Total
1809 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2017-5792 | 1 Hp | 1 Intelligent Management Center | 2024-11-21 | N/A |
| A Remote Code Execution vulnerability in HPE Intelligent Management Center (iMC) PLAT version 7.3 E0504P2 was found. | ||||
| CVE-2017-5790 | 1 Hp | 1 Intelligent Management Center | 2024-11-21 | N/A |
| A remote deserialization of untrusted data vulnerability in HPE Intelligent Management Center (IMC) PLAT version 7.2 E0403P06 was found. | ||||
| CVE-2017-4947 | 1 Vmware | 2 Vrealize Automation, Vsphere Integrated Containers | 2024-11-21 | N/A |
| VMware vRealize Automation (7.3 and 7.2) and vSphere Integrated Containers (1.x before 1.3) contain a deserialization vulnerability via Xenon. Successful exploitation of this issue may allow remote attackers to execute arbitrary code on the appliance. | ||||
| CVE-2017-3207 | 1 Themidnightcoders | 1 Weborb For Java | 2024-11-21 | N/A |
| The Java implementations of AMF3 deserializers in WebORB for Java by Midnight Coders, version 5.1.1.0, derive class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. A remote attacker with the ability to spoof or control an RMI server connection may be able to send serialized Java objects that execute arbitrary code when deserialized. | ||||
| CVE-2017-3203 | 1 Pivotal | 1 Spring-flex | 2024-11-21 | N/A |
| The Java implementations of AMF3 deserializers in Pivotal/Spring Spring-flex derive class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. A remote attacker with the ability to spoof or control an RMI server connection may be able to send serialized Java objects that execute arbitrary code when deserialized. | ||||
| CVE-2017-3202 | 1 Exadel | 1 Flamingo | 2024-11-21 | N/A |
| The Java implementation of AMF3 deserializers used in Flamingo amf-serializer by Exadel, version 2.2.0, may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this vulnerability depends on the availability of classes in the class path that make use of deserialization. A remote attacker with the ability to spoof or control information may be able to send serialized Java objects with pre-set properties that result in arbitrary code execution when deserialized. | ||||
| CVE-2017-3201 | 1 Exadel | 1 Flamingo Amf-serializer | 2024-11-21 | N/A |
| The Java implementation of AMF3 deserializers used in Flamingo amf-serializer by Exadel, version 2.2.0 derives class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. A remote attacker with the ability to spoof or control an RMI server connection may be able to send serialized Java objects that execute arbitrary code when deserialized. | ||||
| CVE-2017-3200 | 1 Graniteds | 1 Graniteds | 2024-11-21 | 8.1 High |
| The Java implementation of AMF3 deserializers used in GraniteDS, version 3.1.1.G, may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this vulnerability depends on the availability of classes in the class path that make use of deserialization. A remote attacker with the ability to spoof or control information may be able to send serialized Java objects with pre-set properties that result in arbitrary code execution when deserialized. | ||||
| CVE-2017-3199 | 1 Graniteds | 1 Graniteds | 2024-11-21 | 8.1 High |
| The Java implementation of GraniteDS, version 3.1.1.GA, AMF3 deserializers derives class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. A remote attacker with the ability to spoof or control an RMI server connection may be able to send serialized Java objects that execute arbitrary code when deserialized. | ||||
| CVE-2017-2608 | 1 Jenkins | 1 Jenkins | 2024-11-21 | N/A |
| Jenkins before versions 2.44, 2.32.2 is vulnerable to a remote code execution vulnerability involving the deserialization of various types in javax.imageio in XStream-based APIs (SECURITY-383). | ||||
| CVE-2017-20189 | 1 Clojure | 1 Clojure | 2024-11-21 | 9.8 Critical |
| In Clojure before 1.9.0, classes can be used to construct a serialized object that executes arbitrary code upon deserialization. This is relevant if a server deserializes untrusted objects. | ||||
| CVE-2017-1677 | 3 Ibm, Linux, Microsoft | 3 Db2, Linux Kernel, Windows | 2024-11-21 | N/A |
| IBM Data Server Driver for JDBC and SQLJ (IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1) deserializes the contents of /tmp/connlicj.bin which leads to object injection and potentially arbitrary code execution depending on the classpath. IBM X-Force ID: 133999. | ||||
| CVE-2017-18605 | 1 Gravitatedesign | 1 Gravitate Qa Tracker | 2024-11-21 | 9.8 Critical |
| The gravitate-qa-tracker plugin through 1.2.1 for WordPress has PHP Object Injection. | ||||
| CVE-2017-18604 | 1 Sitebuilder Dynamic Components Project | 1 Sitebuilder Dynamic Components | 2024-11-21 | 7.5 High |
| The sitebuilder-dynamic-components plugin through 1.0 for WordPress has PHP object injection via an AJAX request. | ||||
| CVE-2017-18375 | 1 Ampache | 1 Ampache | 2024-11-21 | N/A |
| Ampache 3.8.3 allows PHP Object Instantiation via democratic.ajax.php and democratic.class.php. | ||||
| CVE-2017-18365 | 1 Github | 1 Github | 2024-11-21 | N/A |
| The Management Console in GitHub Enterprise 2.8.x before 2.8.7 has a deserialization issue that allows unauthenticated remote attackers to execute arbitrary code. This occurs because the enterprise session secret is always the same, and can be found in the product's source code. By sending a crafted cookie signed with this secret, one can call Marshal.load with arbitrary data, which is a problem because the Marshal data format allows Ruby objects. | ||||
| CVE-2017-18342 | 2 Fedoraproject, Pyyaml | 2 Fedora, Pyyaml | 2024-11-21 | 9.8 Critical |
| In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function. | ||||
| CVE-2017-17485 | 4 Debian, Fasterxml, Netapp and 1 more | 15 Debian Linux, Jackson-databind, E-series Santricity Os Controller and 12 more | 2024-11-21 | 9.8 Critical |
| FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath. | ||||
| CVE-2017-17406 | 1 Netgain-systems | 1 Enterprise Manager | 2024-11-21 | N/A |
| This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Netgain Enterprise Manager. Authentication is not required to exploit this vulnerability. The specific flaw exists within an exposed RMI registry, which listens on TCP ports 1800 and 1850 by default. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute arbitrary code under the context of the current process. Was ZDI-CAN-4753. | ||||
| CVE-2017-15703 | 1 Apache | 1 Nifi | 2024-11-21 | N/A |
| Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and caused a denial of service via Java deserialization attack. The fix to properly handle Java deserialization was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release. | ||||