Total
1747 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-15957 | 1 Adobe | 1 Coldfusion | 2024-11-21 | N/A |
| Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have a deserialization of untrusted data vulnerability. Successful exploitation could lead to arbitrary code execution. | ||||
| CVE-2018-15890 | 1 Ethereum | 1 Ethereumj | 2024-11-21 | N/A |
| An issue was discovered in EthereumJ 1.8.2. There is Unsafe Deserialization in ois.readObject in mine/Ethash.java and decoder.readObject in crypto/ECKey.java. When a node syncs and mines a new block, arbitrary OS commands can be run on the server. | ||||
| CVE-2018-15691 | 1 Broadcom | 1 Release Automation | 2024-11-21 | N/A |
| Insecure deserialization of a specially crafted serialized object, in CA Release Automation 6.5 and earlier, allows attackers to potentially execute arbitrary code. | ||||
| CVE-2018-15686 | 5 Canonical, Debian, Oracle and 2 more | 10 Ubuntu Linux, Debian Linux, Communications Cloud Native Core Network Function Cloud Native Environment and 7 more | 2024-11-21 | 7.8 High |
| A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. Affected releases are systemd versions up to and including 239. | ||||
| CVE-2018-15616 | 1 Avaya | 1 Avaya Aura System Platform | 2024-11-21 | N/A |
| A vulnerability in the Web UI component of Avaya Aura System Platform could allow a remote, unauthenticated user to perform a targeted deserialization attack that could result in remote code execution. Affected versions of System Platform includes 6.3.0 through 6.3.9 and 6.4.0 through 6.4.2. | ||||
| CVE-2018-15576 | 1 Hazzardweb | 1 Easylogin Pro | 2024-11-21 | N/A |
| An issue was discovered in EasyLogin Pro through 1.3.0. Encryptor.php contains an unserialize call that can be exploited for remote code execution in the decrypt function, if the attacker knows the key. | ||||
| CVE-2018-15514 | 1 Docker | 1 Docker | 2024-11-21 | N/A |
| HandleRequestAsync in Docker for Windows before 18.06.0-ce-rc3-win68 (edge) and before 18.06.0-ce-win72 (stable) deserialized requests over the \\.\pipe\dockerBackend named pipe without verifying the validity of the deserialized .NET objects. This would allow a malicious user in the "docker-users" group (who may not otherwise have administrator access) to escalate to administrator privileges. | ||||
| CVE-2018-15503 | 1 Swoole | 1 Swoole | 2024-11-21 | N/A |
| The unpack implementation in Swoole version 4.0.4 lacks correct size checks in the deserialization process. An attacker can craft a serialized object to exploit this vulnerability and cause a SEGV. | ||||
| CVE-2018-14878 | 1 Jetbrains | 2 Dotpeek, Resharper Ultimate | 2024-11-21 | N/A |
| JetBrains dotPeek before 2018.2 and ReSharper Ultimate before 2018.1.4 allow attackers to execute code by decompiling a compiled .NET object (such as a DLL or EXE file) with a specific file, because of Deserialization of Untrusted Data. | ||||
| CVE-2018-14720 | 4 Debian, Fasterxml, Oracle and 1 more | 21 Debian Linux, Jackson-databind, Banking Platform and 18 more | 2024-11-21 | N/A |
| FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization. | ||||
| CVE-2018-14719 | 5 Debian, Fasterxml, Netapp and 2 more | 31 Debian Linux, Jackson-databind, Oncommand Workflow Automation and 28 more | 2024-11-21 | 9.8 Critical |
| FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization. | ||||
| CVE-2018-14718 | 5 Debian, Fasterxml, Netapp and 2 more | 36 Debian Linux, Jackson-databind, Oncommand Workflow Automation and 33 more | 2024-11-21 | 9.8 Critical |
| FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization. | ||||
| CVE-2018-14572 | 1 Pyconuk | 1 Conference-scheduler-cli | 2024-11-21 | N/A |
| In conference-scheduler-cli, a pickle.load call on imported data allows remote attackers to execute arbitrary code via a crafted .pickle file, as demonstrated by Python code that contains an os.system call. | ||||
| CVE-2018-12680 | 1 Coapthon Project | 1 Coapthon | 2024-11-21 | N/A |
| The Serialize.deserialize() method in CoAPthon 3.1, 4.0.0, 4.0.1, and 4.0.2 mishandles certain exceptions, leading to a denial of service in applications that use this library (e.g., the standard CoAP server, CoAP client, CoAP reverse proxy, example collect CoAP server and client) when they receive crafted CoAP messages. | ||||
| CVE-2018-12679 | 1 Coapthon3 Project | 1 Coapthon3 | 2024-11-21 | N/A |
| The Serialize.deserialize() method in CoAPthon3 1.0 and 1.0.1 mishandles certain exceptions, leading to a denial of service in applications that use this library (e.g., the standard CoAP server, CoAP client, example collect CoAP server and client) when they receive crafted CoAP messages. | ||||
| CVE-2018-12539 | 3 Eclipse, Oracle, Redhat | 4 Openj9, Enterprise Manager Base Platform, Network Satellite and 1 more | 2024-11-21 | N/A |
| In Eclipse OpenJ9 version 0.8, users other than the process owner may be able to use Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and use Attach API operations, which includes the ability to execute untrusted native code. Attach API is enabled by default on Windows, Linux and AIX JVMs and can be disabled using the command line option -Dcom.ibm.tools.attach.enable=no. | ||||
| CVE-2018-12023 | 5 Debian, Fasterxml, Fedoraproject and 2 more | 20 Debian Linux, Jackson-databind, Fedora and 17 more | 2024-11-21 | N/A |
| An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload. | ||||
| CVE-2018-12022 | 5 Debian, Fasterxml, Fedoraproject and 2 more | 20 Debian Linux, Jackson-databind, Fedora and 17 more | 2024-11-21 | 7.5 High |
| An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload. | ||||
| CVE-2018-11779 | 1 Apache | 1 Storm | 2024-11-21 | N/A |
| In Apache Storm versions 1.1.0 to 1.2.2, when the user is using the storm-kafka-client or storm-kafka modules, it is possible to cause the Storm UI daemon to deserialize user provided bytes into a Java class. | ||||
| CVE-2018-11569 | 1 Eventum Project | 1 Eventum | 2024-11-21 | N/A |
| Controller/ListController.php in Eventum 3.5.0 is vulnerable to Deserialization of Untrusted Data. Fixed in version 3.5.2. | ||||