Deserialization of Untrusted Data

| Date | CVE | Vulnerability title | Description | Attack vector | Complexity | Vendors | CWE | Severity | Score |
|---|---|---|---|---|---|---|---|---|---|
| 2018-01-25 | CVE-2017-15703 | Deserialization of Untrusted Data vulnerability in Apache Nifi | Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and caused a denial of service via Java deserialization attack. | local | low | apache | CWE-502 | | 5.0 |
| 2018-01-25 | CVE-2018-1051 | Deserialization of Untrusted Data vulnerability in Redhat Resteasy 3.0.22/3.1.2 | It was found that the fix for CVE-2016-9606 in versions 3.0.22 and 3.1.2 was incomplete and Yaml unmarshalling in Resteasy is still possible via `Yaml.load()` in YamlProvider. | network | high | redhat | CWE-502 | | 8.1 |
| 2018-01-23 | CVE-2017-17406 | Deserialization of Untrusted Data vulnerability in Netgain-Systems Enterprise Manager 7.2.699/7.2.730 | This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Netgain Enterprise Manager. | network | low | netgain-systems | CWE-502 | critical | 9.8 |
| 2018-01-22 | CVE-2018-5968 | Deserialization of Untrusted Data vulnerability in multiple products | FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. | network | high | fasterxml, debian, redhat, netapp | CWE-502 | | 8.1 |
| 2018-01-18 | CVE-2016-6814 | Deserialization of Untrusted Data vulnerability in multiple products | When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. | network | low | apache, redhat | CWE-502 | critical | 9.8 |
| 2018-01-10 | CVE-2017-17485 | Deserialization of Untrusted Data vulnerability in multiple products | FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. | network | low | fasterxml, debian, redhat, netapp | CWE-502 | critical | 9.8 |
| 2017-12-29 | CVE-2014-9515 | Deserialization of Untrusted Data vulnerability in Dozer Project Dozer | Dozer improperly uses a reflection-based approach to type conversion, which might allow remote attackers to execute arbitrary code via a crafted serialized object. | network | low | dozer-project | CWE-502 | critical | 9.8 |
| 2017-12-28 | CVE-2017-5641 | Deserialization of Untrusted Data vulnerability in multiple products | Previous versions of Apache Flex BlazeDS (4.7.2 and earlier) did not restrict which types were allowed for AMF(X) object deserialization by default. | network | low | apache, hp | CWE-502 | critical | 9.8 |
| 2017-12-14 | CVE-2017-17672 | Deserialization of Untrusted Data vulnerability in Vbulletin | In vBulletin through 5.3.x, there is an unauthenticated deserialization vulnerability that leads to arbitrary file deletion and, under certain circumstances, code execution, because of unsafe usage of PHP's unserialize() in vB_Library_Template's cacheTemplates() function, which is a publicly exposed API. | network | low | vbulletin | CWE-502 | critical | 9.8 |
| 2017-12-01 | CVE-2017-11284 | Deserialization of Untrusted Data vulnerability in Adobe Coldfusion 11.0/2016 | Adobe ColdFusion has an Untrusted Data Deserialization vulnerability. | network | low | adobe | CWE-502 | critical | 9.8 |