CVE & Exploit Intelligence Database

Updated 4h ago

Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

338,223 CVEs tracked | 53,281 with exploits | 4,731 exploited in wild | 1,542 CISA KEV | 3,929 Nuclei templates | 37,826 vendors | 42,573 researchers
2,435 results
CVE-2021-32824 9.8 CRITICAL 1 PoC Analysis EPSS 0.06
Apache Dubbo <2.6.10-2.7.10 - RCE
Apache Dubbo is a Java-based, open source RPC framework. Versions prior to 2.6.10 and 2.7.10 are vulnerable to pre-auth remote code execution via arbitrary bean manipulation in the Telnet handler. The Dubbo main service port can be used to access a Telnet handler, which offers some basic methods to collect information about the providers and methods exposed by the service and can even be used to shut down the service. This endpoint is unprotected. Additionally, a provider method can be invoked using the `invoke` handler. This handler uses a safe version of FastJson to process the call arguments. However, the resulting list is later processed with `PojoUtils.realize`, which can be used to instantiate arbitrary classes and invoke their setters. Even though FastJson is properly protected with a default blocklist, `PojoUtils.realize` is not, and an attacker can leverage that to achieve remote code execution. Versions 2.6.10 and 2.7.10 contain fixes for this issue.
CWE-502 Jan 03, 2023
CVE-2022-41966 8.2 HIGH 1 PoC Analysis EPSS 0.03
Xstream < 1.4.20 - Denial of Service
XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation of the processed input stream. The attack uses the hash code implementation for collections and maps to force recursive hash calculation, causing a stack overflow. This issue is patched in version 1.4.20, which handles the stack overflow and raises an InputManipulationException instead. A potential workaround for users who only use HashMap or HashSet and whose XML refers to these only as default map or set, is to change the default implementation of java.util.Map and java.util per the code example in the referenced advisory. However, this implies that your application does not care about the implementation of the map and all elements are comparable.
CWE-502 Dec 28, 2022
CVE-2020-10650 8.1 HIGH EXPLOITED 1 Writeup EPSS 0.10
jackson-databind <2.9.10.4 - Open Redirect
A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider.
CWE-502 Dec 26, 2022
CVE-2022-41596 7.5 HIGH EPSS 0.00
System Tool - Use After Free
The system tool has inconsistent serialization and deserialization. Successful exploitation of this vulnerability will cause unauthorized startup of components.
CWE-502 Dec 20, 2022
CVE-2021-38241 9.8 CRITICAL EPSS 0.01
Ruoyi <4.6.1 - Code Injection
Deserialization issue discovered in Ruoyi before 4.6.1 allows remote attackers to run arbitrary code via weak cipher in Shiro framework.
CWE-502 Dec 16, 2022
CVE-2021-33420 9.8 CRITICAL 1 Writeup EPSS 0.02
inikulin replicator <1.0.4 - Code Injection
A deserialization issue discovered in inikulin replicator before 1.0.4 allows remote attackers to run arbitrary code via the fromSerializable function in TypedArray object.
CWE-502 Dec 15, 2022
CVE-2022-44351 9.8 CRITICAL EPSS 0.00
Skycaiji v2.5.1 - Deserialization
Skycaiji v2.5.1 was discovered to contain a deserialization vulnerability via /SkycaijiApp/admin/controller/Mystore.php.
CWE-502 Dec 07, 2022
CVE-2022-44371 9.8 CRITICAL EPSS 0.01
hope-boot 1.0.0 - RCE
hope-boot 1.0.0 has a deserialization vulnerability that can cause Remote Code Execution (RCE).
CWE-502 Dec 07, 2022
CVE-2022-32224 9.8 CRITICAL 1 PoC Analysis EPSS 0.02
Activerecord < 5.2.8.1 - Insecure Deserialization
A possible escalation to RCE vulnerability exists when using YAML serialized columns in Active Record < 7.0.3.1, < 6.1.6.1, < 6.0.5.1 and < 5.2.8.1, which could allow an attacker who can manipulate data in the database (via means like SQL injection) to escalate to an RCE.
CWE-502 Dec 05, 2022
CVE-2022-46366 9.8 CRITICAL 1 Writeup EPSS 0.04
Apache Tapestry 3.x - RCE
Apache Tapestry 3.x allows deserialization of untrusted data, leading to remote code execution. This issue is similar to but distinct from CVE-2020-17531, which applies to the (also unsupported) 4.x version line. NOTE: This vulnerability only affects Apache Tapestry version line 3.x, which is no longer supported by the maintainer. Users are recommended to upgrade to a supported version line of Apache Tapestry.
CWE-502 Dec 02, 2022
CVE-2022-1471 8.3 HIGH 5 PoCs Analysis EPSS 0.94
PyTorch Model Server Registration and Deserialization RCE
SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing YAML content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.
CWE-502 Dec 01, 2022
CVE-2022-36964 8.8 HIGH EPSS 0.03
Solarwinds Orion Platform < 2020.2.6 - Insecure Deserialization
SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with valid access to SolarWinds Web Console to execute arbitrary commands.
CWE-502 Nov 29, 2022
CVE-2022-41958 7.3 HIGH 1 Writeup EPSS 0.00
Super Xray < 0.7 - Insecure Deserialization
super-xray is a web vulnerability scanning tool. Versions prior to 0.7 assumed trusted input for the program config which is stored in a yaml file. An attacker with local access to the file could exploit this and compromise the program. This issue has been addressed in commit `4d0d5966` and will be included in future releases. Users are advised to upgrade. There are no known workarounds for this issue.
CWE-502 Nov 25, 2022
CVE-2022-41875 10.0 CRITICAL 1 Writeup EPSS 0.15
Optica <0.10.2 - RCE
A remote code execution (RCE) vulnerability in Optica allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Specially crafted JSON payloads may lead to RCE (remote code execution) on the attacked system running Optica. The vulnerability was patched in v. 0.10.2, where the call to the function `oj.load` was changed to `oj.safe_load`.
CWE-502 Nov 23, 2022
CVE-2022-41922 8.1 HIGH 1 Writeup EPSS 0.04
Yii < 1.1.27 - Insecure Deserialization
Versions of `yiisoft/yii` before 1.1.27 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. This has been patched in 1.1.27.
CWE-502 Nov 23, 2022
CVE-2022-3861 8.8 HIGH 1 Writeup EPSS 0.03
Betheme Theme <26.5.1.4 - Code Injection
The Betheme theme for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 26.5.1.4 via deserialization of untrusted input supplied via the import, mfn-items-import-page, and mfn-items-import parameters passed through the mfn_builder_import, mfn_builder_import_page, importdata, importsinglepage, and importfromclipboard functions. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject a PHP Object. The additional presence of a POP chain would make it possible for attackers to execute code, retrieve sensitive data, delete files, etc.
CWE-502 Nov 21, 2022
CVE-2022-3525 8.8 HIGH 1 Writeup EPSS 0.00
librenms/librenms <22.10.0 - Deserialization
Deserialization of Untrusted Data in GitHub repository librenms/librenms prior to 22.10.0.
CWE-502 Nov 20, 2022
CVE-2022-45077 6.3 MEDIUM EXPLOITED EPSS 0.01
Muffingroup Betheme < 26.6 - Insecure Deserialization
Auth. (subscriber+) PHP Object Injection vulnerability in Betheme theme <= 26.5.1.4 on WordPress.
CWE-502 Nov 17, 2022
CVE-2022-45047 9.8 CRITICAL 1 PoC Analysis EPSS 0.05
Apache Sshd < 2.9.1 - Insecure Deserialization
Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server.
CWE-502 Nov 16, 2022
CVE-2022-45136 9.8 CRITICAL EPSS 0.02
Apache Jena Sdb < 3.17.0 - Insecure Deserialization
Apache Jena SDB 3.17.0 and earlier is vulnerable to a JDBC Deserialisation attack if the attacker is able to control the JDBC URL used or cause the underlying database server to return malicious data. The MySQL JDBC driver in particular is known to be vulnerable to this class of attack. As a result, an application using Apache Jena SDB can be subject to RCE when connected to a malicious database server. Apache Jena SDB has been EOL since December 2020 and users should migrate to alternative options, e.g. Apache Jena TDB 2.
CWE-502 Nov 14, 2022