Total
1532 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-34371 | 1 Neo4j | 1 Neo4j | 2024-08-04 | 9.8 Critical |
| Neo4j through 3.4.18 (with the shell server enabled) exposes an RMI service that arbitrarily deserializes Java objects, e.g., through setSessionVariable. An attacker can abuse this for remote code execution because there are dependencies with exploitable gadget chains. | ||||
| CVE-2021-34066 | 1 Edgegallery | 1 Developer-be | 2024-08-04 | 9.8 Critical |
| An issue was discovered in EdgeGallery/developer before v1.0. There is a "Deserialization of yaml file" vulnerability that can allow attackers to execute system command through uploading the malicious constructed YAML file. | ||||
| CVE-2021-33898 | 1 Invoiceninja | 1 Invoice Ninja | 2024-08-04 | 8.1 High |
| In Invoice Ninja before 4.4.0, there is an unsafe call to unserialize() in app/Ninja/Repositories/AccountRepository.php that may allow an attacker to deserialize arbitrary PHP classes. In certain contexts, this can result in remote code execution. The attacker's input must be hosted at http://www.geoplugin.net (cleartext HTTP), and thus a successful attack requires spoofing that site or obtaining control of it. | ||||
| CVE-2021-33790 | 2 Minecraft, Techreborn | 2 Minecraft, Reborncore | 2024-08-03 | 9.8 Critical |
| The RebornCore library before 4.7.3 allows remote code execution because it deserializes untrusted data in ObjectInputStream.readObject as part of reborncore.common.network.ExtendedPacketBuffer. An attacker can instantiate any class on the classpath with any data. A class usable for exploitation might or might not be present, depending on what Minecraft modifications are installed. | ||||
| CVE-2021-33806 | 1 Bdew | 1 Bdlib | 2024-08-03 | 9.8 Critical |
| The BDew BdLib library before 1.16.1.7 for Minecraft allows remote code execution because it deserializes untrusted data in ObjectInputStream.readObject as part of its use of Java serialization. | ||||
| CVE-2021-33728 | 1 Siemens | 1 Sinec Nms | 2024-08-03 | 7.2 High |
| A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). The affected system allows to upload JSON objects that are deserialized to JAVA objects. Due to insecure deserialization of user-supplied content by the affected software, a privileged attacker could exploit this vulnerability by sending a crafted serialized Java object. An exploit could allow the attacker to execute arbitrary code on the device with root privileges. | ||||
| CVE-2021-33420 | 1 Replicator Project | 1 Replicator | 2024-08-03 | 9.8 Critical |
| A deserialization issue discovered in inikulin replicator before 1.0.4 allows remote attackers to run arbitrary code via the fromSerializable function in TypedArray object. | ||||
| CVE-2021-33207 | 1 Softwareag | 1 Mashzone Nextgen | 2024-08-03 | 9.8 Critical |
| The HTTP client in MashZone NextGen through 10.7 GA deserializes untrusted data when it gets an HTTP response with a 570 status code. | ||||
| CVE-2021-33175 | 1 Emqx | 1 Emq X Broker | 2024-08-03 | 7.5 High |
| EMQ X Broker versions prior to 4.2.8 are vulnerable to a denial of service attack as a result of excessive memory consumption due to the handling of untrusted inputs. These inputs cause the message broker to consume large amounts of memory, resulting in the application being terminated by the operating system. | ||||
| CVE-2021-33176 | 1 Octavolabs | 1 Vernemq | 2024-08-03 | 7.5 High |
| VerneMQ MQTT Broker versions prior to 1.12.0 are vulnerable to a denial of service attack as a result of excessive memory consumption due to the handling of untrusted inputs. These inputs cause the message broker to consume large amounts of memory, resulting in the application being terminated by the operating system. | ||||
| CVE-2021-33036 | 1 Apache | 1 Hadoop | 2024-08-03 | 8.8 High |
| In Apache Hadoop 2.2.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.2, and 3.3.0 to 3.3.1, a user who can escalate to yarn user can possibly run arbitrary commands as root user. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher. | ||||
| CVE-2021-32935 | 1 Cognex | 1 In-sight Opc Server | 2024-08-03 | 8.8 High |
| The affected Cognex product, the In-Sight OPC Server versions v5.7.4 (96) and prior, deserializes untrusted data, which could allow a remote attacker access to system level permission commands and local privilege escalation. | ||||
| CVE-2021-32828 | 1 Hyland | 1 Nuxeo | 2024-08-03 | 5.4 Medium |
| The Nuxeo Platform is an open source content management platform for building business applications. In version 11.5.109, the `oauth2` REST API is vulnerable to Reflected Cross-Site Scripting (XSS). This XSS can be escalated to Remote Code Execution (RCE) by levering the automation API. | ||||
| CVE-2021-32836 | 1 Zstack | 1 Zstack | 2024-08-03 | 7.5 High |
| ZStack is open source IaaS(infrastructure as a service) software. In ZStack before versions 3.10.12 and 4.1.6 there is a pre-auth unsafe deserialization vulnerability in the REST API. An attacker in control of the request body will be able to provide both the class name and the data to be deserialized and therefore will be able to instantiate an arbitrary type and assign arbitrary values to its fields. This issue may lead to a Denial Of Service. If a suitable gadget is available, then an attacker may also be able to exploit this vulnerability to gain pre-auth remote code execution. For additional details see the referenced GHSL-2021-087. | ||||
| CVE-2021-32824 | 1 Apache | 1 Dubbo | 2024-08-03 | 9.8 Critical |
| Apache Dubbo is a java based, open source RPC framework. Versions prior to 2.6.10 and 2.7.10 are vulnerable to pre-auth remote code execution via arbitrary bean manipulation in the Telnet handler. The Dubbo main service port can be used to access a Telnet Handler which offers some basic methods to collect information about the providers and methods exposed by the service and it can even allow to shutdown the service. This endpoint is unprotected. Additionally, a provider method can be invoked using the `invoke` handler. This handler uses a safe version of FastJson to process the call arguments. However, the resulting list is later processed with `PojoUtils.realize` which can be used to instantiate arbitrary classes and invoke its setters. Even though FastJson is properly protected with a default blocklist, `PojoUtils.realize` is not, and an attacker can leverage that to achieve remote code execution. Versions 2.6.10 and 2.7.10 contain fixes for this issue. | ||||
| CVE-2021-32742 | 1 Vapor Project | 1 Vapor | 2024-08-03 | 7.5 High |
| Vapor is a web framework for Swift. In versions 4.47.1 and prior, bug in the `Data.init(base32Encoded:)` function opens up the potential for exposing server memory and/or crashing the server (Denial of Service) for applications where untrusted data can end up in said function. Vapor does not currently use this function itself so this only impact applications that use the impacted function directly or through other dependencies. The vulnerability is patched in version 4.47.2. As a workaround, one may use an alternative to Vapor's built-in `Data.init(base32Encoded:)`. | ||||
| CVE-2021-32634 | 1 Nsa | 1 Emissary | 2024-08-03 | 7.2 High |
| Emissary is a distributed, peer-to-peer, data-driven workflow framework. Emissary 6.4.0 is vulnerable to Unsafe Deserialization of post-authenticated requests to the [`WorkSpaceClientEnqueue.action`](https://github.com/NationalSecurityAgency/emissary/blob/30c54ef16c6eb6ed09604a929939fb9f66868382/src/main/java/emissary/server/mvc/internal/WorkSpaceClientEnqueueAction.java) REST endpoint. This issue may lead to post-auth Remote Code Execution. This issue has been patched in version 6.5.0. As a workaround, one can disable network access to Emissary from untrusted sources. | ||||
| CVE-2021-32568 | 1 Mrdoc | 1 Mrdoc | 2024-08-03 | 7.8 High |
| mrdoc is vulnerable to Deserialization of Untrusted Data | ||||
| CVE-2021-32098 | 1 Artica | 1 Pandora Fms | 2024-08-03 | 9.8 Critical |
| Artica Pandora FMS 742 allows unauthenticated attackers to perform Phar deserialization. | ||||
| CVE-2021-32075 | 1 Re-logic | 1 Terraria | 2024-08-03 | 9.8 Critical |
| Re-Logic Terraria before 1.4.2.3 performs Insecure Deserialization. | ||||