Vulnerabilities > Deserialization of Untrusted Data

DATE CVE VULNERABILITY TITLE RISK
2018-02-09 CVE-2018-1000058 Deserialization of Untrusted Data vulnerability in Jenkins Pipeline Supporting Apis 2.15/2.16/2.17
Jenkins Pipeline: Supporting APIs Plugin 2.17 and earlier have an arbitrary code execution due to incomplete sandbox protection: Methods related to Java deserialization like readResolve implemented in Pipeline scripts were not subject to sandbox protection, and could therefore execute arbitrary code.
network
low complexity
jenkins CWE-502
8.8
2018-02-09 CVE-2018-1000048 Deserialization of Untrusted Data vulnerability in Nasa Rtretrievalframework 1.0
NASA RtRetrievalFramework version v1.0 contains a CWE-502 vulnerability in Data retrieval functionality of RtRetrieval framework that can result in remote code execution.
network
low complexity
nasa CWE-502
8.8
2018-02-09 CVE-2018-1000047 Deserialization of Untrusted Data vulnerability in Nasa Kodiak 1.0
NASA Kodiak version v1.0 contains a CWE-502 vulnerability in Kodiak library's data processing function that can result in remote code execution.
network
low complexity
nasa CWE-502
8.8
2018-02-09 CVE-2018-1000046 Deserialization of Untrusted Data vulnerability in Nasa Pyblock 1.0/1.3
NASA Pyblock version v1.0 - v1.3 contains a CWE-502 vulnerability in Radar data parsing library that can result in remote code execution.
local
low complexity
nasa CWE-502
7.8
2018-02-09 CVE-2018-1000045 Deserialization of Untrusted Data vulnerability in Nasa Singledop 1.0
NASA Singledop version v1.0 contains a CWE-502 vulnerability in NASA Singledop library (Weather data) that can result in remote code execution.
local
low complexity
nasa CWE-502
7.8
2018-02-06 CVE-2016-3957 Deserialization of Untrusted Data vulnerability in Web2Py
The secure_load function in gluon/utils.py in web2py before 2.14.2 uses pickle.loads to deserialize session information stored in cookies, which might allow remote attackers to execute arbitrary code by leveraging knowledge of encryption_key.
network
low complexity
web2py CWE-502
critical
9.8
2018-02-06 CVE-2017-15095 Deserialization of Untrusted Data vulnerability in multiple products
A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.
network
low complexity
fasterxml debian redhat netapp oracle CWE-502
critical
9.8
2018-01-29 CVE-2017-1000355 Deserialization of Untrusted Data vulnerability in Jenkins
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an XStream: Java crash when trying to instantiate void/Void.
network
low complexity
jenkins CWE-502
6.5
2018-01-29 CVE-2017-1000353 Deserialization of Untrusted Data vulnerability in multiple products
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution.
network
low complexity
jenkins oracle CWE-502
critical
9.8
2018-01-29 CVE-2017-4947 Deserialization of Untrusted Data vulnerability in VMWare Vrealize Automation and Vsphere Integrated Containers
VMware vRealize Automation (7.3 and 7.2) and vSphere Integrated Containers (1.x before 1.3) contain a deserialization vulnerability via Xenon.
network
low complexity
vmware CWE-502
critical
9.8