Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by CWE-502
Total 934 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-4489 1 Pluginus 1 Husky - Products Filter Professional For Woocommerce 2023-02-15 N/A 7.2 HIGH
The HUSKY WordPress plugin before 1.3.2 unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present.
CVE-2023-0669 1 Fortra 1 Goanywhere Managed File Transfer 2023-02-15 N/A 7.2 HIGH
Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object. This issue was patched in version 7.1.2.
CVE-2023-25135 1 Vbulletin 1 Vbulletin 2023-02-13 N/A 9.8 CRITICAL
vBulletin before 5.6.9 PL1 allows an unauthenticated remote attacker to execute arbitrary code via a crafted HTTP request that triggers deserialization. This occurs because verify_serialized checks that a value is serialized by calling unserialize and then checking for errors. The fixed versions are 5.6.7 PL1, 5.6.8 PL1, and 5.6.9 PL1.
CVE-2016-6330 1 Redhat 1 Jboss Operations Network 2023-02-12 9.0 HIGH 9.8 CRITICAL
The server in Red Hat JBoss Operations Network (JON), when SSL authentication is not configured for JON server / agent communication, allows remote attackers to execute arbitrary code via a crafted HTTP request, related to message deserialization. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-3737.
CVE-2019-10202 1 Redhat 2 Enterprise Linux, Jboss Enterprise Application Platform 2023-02-12 7.5 HIGH 9.8 CRITICAL
A series of deserialization vulnerabilities have been discovered in Codehaus 1.9.x implemented in EAP 7. This CVE fixes CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873, CVE-2019-12086 reported for FasterXML jackson-databind by implementing a whitelist approach that will mitigate these vulnerabilities and future ones alike.
CVE-2016-8653 1 Redhat 2 Jboss A-mq, Jboss Fuse 2023-02-12 5.0 MEDIUM 5.3 MEDIUM
It was found that the JMX endpoint of Red Hat JBoss Fuse 6, and Red Hat A-MQ 6 deserializes the credentials passed to it. An attacker could use this flaw to launch a denial of service attack.
CVE-2016-8648 1 Redhat 2 Jboss A-mq, Jboss Fuse 2023-02-12 6.5 MEDIUM 7.2 HIGH
It was found that the Karaf container used by Red Hat JBoss Fuse 6.x, and Red Hat JBoss A-MQ 6.x, deserializes objects passed to MBeans via JMX operations. An attacker could use this flaw to execute remote code on the server as the user running the Java Virtual Machine if the target MBean contain deserialization gadgets in its classpath.
CVE-2016-4978 2 Apache, Redhat 3 Activemq Artemis, Enterprise Linux Server, Jboss Enterprise Application Platform 2023-02-12 6.0 MEDIUM 7.2 HIGH
The getObject method of the javax.jms.ObjectMessage class in the (1) JMS Core client, (2) Artemis broker, and (3) Artemis REST component in Apache ActiveMQ Artemis before 1.4.0 might allow remote authenticated users with permission to send messages to the Artemis broker to deserialize arbitrary objects and execute arbitrary code by leveraging gadget classes being present on the Artemis classpath.
CVE-2016-5003 1 Apache 1 Ws-xmlrpc 2023-02-12 7.5 HIGH 9.8 CRITICAL
The Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to execute arbitrary code via a crafted serialized Java object in an <ex:serializable> element.
CVE-2021-25642 1 Apache 1 Hadoop 2023-02-10 N/A 8.8 HIGH
ZKConfigurationStore which is optionally used by CapacityScheduler of Apache Hadoop YARN deserializes data obtained from ZooKeeper without validation. An attacker having access to ZooKeeper can run arbitrary commands as YARN user by exploiting this. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.4 or later (containing YARN-11126) if ZKConfigurationStore is used.
CVE-2023-24997 1 Apache 1 Inlong 2023-02-08 N/A 9.8 CRITICAL
Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.1.0 through 1.5.0. Users are advised to upgrade to Apache InLong's latest version or cherry-pick to solve it.
CVE-2023-24162 1 Hutool 1 Hutool 2023-02-07 N/A 9.8 CRITICAL
Deserialization vulnerability in Dromara Hutool v5.8.11 allows attacker to execute arbitrary code via the XmlUtil.readObjectFromXml parameter.
CVE-2022-32521 1 Schneider-electric 1 Data Center Expert 2023-02-07 N/A 9.8 CRITICAL
A CWE 502: Deserialization of Untrusted Data vulnerability exists that could allow code to be remotely executed on the server when unsafely deserialized data is posted to the web server. Affected Products: Data Center Expert (Versions prior to V7.9.0)
CVE-2022-44645 1 Apache 1 Linkis 2023-02-07 N/A 8.8 HIGH
In Apache Linkis <=1.3.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and configures new datasource with a MySQL data source and malicious parameters. Therefore, the parameters in the jdbc url should be blacklisted. Versions of Apache Linkis <= 1.3.0 will be affected. We recommend users to upgrade the version of Linkis to version 1.3.1.
CVE-2022-4680 1 Revive 1 Revive Old Posts 2023-02-06 N/A 7.2 HIGH
The Revive Old Posts WordPress plugin before 9.0.11 unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present.
CVE-2021-44228 11 Apache, Bentley, Cisco and 8 more 156 Log4j, Synchro, Synchro 4d and 153 more 2023-02-06 9.3 HIGH 10.0 CRITICAL
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
CVE-2022-46366 1 Apache 1 Tapestry 2023-02-03 N/A 9.8 CRITICAL
** UNSUPPORTED WHEN ASSIGNED ** Apache Tapestry 3.x allows deserialization of untrusted data, leading to remote code execution. This issue is similar to but distinct from CVE-2020-17531, which applies the the (also unsupported) 4.x version line. NOTE: This vulnerability only affects Apache Tapestry version line 3.x, which is no longer supported by the maintainer. Users are recommended to upgrade to a supported version line of Apache Tapestry.
CVE-2019-4279 1 Ibm 1 Websphere Application Server 2023-02-03 10.0 HIGH 9.8 CRITICAL
IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects from untrusted sources. IBM X-Force ID: 160445.
CVE-2020-17531 1 Apache 1 Tapestry 2023-02-03 7.5 HIGH 9.8 CRITICAL
A Java Serialization vulnerability was found in Apache Tapestry 4. Apache Tapestry 4 will attempt to deserialize the "sp" parameter even before invoking the page's validate method, leading to deserialization without authentication. Apache Tapestry 4 reached end of life in 2008 and no update to address this issue will be released. Apache Tapestry 5 versions are not vulnerable to this issue. Users of Apache Tapestry 4 should upgrade to the latest Apache Tapestry 5 version.
CVE-2022-36944 2 Fedoraproject, Scala-lang 2 Fedora, Scala 2023-02-03 N/A 9.8 CRITICAL
Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with Java object deserialization within an application. In such situations, it allows attackers to erase contents of arbitrary files, make network connections, or possibly run arbitrary code (specifically, Function0 functions) via a gadget chain.