Total
2270 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2016-8749 | 2 Apache, Redhat | 3 Camel, Jboss Amq, Jboss Fuse | 2025-04-20 | N/A |
| Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks. | ||||
| CVE-2017-0903 | 4 Canonical, Debian, Redhat and 1 more | 11 Ubuntu Linux, Debian Linux, Enterprise Linux and 8 more | 2025-04-20 | N/A |
| RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution. | ||||
| CVE-2016-0360 | 1 Ibm | 1 Websphere Mq Jms | 2025-04-20 | N/A |
| IBM Websphere MQ JMS 7.0.1, 7.1, 7.5, 8.0, and 9.0 client provides classes that deserialize objects from untrusted sources which could allow a malicious user to execute arbitrary Java code by adding vulnerable classes to the classpath. IBM Reference #: 1983457. | ||||
| CVE-2017-1000248 | 1 Redis-store | 1 Redis-store | 2025-04-20 | N/A |
| Redis-store <=v1.3.0 allows unsafe objects to be loaded from redis | ||||
| CVE-2017-2295 | 3 Debian, Puppet, Redhat | 4 Debian Linux, Puppet, Satellite and 1 more | 2025-04-20 | N/A |
| Versions of Puppet prior to 4.10.1 will deserialize data off the wire (from the agent to the server, in this case) with a attacker-specified format. This could be used to force YAML deserialization in an unsafe manner, which would lead to remote code execution. This change constrains the format of data on the wire to PSON or safely decoded YAML. | ||||
| CVE-2016-4000 | 2 Debian, Jython Project | 2 Debian Linux, Jython | 2025-04-20 | N/A |
| Jython before 2.7.1rc1 allows attackers to execute arbitrary code via a crafted serialized PyFunction object. | ||||
| CVE-2016-3690 | 1 Redhat | 1 Jboss Enterprise Application Platform | 2025-04-20 | N/A |
| The PooledInvokerServlet in JBoss EAP 4.x and 5.x allows remote attackers to execute arbitrary code via a crafted serialized payload. | ||||
| CVE-2017-5830 | 1 Revive-adserver | 1 Revive Adserver | 2025-04-20 | N/A |
| Revive Adserver before 4.0.1 allows remote attackers to execute arbitrary code via serialized data in the cookies related to the delivery scripts. | ||||
| CVE-2014-9515 | 1 Dozer Project | 1 Dozer | 2025-04-20 | 9.8 Critical |
| Dozer improperly uses a reflection-based approach to type conversion, which might allow remote attackers to execute arbitrary code via a crafted serialized object. | ||||
| CVE-2017-8804 | 1 Gnu | 1 Glibc | 2025-04-20 | N/A |
| The xdr_bytes and xdr_string functions in the GNU C Library (aka glibc or libc6) 2.25 mishandle failures of buffer deserialization, which allows remote attackers to cause a denial of service (virtual memory allocation, or memory consumption if an overcommit setting is not used) via a crafted UDP packet to port 111, a related issue to CVE-2017-8779. NOTE: [Information provided from upstream and references | ||||
| CVE-2016-8736 | 1 Apache | 1 Openmeetings | 2025-04-20 | N/A |
| Apache OpenMeetings before 3.1.2 is vulnerable to Remote Code Execution via RMI deserialization attack. | ||||
| CVE-2017-9424 | 1 Ideablade | 1 Breeze.server.net | 2025-04-20 | N/A |
| IdeaBlade Breeze Breeze.Server.NET before 1.6.5 allows remote attackers to execute arbitrary code, related to use of TypeNameHandling in JSON deserialization. | ||||
| CVE-2017-9363 | 1 Soffid | 1 Iam | 2025-04-20 | N/A |
| Untrusted Java serialization in Soffid IAM console before 1.7.5 allows remote attackers to achieve arbitrary remote code execution via a crafted authentication request. | ||||
| CVE-2017-8829 | 1 Debian | 1 Lintian | 2025-04-20 | N/A |
| Deserialization vulnerability in lintian through 2.5.50.3 allows attackers to trigger code execution by requesting a review of a source package with a crafted YAML file. | ||||
| CVE-2016-6793 | 1 Apache | 1 Wicket | 2025-04-20 | N/A |
| The DiskFileItem class in Apache Wicket 6.x before 6.25.0 and 1.5.x before 1.5.17 allows remote attackers to cause a denial of service (infinite loop) and write to, move, and delete files with the permissions of DiskFileItem, and if running on a Java VM before 1.3.1, execute arbitrary code via a crafted serialized Java object. | ||||
| CVE-2017-5983 | 1 Atlassian | 1 Jira | 2025-04-20 | N/A |
| The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3.0 improperly uses an XML parser and deserializer, which allows remote attackers to execute arbitrary code, read arbitrary files, or cause a denial of service via a crafted serialized Java object. | ||||
| CVE-2017-4914 | 1 Vmware | 1 Vsphere Data Protection | 2025-04-20 | N/A |
| VMware vSphere Data Protection (VDP) 6.1.x, 6.0.x, 5.8.x, and 5.5.x contains a deserialization issue. Exploitation of this issue may allow a remote attacker to execute commands on the appliance. | ||||
| CVE-2017-5645 | 4 Apache, Netapp, Oracle and 1 more | 86 Log4j, Oncommand Api Services, Oncommand Insight and 83 more | 2025-04-20 | 9.8 Critical |
| In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code. | ||||
| CVE-2017-14035 | 1 Crushftp | 1 Crushftp | 2025-04-20 | N/A |
| CrushFTP 8.x before 8.2.0 has a serialization vulnerability. | ||||
| CVE-2017-10932 | 1 Zte | 12 Nr8000tr, Nr8000tr Firmware, Nr8120 and 9 more | 2025-04-20 | 9.8 Critical |
| All versions prior to V12.17.20 of the ZTE Microwave NR8000 series products - NR8120, NR8120A, NR8120, NR8150, NR8250, NR8000 TR and NR8950 are the applications of C/S architecture using the Java RMI service in which the servers use the Apache Commons Collections (ACC) library that may result in Java deserialization vulnerabilities. An unauthenticated remote attacker can exploit the vulnerabilities by sending a crafted RMI request to execute arbitrary code on the target host. | ||||