Vulnerabilities > Deserialization of Untrusted Data
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2018-01-25 | CVE-2017-15703 | Deserialization of Untrusted Data vulnerability in Apache NiFi. Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and caused a denial of service via a Java deserialization attack. | 5.0 |
2018-01-25 | CVE-2018-1051 | Deserialization of Untrusted Data vulnerability in Red Hat RESTEasy 3.0.22/3.1.2. It was found that the fix for CVE-2016-9606 in versions 3.0.22 and 3.1.2 was incomplete and YAML unmarshalling in RESTEasy is still possible via `Yaml.load()` in YamlProvider. | 8.1 |
2018-01-23 | CVE-2017-17406 | Deserialization of Untrusted Data vulnerability in Netgain-Systems Enterprise Manager 7.2.699/7.2.730. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Netgain Enterprise Manager. | 9.8 |
2018-01-22 | CVE-2018-5968 | Deserialization of Untrusted Data vulnerability in multiple products. FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. | 8.1 |
2018-01-18 | CVE-2016-6814 | Deserialization of Untrusted Data vulnerability in multiple products. When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, or Apache Groovy 2.4.4 to 2.4.7, on the classpath uses standard Java serialization mechanisms, e.g. | 9.8 |
2018-01-10 | CVE-2017-17485 | Deserialization of Untrusted Data vulnerability in multiple products. FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. | 9.8 |
2017-12-29 | CVE-2014-9515 | Deserialization of Untrusted Data vulnerability in Dozer Project Dozer. Dozer improperly uses a reflection-based approach to type conversion, which might allow remote attackers to execute arbitrary code via a crafted serialized object. | 9.8 |
2017-12-28 | CVE-2017-5641 | Deserialization of Untrusted Data vulnerability in multiple products. Previous versions of Apache Flex BlazeDS (4.7.2 and earlier) did not restrict which types were allowed for AMF(X) object deserialization by default. | 9.8 |
2017-12-14 | CVE-2017-17672 | Deserialization of Untrusted Data vulnerability in vBulletin. In vBulletin through 5.3.x, there is an unauthenticated deserialization vulnerability that leads to arbitrary file deletion and, under certain circumstances, code execution, because of unsafe usage of PHP's unserialize() in vB_Library_Template's cacheTemplates() function, which is a publicly exposed API. | 9.8 |
2017-12-01 | CVE-2017-11284 | Deserialization of Untrusted Data vulnerability in Adobe ColdFusion 11.0/2016. Adobe ColdFusion has an Untrusted Data Deserialization vulnerability. | 9.8 |