Vulnerabilities > Deserialization of Untrusted Data

DATE CVE VULNERABILITY TITLE RISK
2017-05-19 CVE-2017-7504 Deserialization of Untrusted Data vulnerability in Redhat Jboss Enterprise Application Platform
HTTPServerILServlet.java in JMS over HTTP Invocation Layer of the JbossMQ implementation, which is enabled by default in Red Hat Jboss Application Server <= Jboss 4.X does not restrict the classes for which it performs deserialization, which allows remote attackers to execute arbitrary code via crafted serialized data.
network
low complexity
redhat CWE-502
critical
9.8
2017-05-08 CVE-2017-8829 Deserialization of Untrusted Data vulnerability in Debian Lintian
Deserialization vulnerability in lintian through 2.5.50.3 allows attackers to trigger code execution by requesting a review of a source package with a crafted YAML file.
local
low complexity
debian CWE-502
7.8
2017-05-07 CVE-2017-8804 Deserialization of Untrusted Data vulnerability in GNU Glibc 2.25
The xdr_bytes and xdr_string functions in the GNU C Library (aka glibc or libc6) 2.25 mishandle failures of buffer deserialization, which allows remote attackers to cause a denial of service (virtual memory allocation, or memory consumption if an overcommit setting is not used) via a crafted UDP packet to port 111, a related issue to CVE-2017-8779.
network
low complexity
gnu CWE-502
7.5
2017-04-27 CVE-2017-3066 Deserialization of Untrusted Data vulnerability in Adobe Coldfusion 10.0/11.0/2016
Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 update 11 and earlier, ColdFusion 10 Update 22 and earlier have a Java deserialization vulnerability in the Apache BlazeDS library.
network
low complexity
adobe CWE-502
critical
9.8
2017-04-26 CVE-2017-7293 Deserialization of Untrusted Data vulnerability in Dolby Audio X2 and Dolby Audio X3
The Dolby DAX2 and DAX3 API services are vulnerable to a privilege escalation vulnerability that allows a normal user to get arbitrary system privileges, because these services have .NET code for DCOM.
local
low complexity
dolby CWE-502
7.8
2017-04-17 CVE-2017-5645 Deserialization of Untrusted Data vulnerability in multiple products
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.
network
low complexity
apache netapp redhat oracle CWE-502
critical
9.8
2017-04-11 CVE-2016-4483 Deserialization of Untrusted Data vulnerability in multiple products
The xmlBufAttrSerializeTxtContent function in xmlsave.c in libxml2 allows context-dependent attackers to cause a denial of service (out-of-bounds read and application crash) via a non-UTF-8 attribute value, related to serialization.
network
low complexity
xmlsoft debian oracle CWE-502
7.5
2017-04-11 CVE-2016-0779 Deserialization of Untrusted Data vulnerability in Apache Tomee
The EjbObjectInputStream class in Apache TomEE before 1.7.4 and 7.x before 7.0.0-M3 allows remote attackers to execute arbitrary code via a crafted serialized object.
network
low complexity
apache CWE-502
critical
9.8
2017-04-10 CVE-2017-5983 Deserialization of Untrusted Data vulnerability in Atlassian Jira
The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3.0 improperly uses an XML parser and deserializer, which allows remote attackers to execute arbitrary code, read arbitrary files, or cause a denial of service via a crafted serialized Java object.
network
low complexity
atlassian CWE-502
critical
9.8
2017-04-10 CVE-2016-10304 Deserialization of Untrusted Data vulnerability in SAP Netweaver Application Server Java 7.50
The SAP EP-RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to cause a denial of service (out-of-memory error and service instability) via a crafted serialized Java object, as demonstrated by serial.cc3, aka SAP Security Note 2315788.
network
low complexity
sap CWE-502
6.5