Total
1860 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2016-4000 | 2 Debian, Jython Project | 2 Debian Linux, Jython | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| Jython before 2.7.1rc1 allows attackers to execute arbitrary code via a crafted serialized PyFunction object. | |||||
| CVE-2017-12612 | 1 Apache | 1 Spark | 2025-04-20 | 7.2 HIGH | 7.8 HIGH |
| In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe deserialization of data received by its socket. This makes applications launched programmatically using the launcher API potentially vulnerable to arbitrary code execution by an attacker with access to any user account on the local machine. It does not affect apps run by spark-submit or spark-shell. The attacker would be able to execute code as the user that ran the Spark application. Users are encouraged to update to version 2.2.0 or later. | |||||
| CVE-2016-7050 | 1 Redhat | 4 Enterprise Linux Desktop, Enterprise Linux Hpc Node, Enterprise Linux Server and 1 more | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| SerializableProvider in RESTEasy in Red Hat Enterprise Linux Desktop 7, Red Hat Enterprise Linux HPC Node 7, Red Hat Enterprise Linux Server 7, and Red Hat Enterprise Linux Workstation 7 allows remote attackers to execute arbitrary code. | |||||
| CVE-2017-14035 | 1 Crushftp | 1 Crushftp | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| CrushFTP 8.x before 8.2.0 has a serialization vulnerability. | |||||
| CVE-2017-11284 | 1 Adobe | 1 Coldfusion | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| Adobe ColdFusion has an Untrusted Data Deserialization vulnerability. This affects Update 4 and earlier versions for ColdFusion 2016, and Update 12 and earlier versions for ColdFusion 11. | |||||
| CVE-2017-3066 | 1 Adobe | 1 Coldfusion | 2025-04-20 | 10.0 HIGH | 9.8 CRITICAL |
| Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 update 11 and earlier, ColdFusion 10 Update 22 and earlier have a Java deserialization vulnerability in the Apache BlazeDS library. Successful exploitation could lead to arbitrary code execution. | |||||
| CVE-2016-6809 | 1 Apache | 2 Nutch, Tika | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| Apache Tika before 1.14 allows Java code execution for serialized objects embedded in MATLAB files. The issue exists because Tika invokes JMatIO to do native deserialization. | |||||
| CVE-2017-9363 | 1 Soffid | 1 Iam | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| Untrusted Java serialization in Soffid IAM console before 1.7.5 allows remote attackers to achieve arbitrary remote code execution via a crafted authentication request. | |||||
| CVE-2017-14141 | 1 Kaltura | 1 Kaltura Server | 2025-04-20 | 6.5 MEDIUM | 7.2 HIGH |
| The wiki_decode Developer System Helper function in the admin panel in Kaltura before 13.2.0 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object. | |||||
| CVE-2017-5878 | 1 Red5 | 1 Media Server | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| The AMF unmarshallers in Red5 Media Server before 1.0.8 do not restrict the classes for which it performs deserialization, which allows remote attackers to execute arbitrary code via crafted serialized Java data. | |||||
| CVE-2017-4995 | 1 Vmware | 1 Spring Security | 2025-04-20 | 6.8 MEDIUM | 8.1 HIGH |
| An issue was discovered in Pivotal Spring Security 4.2.0.RELEASE through 4.2.2.RELEASE, and Spring Security 5.0.0.M1. When configured to enable default typing, Jackson contained a deserialization vulnerability that could lead to arbitrary code execution. Jackson fixed this vulnerability by blacklisting known "deserialization gadgets." Spring Security configures Jackson with global default typing enabled, which means that (through the previous exploit) arbitrary code could be executed if all of the following is true: (1) Spring Security's Jackson support is being leveraged by invoking SecurityJackson2Modules.getModules(ClassLoader) or SecurityJackson2Modules.enableDefaultTyping(ObjectMapper); (2) Jackson is used to deserialize data that is not trusted (Spring Security does not perform deserialization using Jackson, so this is an explicit choice of the user); and (3) there is an unknown (Jackson is not blacklisting it already) "deserialization gadget" that allows code execution present on the classpath. Jackson provides a blacklisting approach to protecting against this type of attack, but Spring Security should be proactive against blocking unknown "deserialization gadgets" when Spring Security enables default typing. | |||||
| CVE-2017-3159 | 1 Apache | 1 Camel | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| Apache Camel's camel-snakeyaml component is vulnerable to Java object de-serialization vulnerability. De-serializing untrusted data can lead to security flaws. | |||||
| CVE-2017-8829 | 1 Debian | 1 Lintian | 2025-04-20 | 6.8 MEDIUM | 7.8 HIGH |
| Deserialization vulnerability in lintian through 2.5.50.3 allows attackers to trigger code execution by requesting a review of a source package with a crafted YAML file. | |||||
| CVE-2017-12634 | 1 Apache | 1 Camel | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| The camel-castor component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws. | |||||
| CVE-2017-11143 | 1 Php | 1 Php | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| In PHP before 5.6.31, an invalid free in the WDDX deserialization of boolean parameters could be used by attackers able to inject XML for deserialization to crash the PHP interpreter, related to an invalid free for an empty boolean element in ext/wddx/wddx.c. | |||||
| CVE-2017-1000053 | 1 Plug Project | 1 Plug | 2025-04-20 | 6.8 MEDIUM | 8.1 HIGH |
| Elixir Plug before v1.0.4, v1.1.7, v1.2.3 and v1.3.2 is vulnerable to arbitrary code execution in the deserialization functions of Plug.Session. | |||||
| CVE-2017-2292 | 1 Puppet | 1 Mcollective | 2025-04-20 | 7.5 HIGH | 9.0 CRITICAL |
| Versions of MCollective prior to 2.10.4 deserialized YAML from agents without calling safe_load, allowing the potential for arbitrary code execution on the server. The fix for this is to call YAML.safe_load on input. This has been tested in all Puppet-supplied MCollective plugins, but there is a chance that third-party plugins could rely on this insecure behavior. | |||||
| CVE-2016-8736 | 1 Apache | 1 Openmeetings | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| Apache OpenMeetings before 3.1.2 is vulnerable to Remote Code Execution via RMI deserialization attack. | |||||
| CVE-2017-10803 | 1 Odoo | 1 Odoo | 2025-04-20 | 8.5 HIGH | 6.5 MEDIUM |
| In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, insecure handling of anonymization data in the Database Anonymization module allows remote authenticated privileged users to execute arbitrary Python code, because unpickle is used. | |||||
| CVE-2016-4483 | 3 Debian, Oracle, Xmlsoft | 3 Debian Linux, Solaris, Libxml2 | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| The xmlBufAttrSerializeTxtContent function in xmlsave.c in libxml2 allows context-dependent attackers to cause a denial of service (out-of-bounds read and application crash) via a non-UTF-8 attribute value, related to serialization. NOTE: this vulnerability may be a duplicate of CVE-2016-3627. | |||||