CVE & Exploit Intelligence Database


Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

338,223 CVEs tracked | 53,271 with exploits | 4,730 exploited in the wild | 1,542 in CISA KEV | 3,929 Nuclei templates | 37,826 vendors | 42,547 researchers
2,435 results
CVE-2015-2020 | CVSS 9.8 CRITICAL | EPSS 0.01
Myscript < 1.3 - Insecure Deserialization
The MyScript SDK before 1.3 for Android might allow attackers to execute arbitrary code by leveraging a finalize method in a Serializable class that improperly passes an attacker-controlled pointer to a native function.
CWE-502 | Mar 29, 2018
CVE-2017-1677 | CVSS 7.4 HIGH | EPSS 0.00
IBM DB2 for Linux, UNIX and Windows <11.1 - Code Injection
IBM Data Server Driver for JDBC and SQLJ (IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1) deserializes the contents of /tmp/connlicj.bin which leads to object injection and potentially arbitrary code execution depending on the classpath. IBM X-Force ID: 133999.
CWE-502 | Mar 22, 2018
CVE-2018-7529 | CVSS 7.5 HIGH | EPSS 0.01
Osisoft PI Data Archive < 2017 - Insecure Deserialization
A Deserialization of Untrusted Data issue was discovered in OSIsoft PI Data Archive versions 2017 and prior. Unauthenticated users may modify deserialized data to send custom requests that crash the server.
CWE-502 | Mar 14, 2018
CVE-2018-1000074 | CVSS 7.8 HIGH | 1 Writeup | EPSS 0.01
RubyGems <2.7.6 - Deserialization of Untrusted Data
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Deserialization of Untrusted Data vulnerability in the owner command that can result in code execution. This attack appears to be exploitable when the victim runs the `gem owner` command on a gem with a specially crafted YAML file. This vulnerability appears to have been fixed in 2.7.6.
CWE-502 | Mar 13, 2018
CVE-2016-9585 | CVSS 5.3 MEDIUM | EPSS 0.00
Redhat Jboss Enterprise Application P... - Insecure Deserialization
Red Hat JBoss EAP version 5 is vulnerable to a deserialization of untrusted data in the JMX endpoint when it deserializes the credentials passed to it. An attacker could exploit this vulnerability resulting in a denial of service attack.
CWE-502 | Mar 09, 2018
CVE-2018-7889 | CVSS 7.8 HIGH | 1 Writeup | EPSS 0.11
Calibre <3.18 - RCE
gui2/viewer/bookmarkmanager.py in Calibre 3.18 calls cPickle.load on imported bookmark data, which allows remote attackers to execute arbitrary code via a crafted .pickle file, as demonstrated by Python code that contains an os.system call.
CWE-502 | Mar 08, 2018
CVE-2018-0147 | CVSS 9.8 CRITICAL | CISA KEV | EPSS 0.04
Cisco Secure Access Control System - Insecure Deserialization
A vulnerability in Java deserialization used by Cisco Secure Access Control System (ACS) prior to release 5.8 patch 9 could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device. The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerability by sending a crafted serialized Java object. An exploit could allow the attacker to execute arbitrary commands on the device with root privileges. Cisco Bug IDs: CSCvh25988.
CWE-502 | Mar 08, 2018
CVE-2017-15693 | CVSS 7.5 HIGH | EPSS 0.03
Apache Geode < 1.4.0 - Insecure Deserialization
In Apache Geode before v1.4.0, the Geode server stores application objects in serialized form. Certain cluster operations and API invocations cause these objects to be deserialized. A user with DATA:WRITE access to the cluster may be able to cause remote code execution if certain classes are present on the classpath.
CWE-502 | Feb 27, 2018
CVE-2017-15692 | CVSS 9.8 CRITICAL | EPSS 0.05
Apache Geode < 1.4.0 - Insecure Deserialization
In Apache Geode before v1.4.0, the TcpServer within the Geode locator opens a network port that deserializes data. If an unprivileged user gains access to the Geode locator, they may be able to cause remote code execution if certain classes are present on the classpath.
CWE-502 | Feb 27, 2018
CVE-2018-7489 | CVSS 9.8 CRITICAL | 3 PoCs | Analysis | EPSS 0.36
Fasterxml Jackson-databind < 2.7.9.3 - Remote Code Execution
FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
CWE-184 | Feb 26, 2018
CVE-2017-8967 | CVSS 8.8 HIGH | EPSS 0.02
Hewlett Packard Enterprise iMC <7.3 - Deserialization
A Deserialization of Untrusted Data vulnerability in Hewlett Packard Enterprise Intelligent Management Center (iMC) PLAT version 7.3 E0504P2 was found.
CWE-502 | Feb 15, 2018
CVE-2017-8966 | CVSS 8.8 HIGH | EPSS 0.02
Hewlett Packard Enterprise iMC <7.3 E0504P2 - Deserialization
A Deserialization of Untrusted Data vulnerability in Hewlett Packard Enterprise Intelligent Management Center (iMC) PLAT version 7.3 E0504P2 was found.
CWE-502 | Feb 15, 2018
CVE-2017-8965 | CVSS 8.8 HIGH | EPSS 0.02
Hewlett Packard Enterprise iMC <7.3 E0504P2 - Deserialization
A Deserialization of Untrusted Data vulnerability in Hewlett Packard Enterprise Intelligent Management Center (iMC) PLAT version 7.3 E0504P2 was found.
CWE-502 | Feb 15, 2018
CVE-2017-8964 | CVSS 8.8 HIGH | EPSS 0.02
Hewlett Packard Enterprise iMC <7.3 E0504P2 - Deserialization
A Deserialization of Untrusted Data vulnerability in Hewlett Packard Enterprise Intelligent Management Center (iMC) PLAT version 7.3 E0504P2 was found.
CWE-502 | Feb 15, 2018
CVE-2017-8963 | CVSS 8.8 HIGH | EPSS 0.02
Hewlett Packard Enterprise iMC <7.3 - Deserialization
A Deserialization of Untrusted Data vulnerability in Hewlett Packard Enterprise Intelligent Management Center (iMC) PLAT version 7.3 E0504P2 was found.
CWE-502 | Feb 15, 2018
CVE-2017-8962 | CVSS 8.8 HIGH | EPSS 0.02
Hewlett Packard Enterprise iMC <7.3 E0504P2 - Deserialization
A Deserialization of Untrusted Data vulnerability in Hewlett Packard Enterprise Intelligent Management Center (iMC) PLAT version 7.3 E0504P2 was found.
CWE-502 | Feb 15, 2018
CVE-2017-5792 | CVSS 9.8 CRITICAL | 2 PoCs | Analysis | EPSS 0.81
HP Intelligent Management Center - Insecure Deserialization
A Remote Code Execution vulnerability in HPE Intelligent Management Center (iMC) PLAT version 7.3 E0504P2 was found.
CWE-502 | Feb 15, 2018
CVE-2017-5790 | CVSS 9.8 CRITICAL | EPSS 0.40
HP Intelligent Management Center - Insecure Deserialization
A remote deserialization of untrusted data vulnerability in HPE Intelligent Management Center (IMC) PLAT version 7.2 E0403P06 was found.
CWE-502 | Feb 15, 2018
CVE-2017-12558 | CVSS 9.8 CRITICAL | EPSS 0.53
HP Intelligent Management Center < 7.3 - Insecure Deserialization
A Remote Code Execution vulnerability in HPE Intelligent Management Center (iMC) PLAT version IMC Plat 7.3 E0504P2 and earlier was found.
CWE-502 | Feb 15, 2018
CVE-2017-12557 | CVSS 9.8 CRITICAL | 2 PoCs | Analysis | EPSS 0.86
HP Intelligent Management Center < 7.3 - Insecure Deserialization
A Remote Code Execution vulnerability in HPE Intelligent Management Center (iMC) PLAT version IMC Plat 7.3 E0504P2 and earlier was found.
CWE-502 | Feb 15, 2018