CWE-502

Exploit likelihood: Medium

Deserialization of Untrusted Data

Parent: CWE-913 - Improper Control of Dynamically-Managed Code Resources

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

2,844 vulnerabilities with CWE-502
CVE ID           Severity        CVSS  Description
CVE-2018-19361   CRITICAL        9.8   FasterXML jackson-databind <2.9.8 - Deserialization
CVE-2018-19360   CRITICAL        9.8   FasterXML jackson-databind <2.9.8 - Code Injection
CVE-2018-14720   CRITICAL        9.8   FasterXML jackson-databind 2.6.0-2.6.7.1 - XML External Entity Injection via Polymorphic Deserialization
CVE-2018-14719   CRITICAL        9.8   FasterXML jackson-databind 2.0.0-2.6.7.2 - Remote Code Execution via BlazeDS Polymorphic Deserialization
CVE-2018-14718   CRITICAL        9.8   FasterXML Jackson <2.9.7 - Code Injection
CVE-2018-6331    CRITICAL        9.8   Buck < 2018.06.25.01 - Remote Code Execution via Java Deserialization
CVE-2018-1000888 HIGH            8.8   PEAR Archive_Tar <1.4.3 - Code Injection
CVE-2018-1000833 CRITICAL        9.8   ZoneMinder <=1.32.2 - Info Disclosure, DoS, SSRF, RCE
CVE-2018-1000832 CRITICAL        9.8   ZoneMinder <=1.32.2 - Info Disclosure, DoS, SSRF, RCE
CVE-2018-1000827 CRITICAL        9.8   Ubilling <= 0.9.2 - Info Disclosure, DoS, SSRF, RCE
CVE-2018-1000824 CRITICAL        9.8   MegaMek < 0.45.1 - Remote Code Execution
CVE-2018-20148   CRITICAL        9.8   WordPress <4.9.9, 5.x <5.0.1 - Code Injection
CVE-2018-1904    HIGH            8.1   IBM WebSphere Application Server <9.0 - RCE
CVE-2018-1000861 CRITICAL (KEV)  9.8   Jenkins < 2.138.3 and < 2.153 - Remote Code Execution via Stapler Framework URL Invocation
CVE-2018-16476   HIGH            7.5   Rails < 4.2.11 - Improper Access Control
CVE-2018-18987   HIGH            8.8   VT-Designer 2.1.7.31 - Deserialization of Untrusted Data
CVE-2018-19499   HIGH            7.2   Vanilla < 2.5.5 and 2.6.x < 2.6.2 - Authenticated Remote Code Execution via Unserialize in Gdn_Format
CVE-2018-19396   HIGH            7.5   PHP 5.0.0-7.1.24 - Denial of Service via Unserialize Call for com, dotnet, or variant Class
CVE-2018-19274   HIGH            7.2   phpBB < 3.2.4 - Authenticated Remote Code Execution via Phar Deserialization
CVE-2018-19296   HIGH            8.8   PHPMailer <5.2.27, <6.0.6 - Code Injection
CVE-2018-15381   CRITICAL        9.8   Cisco Unity Express - Use After Free
CVE-2018-8021    CRITICAL        9.8   Apache Superset < 0.23 - Remote Code Execution via Pickle Deserialization
CVE-2018-1851    HIGH            7.3   IBM WebSphere Liberty < 18.0.0.3 - RCE via OpenID Connect Deserialization
CVE-2018-15686   HIGH            7.8   Canonical Ubuntu Linux < 239 - Insecure Deserialization
CVE-2018-18013   HIGH            7.8   Citrix XenMobile Server < 10.8.0 - Unauthenticated Remote Code Execution via Java Deserialization