Total: 934 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2023-26234 | 1 Jd-gui Project | 1 Jd-gui | 2023-03-02 | N/A | 9.8 CRITICAL | JD-GUI 1.6.6 allows deserialization via UIMainWindowPreferencesProvider.singleInstance. |
CVE-2022-39379 | 2 Fedoraproject, Fluentd | 2 Fedora, Fluentd | 2023-03-01 | N/A | 9.8 CRITICAL | Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Fluentd setups are only affected if the environment variable `FLUENT_OJ_OPTION_MODE` is explicitly set to `object`. Note: the option `FLUENT_OJ_OPTION_MODE` was introduced in Fluentd version 1.13.2; earlier versions of Fluentd are not affected by this vulnerability. This issue was patched in version 1.15.3. As a workaround, do not use `FLUENT_OJ_OPTION_MODE=object`. |
CVE-2019-12747 | 1 Typo3 | 1 Typo3 | 2023-03-01 | 6.5 MEDIUM | 8.8 HIGH | TYPO3 8.x through 8.7.26 and 9.x through 9.5.7 allows Deserialization of Untrusted Data. |
CVE-2019-14439 | 6 Apache, Debian, Fasterxml and 3 more | 18 Drill, Debian Linux, Jackson-databind and 15 more | 2023-02-28 | 5.0 MEDIUM | 7.5 HIGH | A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath. |
CVE-2022-47986 | 3 Ibm, Linux, Microsoft | 3 Aspera Faspex, Linux Kernel, Windows | 2023-02-28 | N/A | 9.8 CRITICAL | IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system. The obsolete API call was removed in Faspex 4.4.2 PL2. IBM X-Force ID: 243512. |
CVE-2023-0232 | 1 Hasthemes | 1 Shoplentor | 2023-02-27 | N/A | 9.8 CRITICAL | The ShopLentor WordPress plugin before 2.5.4 unserializes user input from cookies in order to track viewed products and user data, which could lead to PHP Object Injection. |
CVE-2021-42392 | 3 Debian, H2database, Oracle | 3 Debian Linux, H2, Communications Cloud Native Core Policy | 2023-02-24 | 10.0 HIGH | 9.8 CRITICAL | The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and the URL of the database. An attacker may pass a JNDI driver name and a URL leading to an LDAP or RMI server, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console, which leads to unauthenticated remote code execution. |
CVE-2022-47507 | 1 Solarwinds | 1 Orion Platform | 2023-02-24 | N/A | 7.2 HIGH | SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to the SolarWinds Web Console to execute arbitrary commands. |
CVE-2022-38111 | 1 Solarwinds | 1 Orion Platform | 2023-02-24 | N/A | 7.2 HIGH | SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to the SolarWinds Web Console to execute arbitrary commands. |
CVE-2022-47504 | 1 Solarwinds | 1 Orion Platform | 2023-02-24 | N/A | 7.2 HIGH | SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to the SolarWinds Web Console to execute arbitrary commands. |
CVE-2022-47503 | 1 Solarwinds | 1 Orion Platform | 2023-02-24 | N/A | 7.2 HIGH | SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to the SolarWinds Web Console to execute arbitrary commands. |
CVE-2023-23836 | 1 Solarwinds | 1 Orion Platform | 2023-02-24 | N/A | 7.2 HIGH | SolarWinds Platform version 2022.4.1 was found to be susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to the SolarWinds Web Console to execute arbitrary commands. |
CVE-2022-23302 | 5 Apache, Broadcom, Netapp and 2 more | 26 Log4j, Brocade Sannav, Snapmanager and 23 more | 2023-02-24 | 6.0 MEDIUM | 8.8 HIGH | JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution, in a similar fashion to CVE-2021-4104. Note that this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2, as it addresses numerous other issues from the previous versions. |
CVE-2022-23307 | 3 Apache, Oracle, Qos | 26 Chainsaw, Log4j, Advanced Supply Chain Planning and 23 more | 2023-02-24 | 9.0 HIGH | 8.8 HIGH | CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0, Chainsaw was a component of Apache Log4j 1.2.x, where the same issue exists. |
CVE-2019-16891 | 1 Liferay | 1 Liferay Portal | 2023-02-23 | 7.5 HIGH | 9.8 CRITICAL | Liferay Portal CE 6.2.5 allows remote command execution because of deserialization of a JSON payload. |
CVE-2022-25845 | 2 Alibaba, Oracle | 2 Fastjson, Communications Cloud Native Core Unified Data Repository | 2023-02-23 | 6.8 MEDIUM | 9.8 CRITICAL | The package com.alibaba:fastjson before 1.2.83 is vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows attacking remote servers. Workaround: if upgrading is not possible, you can enable [safeMode](https://github.com/alibaba/fastjson/wiki/fastjson_safemode). |
CVE-2021-36981 | 1 Sernet | 1 Verinice | 2023-02-22 | 9.0 HIGH | 8.8 HIGH | In the server in SerNet verinice before 1.22.2, insecure Java deserialization allows remote authenticated attackers to execute arbitrary code. |
CVE-2023-25558 | 1 Datahub Project | 1 Datahub | 2023-02-21 | N/A | 8.8 HIGH | DataHub is an open-source metadata platform. When the DataHub frontend is configured to authenticate via SSO, it will leverage the pac4j library. The processing of the `id_token` is done in an unsafe manner which is not properly accounted for by the DataHub frontend. Specifically, if any of the id_token claim values start with the {#sb64} prefix, pac4j considers the value to be a serialized Java object and will deserialize it. This issue may lead to Remote Code Execution (RCE) in the worst case. Although a `RestrictedObjectInputStream` is in place that puts some restriction on what classes can be deserialized, it still allows a broad range of Java packages and is potentially exploitable with different gadget chains. Users are advised to upgrade. There are no known workarounds. This vulnerability was discovered and reported by the GitHub Security Lab and is tracked as GHSL-2022-086. |
CVE-2022-45982 | 1 Thinkphp | 1 Thinkphp | 2023-02-16 | N/A | 9.8 CRITICAL | ThinkPHP 6.0.0~6.0.13 and 6.1.0~6.1.1 contain a deserialization vulnerability. This vulnerability allows attackers to execute arbitrary code via a crafted payload. |
CVE-2023-25194 | 1 Apache | 1 Kafka | 2023-02-16 | N/A | 8.8 HIGH | A possible security vulnerability has been identified in Apache Kafka Connect. This requires access to a Kafka Connect worker, and the ability to create/modify connectors on it with an arbitrary Kafka client SASL JAAS config and a SASL-based security protocol, which has been possible on Kafka Connect clusters since Apache Kafka 2.3.0. When configuring the connector via the Kafka Connect REST API, an authenticated operator can set the `sasl.jaas.config` property for any of the connector's Kafka clients to "com.sun.security.auth.module.JndiLoginModule", which can be done via the `producer.override.sasl.jaas.config`, `consumer.override.sasl.jaas.config`, or `admin.override.sasl.jaas.config` properties. This will allow the server to connect to the attacker's LDAP server and deserialize the LDAP response, which the attacker can use to execute Java deserialization gadget chains on the Kafka Connect server. An attacker can cause unrestricted deserialization of untrusted data (or an RCE vulnerability when there are gadgets in the classpath). Since Apache Kafka 3.0.0, users are allowed to specify these properties in connector configurations for Kafka Connect clusters running with out-of-the-box configurations. Before Apache Kafka 3.0.0, users may not specify these properties unless the Kafka Connect cluster has been reconfigured with a connector client override policy that permits them. Since Apache Kafka 3.4.0, a system property ("-Dorg.apache.kafka.disallowed.login.modules") has been added to disable the problematic login modules in SASL JAAS configuration. Also, by default, "com.sun.security.auth.module.JndiLoginModule" is disabled in Apache Kafka 3.4.0. Kafka Connect users are advised to validate connector configurations and only allow trusted JNDI configurations. They should also examine connector dependencies for vulnerable versions and, as remediation options, either upgrade their connectors, upgrade that specific dependency, or remove the connectors. Finally, in addition to leveraging the "org.apache.kafka.disallowed.login.modules" system property, Kafka Connect users can also implement their own connector client config override policy, which can be used to control which Kafka client properties can be overridden directly in a connector config and which cannot. |