Vulnerabilities (CVE)

Filtered by CWE-502
Total 765 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-31115 2022-07-01 N/A N/A
opensearch-ruby is a community-driven, open source fork of elasticsearch-ruby. In versions prior to 2.0.1 the ruby `YAML.load` function was used instead of `YAML.safe_load`. As a result opensearch-ruby 2.0.0 and prior can lead to unsafe deserialization using YAML.load if the response is of type YAML. An attacker must be in control of an opensearch server and convince the victim to connect to it in order to exploit this vulnerability. The problem has been patched in opensearch-ruby gem version 2.0.1. Users are advised to upgrade. There are no known workarounds for this issue.
CVE-2021-44228 10 Apache, Bentley, Cisco and 7 more 155 Log4j, Synchro, Synchro 4d and 152 more 2022-06-30 9.3 HIGH 10.0 CRITICAL
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
CVE-2020-25258 1 Hyland 1 Onbase 2022-06-30 7.5 HIGH 9.8 CRITICAL
An issue was discovered in Hyland OnBase and below, and below, and below, and below and and below. It uses ASP.NET BinaryFormatter.Deserialize in a manner that allows attackers to transmit and execute bytecode in SOAP messages.
CVE-2020-25260 1 Hyland 1 Onbase 2022-06-30 7.5 HIGH 9.8 CRITICAL
An issue was discovered in Hyland OnBase and below, and below, and below, and below and and below. It allows remote attackers to execute arbitrary code because of unsafe JSON deserialization.
CVE-2020-25259 1 Hyland 1 Onbase 2022-06-30 7.5 HIGH 9.8 CRITICAL
An issue was discovered in Hyland OnBase and below, and below, and below, and below and and below. It uses XML deserialization libraries in an unsafe manner.
CVE-2020-4280 2 Ibm, Linux 2 Qradar Security Information And Event Manager, Linux Kernel 2022-06-29 9.0 HIGH 8.8 HIGH
IBM QRadar SIEM 7.3 and 7.4 could allow a remote attacker to execute arbitrary commands on the system, caused by insecure deserialization of user-supplied content by the Java deserialization function. By sending a malicious serialized Java object, an attacker could exploit this vulnerability to execute arbitrary commands on the system. IBM X-Force ID: 176140.
CVE-2020-28032 3 Debian, Fedoraproject, Wordpress 3 Debian Linux, Fedora, Wordpress 2022-06-29 7.5 HIGH 9.8 CRITICAL
WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php.
CVE-2019-5069 1 Epignosishq 1 Efront Lms 2022-06-27 6.5 MEDIUM 8.8 HIGH
A code execution vulnerability exists in Epignosis eFront LMS v5.2.12. A specially crafted web request can cause unsafe deserialization potentially resulting in PHP code being executed. An attacker can send a crafted web parameter to trigger this vulnerability.
CVE-2022-29615 1 Sap 1 Netweaver Developer Studio 2022-06-24 3.6 LOW 3.4 LOW
SAP NetWeaver Developer Studio (NWDS) - version 7.50, is based on Eclipse, which contains the logging framework log4j in version 1.x. The application's confidentiality and integrity could have a low impact due to the vulnerabilities associated with version 1.x.
CVE-2022-20195 1 Google 1 Android 2022-06-24 1.9 LOW 5.0 MEDIUM
In the keystore library, there is a possible prevention of access to system Settings due to unsafe deserialization. This could lead to local denial of service with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-213172664
CVE-2011-2894 1 Vmware 2 Spring Framework, Spring Security 2022-06-21 6.8 MEDIUM N/A
Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by (1) serializing a java.lang.Proxy instance and using InvocationHandler, or (2) accessing internal AOP interfaces, as demonstrated using deserialization of a DefaultListableBeanFactory instance to execute arbitrary commands via the java.lang.Runtime class.
CVE-2022-25863 1 Gatsbyjs 1 Gatsby 2022-06-17 7.5 HIGH 9.8 CRITICAL
The package gatsby-plugin-mdx before 2.14.1, from 3.0.0 and before 3.15.2 are vulnerable to Deserialization of Untrusted Data when passing input through to the gray-matter package, due to its default configurations that are missing input sanitization. Exploiting this vulnerability is possible when passing input in both webpack (MDX files in src/pages or MDX file imported as a component in frontend / React code) and data mode (querying MDX nodes via GraphQL). Workaround: If an older version of gatsby-plugin-mdx must be used, input passed into the plugin should be sanitized ahead of processing.
CVE-2022-25845 1 Alibaba 1 Fastjson 2022-06-17 6.8 MEDIUM 9.8 CRITICAL
The package before 1.2.83 are vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows attacking remote servers. Workaround: If upgrading is not possible, you can enable [safeMode](
CVE-2022-23307 3 Apache, Oracle, Qos 23 Chainsaw, Log4j, Advanced Supply Chain Planning and 20 more 2022-06-16 9.0 HIGH 8.8 HIGH
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
CVE-2022-23302 5 Apache, Broadcom, Netapp and 2 more 24 Log4j, Brocade Sannav, Snapmanager and 21 more 2022-06-16 6.0 MEDIUM 8.8 HIGH
JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
CVE-2022-31279 1 Laravel 1 Laravel 2022-06-14 7.5 HIGH 9.8 CRITICAL
Laravel 9.1.8, when processing attacker-controlled data for deserialization, allows Remote Code Execution (RCE) via an unserialized pop chain in __destruct in Illuminate\Broadcasting\PendingBroadcast.php and __call in Faker\Generator.php.
CVE-2017-1000353 2 Jenkins, Oracle 2 Jenkins, Communications Cloud Native Core Automated Test Suite 2022-06-13 7.5 HIGH 9.8 CRITICAL
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.
CVE-2018-1000861 2 Jenkins, Redhat 2 Jenkins, Openshift Container Platform 2022-06-13 10.0 HIGH 9.8 CRITICAL
A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/ that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way.
CVE-2019-10086 6 Apache, Debian, Fedoraproject and 3 more 60 Commons Beanutils, Nifi, Debian Linux and 57 more 2022-06-13 7.5 HIGH 7.3 HIGH
In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.
CVE-2016-1000027 1 Vmware 1 Spring Framework 2022-06-10 7.5 HIGH 9.8 CRITICAL
Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.