Total: 1749 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2020-8801 | 1 Salesagility | 1 Suitecrm | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH | SuiteCRM through 7.11.11 allows PHAR deserialization.
CVE-2020-8441 | 1 Jyaml Project | 1 Jyaml | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | JYaml through 1.3 allows remote code execution during deserialization of a malicious payload through the load() function. NOTE: this is a discontinued product.
CVE-2020-8165 | 3 Debian, Opensuse, Rubyonrails | 3 Debian Linux, Leap, Rails | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3 and rails < 6.0.3.1 that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore, potentially resulting in RCE.
CVE-2020-8164 | 3 Debian, Opensuse, Rubyonrails | 4 Debian Linux, Backports Sle, Leap and 1 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH | A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3 and rails < 6.0.3.1 that can allow an attacker to supply input which causes information to be inadvertently leaked from Strong Parameters.
CVE-2020-7811 | 2 Microsoft, Samsung | 2 Windows, Update | 2024-11-21 | 4.6 MEDIUM | 6.2 MEDIUM | Samsung Update 3.0.2.0 ~ 3.0.32.0 has a vulnerability that allows privilege escalation, as commands crafted by an attacker are executed while the engine deserializes the data received during inter-process communication.
CVE-2020-7660 | 1 Verizon | 1 Serialize-javascript | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH | serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".
CVE-2020-7610 | 1 Mongodb | 1 Bson | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsontype, leading to cases where an object is serialized as a document rather than the intended BSON type.
CVE-2020-7532 | 1 Schneider-electric | 1 Scadapack X70 Security Administrator | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH | A CWE-502 Deserialization of Untrusted Data vulnerability exists in SCADAPack x70 Security Administrator (V1.2.0 and prior) which could allow arbitrary code execution when an attacker builds a custom .SDB file containing a malicious serialized buffer.
CVE-2020-7528 | 1 Schneider-electric | 1 Scadapack 7x Remote Connect | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH | A CWE-502 Deserialization of Untrusted Data vulnerability exists in SCADAPack 7x Remote Connect (V3.6.3.574 and prior) which could allow arbitrary code execution when an attacker builds a custom .PRJ file containing a malicious serialized buffer.
CVE-2020-7385 | 1 Rapid7 | 1 Metasploit | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH | By launching the drb_remote_codeexec exploit, a Metasploit Framework user will inadvertently expose Metasploit to the same deserialization issue that is exploited by that module, due to the reliance on the vulnerable Distributed Ruby class functions. Since Metasploit Framework typically runs with elevated privileges, this can lead to a system compromise on the Metasploit workstation. Note that an attacker would have to lie in wait and entice the Metasploit user to run the affected module against a malicious endpoint in a "hack-back" type of attack. Metasploit is only vulnerable when the drb_remote_codeexec module is running. In most cases, this cannot happen automatically.
CVE-2020-6967 | 1 Rockwellautomation | 1 Factorytalk Services Platform | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL | In all versions of Rockwell Automation FactoryTalk Diagnostics software, a subsystem of the FactoryTalk Services Platform, FactoryTalk Diagnostics exposes a .NET Remoting endpoint via RNADiagnosticsSrv.exe on TCP/8082, which can insecurely deserialize untrusted data.
CVE-2020-6959 | 1 Honeywell | 12 Hnmswvms, Hnmswvms Firmware, Hnmswvmslt and 9 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | The following versions of MAXPRO VMS and NVR are vulnerable to unsafe deserialization of untrusted data: MAXPRO VMS: HNMSWVMS prior to Version VMS560 Build 595 T2-Patch, HNMSWVMSLT prior to Version VMS560 Build 595 T2-Patch; MAXPRO NVR: MAXPRO NVR XE prior to Version NVR 5.6 Build 595 T2-Patch, MAXPRO NVR SE prior to Version NVR 5.6 Build 595 T2-Patch, MAXPRO NVR PE prior to Version NVR 5.6 Build 595 T2-Patch, and MPNVRSWXX prior to Version NVR 5.6 Build 595 T2-Patch. An attacker may be able to remotely modify deserialized data without authentication using a specially crafted web request, resulting in remote code execution.
CVE-2020-6770 | 1 Bosch | 5 Bosch Video Management System Mobile Video Service, Divar Ip 3000, Divar Ip 3000 Firmware and 2 more | 2024-11-21 | 10.0 HIGH | 10.0 CRITICAL | Deserialization of Untrusted Data in the BVMS Mobile Video Service (BVMS MVS) allows an unauthenticated remote attacker to execute arbitrary code on the system. This affects Bosch BVMS versions 10.0 <= 10.0.0.1225, 9.0 <= 9.0.0.827, 8.0 <= 8.0.0.329, and 7.5 and older. This affects Bosch DIVAR IP 3000 and DIVAR IP 7000 if a vulnerable BVMS version is installed.
CVE-2020-6219 | 1 Sap | 2 Businessobjects Business Intelligence Platform, Crystal Reports For Visual Studio | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | SAP Business Objects Business Intelligence Platform (CrystalReports WebForm Viewer), versions 4.1 and 4.2, and Crystal Reports for VS version 2010 allow an attacker with basic authorization to perform a deserialization attack in the application, leading to service interruption (denial of service) and unauthorized execution of arbitrary commands (Deserialization of Untrusted Data).
CVE-2020-5664 | 1 Riken | 1 Xoonips | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | Deserialization of untrusted data vulnerability in XooNIps 3.49 and earlier allows remote attackers to execute arbitrary code via unspecified vectors.
CVE-2020-5413 | 2 Oracle, Vmware | 8 Banking Corporate Lending Process Management, Banking Credit Facilities Process Management, Banking Supply Chain Finance and 5 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains malicious code for execution during deserialization. In order to protect against this type of attack, Kryo can be configured to require a set of trusted classes for (de)serialization. Spring Integration should be proactive about blocking unknown "deserialization gadgets" when configuring Kryo in code.
CVE-2020-5411 | 1 Pivotal Software | 1 Spring Batch | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH | When configured to enable default typing, Jackson contained a deserialization vulnerability that could lead to arbitrary code execution. Jackson fixed this vulnerability by blacklisting known "deserialization gadgets". Spring Batch configures Jackson with global default typing enabled, which means that through the previous exploit, arbitrary code could be executed if all of the following are true: (1) Spring Batch's Jackson support is being leveraged to serialize a job's ExecutionContext; (2) a malicious user gains write access to the data store used by the JobRepository (where the data to be deserialized is stored). In order to protect against this type of attack, Jackson prevents a set of untrusted gadget classes from being deserialized. Spring Batch should be proactive about blocking unknown "deserialization gadgets" when enabling default typing.
CVE-2020-5341 | 1 Dell | 2 Emc Avamar Server, Emc Integrated Data Protection Appliance Firmware | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL | Dell EMC Avamar Server versions 7.4.1, 7.5.0, 7.5.1, 18.2, 19.1 and 19.2 and Dell EMC Integrated Data Protection Appliance versions 2.0, 2.1, 2.2, 2.3, 2.4 and 2.4.1 contain a Deserialization of Untrusted Data vulnerability. A remote unauthenticated attacker could exploit this vulnerability to send a serialized payload that would execute code on the system.
CVE-2020-5327 | 1 Dell | 1 Security Management Server | 2024-11-21 | 9.3 HIGH | 8.1 HIGH | Dell Security Management Server versions prior to 10.2.10 contain a Java RMI Deserialization of Untrusted Data vulnerability. When the server is exposed to the internet and Windows Firewall is disabled, a remote unauthenticated attacker may exploit this vulnerability by sending a crafted RMI request to execute arbitrary code on the target host.
CVE-2020-4888 | 1 Ibm | 1 Qradar Security Information And Event Manager | 2024-11-21 | 9.0 HIGH | 8.8 HIGH | IBM QRadar SIEM 7.4.0 to 7.4.2 Patch 1 and 7.3.0 to 7.3.3 Patch 7 could allow a remote attacker to execute arbitrary commands on the system, caused by insecure deserialization of user-supplied content by the Java deserialization function. By sending a malicious serialized Java object, an attacker could exploit this vulnerability to execute arbitrary commands on the system. IBM X-Force ID: 190912.