Vulnerabilities > Deserialization of Untrusted Data
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-02-06 | CVE-2016-3957 | Deserialization of Untrusted Data vulnerability in Web2Py The secure_load function in gluon/utils.py in web2py before 2.14.2 uses pickle.loads to deserialize session information stored in cookies, which might allow remote attackers to execute arbitrary code by leveraging knowledge of encryption_key. | 9.8 |
| 2018-02-06 | CVE-2017-15095 | Deserialization of Untrusted Data vulnerability in multiple products A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. | 9.8 |
| 2018-01-29 | CVE-2017-1000355 | Deserialization of Untrusted Data vulnerability in Jenkins Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an XStream: Java crash when trying to instantiate void/Void. | 6.5 |
| 2018-01-29 | CVE-2017-1000353 | Deserialization of Untrusted Data vulnerability in multiple products Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. | 9.8 |
| 2018-01-29 | CVE-2017-4947 | Deserialization of Untrusted Data vulnerability in VMWare Vrealize Automation and Vsphere Integrated Containers VMware vRealize Automation (7.3 and 7.2) and vSphere Integrated Containers (1.x before 1.3) contain a deserialization vulnerability via Xenon. | 9.8 |
| 2018-01-25 | CVE-2017-15703 | Deserialization of Untrusted Data vulnerability in Apache Nifi Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and caused a denial of service via Java deserialization attack. | 5.0 |
| 2018-01-25 | CVE-2018-1051 | Deserialization of Untrusted Data vulnerability in Redhat Resteasy 3.0.22/3.1.2 It was found that the fix for CVE-2016-9606 in versions 3.0.22 and 3.1.2 was incomplete and Yaml unmarshalling in Resteasy is still possible via `Yaml.load()` in YamlProvider. | 8.1 |
| 2018-01-23 | CVE-2017-17406 | Deserialization of Untrusted Data vulnerability in Netgain-Systems Enterprise Manager 7.2.699/7.2.730 This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Netgain Enterprise Manager. | 9.8 |
| 2018-01-22 | CVE-2018-5968 | Deserialization of Untrusted Data vulnerability in multiple products FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. | 8.1 |
| 2018-01-18 | CVE-2016-6814 | Deserialization of Untrusted Data vulnerability in multiple products When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. | 9.8 |