Total
1532 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-47083 | 1 Spitfire Project | 1 Spitfire | 2024-08-03 | 8.8 High |
| A PHP Object Injection vulnerability in the unserialize() function Spitfire CMS v1.0.475 allows authenticated attackers to execute arbitrary code via sending crafted requests to the web application. | ||||
| CVE-2022-46478 | 1 Datax-web Project | 1 Datax-web | 2024-08-03 | 9.8 Critical |
| The RPC interface in datax-web v1.0.0 and v2.0.0 to v2.1.2 contains no permission checks by default which allows attackers to execute arbitrary commands via crafted Hessian serialized data. | ||||
| CVE-2022-45982 | 1 Thinkphp | 1 Thinkphp | 2024-08-03 | 9.8 Critical |
| thinkphp 6.0.0~6.0.13 and 6.1.0~6.1.1 contains a deserialization vulnerability. This vulnerability allows attackers to execute arbitrary code via a crafted payload. | ||||
| CVE-2022-45923 | 1 Opentext | 1 Opentext Extended Ecm | 2024-08-03 | 8.8 High |
| An issue was discovered in OpenText Content Suite Platform 22.1 (16.2.19.1803). The Common Gateway Interface (CGI) program cs.exe allows an attacker to increase/decrease an arbitrary memory address by 1 and trigger a call to a method of a vftable with a vftable pointer value chosen by the attacker. | ||||
| CVE-2022-45845 | 1 Nextendweb | 1 Smart Slider 3 | 2024-08-03 | 4.3 Medium |
| Deserialization of Untrusted Data vulnerability in Nextend Smart Slider 3.This issue affects Smart Slider 3: from n/a through 3.5.1.9. | ||||
| CVE-2022-45136 | 1 Apache | 1 Jena Sdb | 2024-08-03 | 9.8 Critical |
| Apache Jena SDB 3.17.0 and earlier is vulnerable to a JDBC Deserialisation attack if the attacker is able to control the JDBC URL used or cause the underlying database server to return malicious data. The mySQL JDBC driver in particular is known to be vulnerable to this class of attack. As a result an application using Apache Jena SDB can be subject to RCE when connected to a malicious database server. Apache Jena SDB has been EOL since December 2020 and users should migrate to alternative options e.g. Apache Jena TDB 2. | ||||
| CVE-2022-45147 | 2024-08-03 | 7.8 High | ||
| A vulnerability has been identified in SIMATIC PCS neo V4.0 (All versions), SIMATIC STEP 7 V16 (All versions), SIMATIC STEP 7 V17 (All versions), SIMATIC STEP 7 V18 (All versions < V18 Update 2). Affected applications do not properly restrict the .NET BinaryFormatter when deserializing user-controllable input. This could allow an attacker to cause a type confusion and execute arbitrary code within the affected application. This is the same issue that exists for .NET BinaryFormatter https://docs.microsoft.com/en-us/visualstudio/code-quality/ca2300. | ||||
| CVE-2022-45047 | 2 Apache, Redhat | 12 Sshd, Camel Spring Boot, Jboss Data Grid and 9 more | 2024-08-03 | 9.8 Critical |
| Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server. | ||||
| CVE-2022-45083 | 1 Properfraction | 1 Profilepress | 2024-08-03 | 6.6 Medium |
| Deserialization of Untrusted Data vulnerability in ProfilePress Membership Team Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress.This issue affects Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress: from n/a through 4.3.2. | ||||
| CVE-2022-44645 | 1 Apache | 1 Linkis | 2024-08-03 | 8.8 High |
| In Apache Linkis <=1.3.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and configures new datasource with a MySQL data source and malicious parameters. Therefore, the parameters in the jdbc url should be blacklisted. Versions of Apache Linkis <= 1.3.0 will be affected. We recommend users to upgrade the version of Linkis to version 1.3.1. | ||||
| CVE-2022-44542 | 1 Lesspipe Project | 1 Lesspipe | 2024-08-03 | 9.8 Critical |
| lesspipe before 2.06 allows attackers to execute code via Perl Storable (pst) files, because of deserialized object destructor execution via a key/value pair in a hash. | ||||
| CVE-2022-44558 | 1 Huawei | 2 Emui, Harmonyos | 2024-08-03 | 9.8 Critical |
| The AMS module has a vulnerability of serialization/deserialization mismatch. Successful exploitation of this vulnerability may cause privilege escalation. | ||||
| CVE-2022-44559 | 1 Huawei | 2 Emui, Harmonyos | 2024-08-03 | 9.8 Critical |
| The AMS module has a vulnerability of serialization/deserialization mismatch. Successful exploitation of this vulnerability may cause privilege escalation. | ||||
| CVE-2022-44371 | 1 Hope-boot Project | 1 Hope-boot | 2024-08-03 | 9.8 Critical |
| hope-boot 1.0.0 has a deserialization vulnerability that can cause Remote Code Execution (RCE). | ||||
| CVE-2022-44351 | 1 Skycaiji | 1 Skycaiji | 2024-08-03 | 9.8 Critical |
| Skycaiji v2.5.1 was discovered to contain a deserialization vulnerability via /SkycaijiApp/admin/controller/Mystore.php. | ||||
| CVE-2022-43567 | 1 Splunk | 2 Splunk, Splunk Cloud Platform | 2024-08-03 | 8.8 High |
| In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can run arbitrary operating system commands remotely through the use of specially crafted requests to the mobile alerts feature in the Splunk Secure Gateway app. | ||||
| CVE-2022-43019 | 1 Opencats | 1 Opencats | 2024-08-03 | 9.8 Critical |
| OpenCATS v0.9.6 was discovered to contain a remote code execution (RCE) vulnerability via the getDataGridPager's ajax functionality. | ||||
| CVE-2022-42004 | 5 Debian, Fasterxml, Netapp and 2 more | 19 Debian Linux, Jackson-databind, Oncommand Workflow Automation and 16 more | 2024-08-03 | 7.5 High |
| In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization. | ||||
| CVE-2022-42003 | 5 Debian, Fasterxml, Netapp and 2 more | 20 Debian Linux, Jackson-databind, Oncommand Workflow Automation and 17 more | 2024-08-03 | 7.5 High |
| In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. | ||||
| CVE-2022-41966 | 2 Redhat, Xstream Project | 10 Camel Quarkus, Camel Spring Boot, Jboss Enterprise Bpms Platform and 7 more | 2024-08-03 | 8.2 High |
| XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation the processed input stream. The attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version 1.4.20 which handles the stack overflow and raises an InputManipulationException instead. A potential workaround for users who only use HashMap or HashSet and whose XML refers these only as default map or set, is to change the default implementation of java.util.Map and java.util per the code example in the referenced advisory. However, this implies that your application does not care about the implementation of the map and all elements are comparable. | ||||