Vulnerabilities: Deserialization of Untrusted Data (CWE-502)

Each entry lists the publication date, CVE identifier, vulnerability title, description, attack vector and complexity, affected vendors, CWE, and risk rating (severity and score, where given).

Date: 2020-03-02
CVE: CVE-2020-9547
Title: Deserialization of Untrusted Data vulnerability in multiple products
Description: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).
Attack vector: network, low complexity
Vendors: fasterxml, netapp, debian, oracle
CWE: CWE-502
Risk: critical (9.8)

Date: 2020-03-02
CVE: CVE-2020-9546
Title: Deserialization of Untrusted Data vulnerability in multiple products
Description: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).
Attack vector: network, low complexity
Vendors: fasterxml, netapp, debian, oracle
CWE: CWE-502
Risk: critical (9.8)

Date: 2020-02-27
CVE: CVE-2019-5326
Title: Deserialization of Untrusted Data vulnerability in Arubanetworks Airwave
Description: An administrative application user, or an application user with write access to Aruba AirWave VisualRF, is able to obtain code execution on the AMP platform.
Attack vector: network, low complexity
Vendors: arubanetworks
CWE: CWE-502
Risk: 7.2

Date: 2020-02-19
CVE: CVE-2020-8441
Title: Deserialization of Untrusted Data vulnerability in Jyaml Project Jyaml
Description: JYaml through 1.3 allows remote code execution during deserialization of a malicious payload through the load() function.
Attack vector: network, low complexity
Vendors: jyaml-project
CWE: CWE-502
Risk: critical (9.8)

Date: 2020-02-19
CVE: CVE-2019-20477
Title: Deserialization of Untrusted Data vulnerability in multiple products
Description: PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue; for example, Popen is a class in the subprocess module.
Attack vector: network, low complexity
Vendors: pyyaml, fedoraproject
CWE: CWE-502
Risk: critical (9.8)

Date: 2020-02-17
CVE: CVE-2020-9006
Title: Deserialization of Untrusted Data vulnerability in Sygnoos Popup Builder
Description: The Popup Builder plugin 2.2.8 through 2.6.7.6 for WordPress is vulnerable to SQL injection (in the sgImportPopups function in sg_popup_ajax.php) via PHP deserialization of attacker-controlled data supplied in the attachmentUrl POST variable.
Attack vector: network, low complexity
Vendors: sygnoos
CWE: CWE-502
Risk: critical (9.8)

Date: 2020-02-13
CVE: CVE-2020-8801
Title: Deserialization of Untrusted Data vulnerability in Salesagility Suitecrm
Description: SuiteCRM through 7.11.11 allows PHAR deserialization.
Attack vector: network, low complexity
Vendors: salesagility
CWE: CWE-502
Risk: 7.2

Date: 2020-02-12
CVE: CVE-2020-2123
Title: Deserialization of Untrusted Data vulnerability in Jenkins Radargun
Description: Jenkins RadarGun Plugin 1.7 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.
Attack vector: network, low complexity
Vendors: jenkins
CWE: CWE-502
Risk: 8.8

Date: 2020-02-11
CVE: CVE-2020-0618
Title: Deserialization of Untrusted Data vulnerability in Microsoft SQL Server 2012/2014/2016
Description: A remote code execution vulnerability exists in Microsoft SQL Server Reporting Services when it incorrectly handles page requests, aka 'Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability'.
Attack vector: network, low complexity
Vendors: microsoft
CWE: CWE-502
Risk: 8.8

Date: 2020-02-10
CVE: CVE-2020-8840
Title: Deserialization of Untrusted Data vulnerability in multiple products
Description: FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.
Attack vector: network, low complexity
Vendors: fasterxml, debian, netapp, huawei, oracle
CWE: CWE-502
Risk: critical (9.8)