Vulnerabilities > Deserialization of Untrusted Data

DATE CVE VULNERABILITY TITLE RISK
2017-07-17 CVE-2016-6793 Deserialization of Untrusted Data vulnerability in Apache Wicket
The DiskFileItem class in Apache Wicket 6.x before 6.25.0 and 1.5.x before 1.5.17 allows remote attackers to cause a denial of service (infinite loop) and write to, move, and delete files with the permissions of DiskFileItem, and if running on a Java VM before 1.3.1, execute arbitrary code via a crafted serialized Java object.
network
low complexity
apache CWE-502
critical
9.1
2017-07-12 CVE-2017-9844 Deserialization of Untrusted Data vulnerability in SAP Netweaver 7400.12.21.30308
SAP NetWeaver 7400.12.21.30308 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted serialized Java object in a request to metadatauploader, aka SAP Security Note 2399804.
network
low complexity
sap CWE-502
critical
9.8
2017-07-10 CVE-2017-11143 Deserialization of Untrusted Data vulnerability in PHP
In PHP before 5.6.31, an invalid free in the WDDX deserialization of boolean parameters could be used by attackers able to inject XML for deserialization to crash the PHP interpreter, related to an invalid free for an empty boolean element in ext/wddx/wddx.c.
network
low complexity
php CWE-502
7.5
2017-07-06 CVE-2016-4000 Deserialization of Untrusted Data vulnerability in multiple products
Jython before 2.7.1rc1 allows attackers to execute arbitrary code via a crafted serialized PyFunction object.
network
low complexity
jython-project debian CWE-502
critical
9.8
2017-07-05 CVE-2017-2295 Deserialization of Untrusted Data vulnerability in multiple products
Versions of Puppet prior to 4.10.1 will deserialize data off the wire (from the agent to the server, in this case) with a attacker-specified format.
network
high complexity
puppet debian CWE-502
8.2
2017-07-04 CVE-2017-10803 Deserialization of Untrusted Data vulnerability in Odoo 10.0/8.0/9.0
In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, insecure handling of anonymization data in the Database Anonymization module allows remote authenticated privileged users to execute arbitrary Python code, because unpickle is used.
local
low complexity
odoo CWE-502
6.5
2017-06-30 CVE-2017-2292 Deserialization of Untrusted Data vulnerability in Puppet Mcollective
Versions of MCollective prior to 2.10.4 deserialized YAML from agents without calling safe_load, allowing the potential for arbitrary code execution on the server.
network
low complexity
puppet CWE-502
critical
9.0
2017-06-27 CVE-2017-9830 Deserialization of Untrusted Data vulnerability in Code42 Crashplan 5.4
Remote Code Execution is possible in Code42 CrashPlan 5.4.x via the org.apache.commons.ssl.rmi.DateRMI Java class, because (upon instantiation) it creates an RMI server that listens on a TCP port and deserializes objects sent by TCP clients.
network
low complexity
code42 CWE-502
critical
9.8
2017-06-22 CVE-2017-9424 Deserialization of Untrusted Data vulnerability in Ideablade Breeze.Server.Net
IdeaBlade Breeze Breeze.Server.NET before 1.6.5 allows remote attackers to execute arbitrary code, related to use of TypeNameHandling in JSON deserialization.
network
low complexity
ideablade CWE-502
critical
9.8
2017-06-08 CVE-2016-7050 Deserialization of Untrusted Data vulnerability in Redhat products
SerializableProvider in RESTEasy in Red Hat Enterprise Linux Desktop 7, Red Hat Enterprise Linux HPC Node 7, Red Hat Enterprise Linux Server 7, and Red Hat Enterprise Linux Workstation 7 allows remote attackers to execute arbitrary code.
network
low complexity
redhat CWE-502
critical
9.8