Total
2136 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-33728 | 1 Siemens | 1 Sinec Nms | 2024-11-21 | 7.2 High |
| A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). The affected system allows to upload JSON objects that are deserialized to JAVA objects. Due to insecure deserialization of user-supplied content by the affected software, a privileged attacker could exploit this vulnerability by sending a crafted serialized Java object. An exploit could allow the attacker to execute arbitrary code on the device with root privileges. | ||||
| CVE-2021-33207 | 1 Softwareag | 1 Mashzone Nextgen | 2024-11-21 | 9.8 Critical |
| The HTTP client in MashZone NextGen through 10.7 GA deserializes untrusted data when it gets an HTTP response with a 570 status code. | ||||
| CVE-2021-33176 | 1 Octavolabs | 1 Vernemq | 2024-11-21 | 7.5 High |
| VerneMQ MQTT Broker versions prior to 1.12.0 are vulnerable to a denial of service attack as a result of excessive memory consumption due to the handling of untrusted inputs. These inputs cause the message broker to consume large amounts of memory, resulting in the application being terminated by the operating system. | ||||
| CVE-2021-33175 | 1 Emqx | 1 Emq X Broker | 2024-11-21 | 7.5 High |
| EMQ X Broker versions prior to 4.2.8 are vulnerable to a denial of service attack as a result of excessive memory consumption due to the handling of untrusted inputs. These inputs cause the message broker to consume large amounts of memory, resulting in the application being terminated by the operating system. | ||||
| CVE-2021-33036 | 1 Apache | 1 Hadoop | 2024-11-21 | 8.8 High |
| In Apache Hadoop 2.2.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.2, and 3.3.0 to 3.3.1, a user who can escalate to yarn user can possibly run arbitrary commands as root user. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher. | ||||
| CVE-2021-33026 | 1 Flask-caching Project | 1 Flask-caching | 2024-11-21 | 9.8 Critical |
| The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code. NOTE: a third party indicates that exploitation is extremely unlikely unless the machine is already compromised; in other cases, the attacker would be unable to write their payload to the cache and generate the required collision | ||||
| CVE-2021-32836 | 1 Zstack | 1 Zstack | 2024-11-21 | 7.5 High |
| ZStack is open source IaaS(infrastructure as a service) software. In ZStack before versions 3.10.12 and 4.1.6 there is a pre-auth unsafe deserialization vulnerability in the REST API. An attacker in control of the request body will be able to provide both the class name and the data to be deserialized and therefore will be able to instantiate an arbitrary type and assign arbitrary values to its fields. This issue may lead to a Denial Of Service. If a suitable gadget is available, then an attacker may also be able to exploit this vulnerability to gain pre-auth remote code execution. For additional details see the referenced GHSL-2021-087. | ||||
| CVE-2021-32742 | 1 Vapor Project | 1 Vapor | 2024-11-21 | 7.5 High |
| Vapor is a web framework for Swift. In versions 4.47.1 and prior, bug in the `Data.init(base32Encoded:)` function opens up the potential for exposing server memory and/or crashing the server (Denial of Service) for applications where untrusted data can end up in said function. Vapor does not currently use this function itself so this only impact applications that use the impacted function directly or through other dependencies. The vulnerability is patched in version 4.47.2. As a workaround, one may use an alternative to Vapor's built-in `Data.init(base32Encoded:)`. | ||||
| CVE-2021-32634 | 1 Nsa | 1 Emissary | 2024-11-21 | 7.2 High |
| Emissary is a distributed, peer-to-peer, data-driven workflow framework. Emissary 6.4.0 is vulnerable to Unsafe Deserialization of post-authenticated requests to the [`WorkSpaceClientEnqueue.action`](https://github.com/NationalSecurityAgency/emissary/blob/30c54ef16c6eb6ed09604a929939fb9f66868382/src/main/java/emissary/server/mvc/internal/WorkSpaceClientEnqueueAction.java) REST endpoint. This issue may lead to post-auth Remote Code Execution. This issue has been patched in version 6.5.0. As a workaround, one can disable network access to Emissary from untrusted sources. | ||||
| CVE-2021-32568 | 1 Mrdoc | 1 Mrdoc | 2024-11-21 | 7.8 High |
| mrdoc is vulnerable to Deserialization of Untrusted Data | ||||
| CVE-2021-32098 | 1 Artica | 1 Pandora Fms | 2024-11-21 | 9.8 Critical |
| Artica Pandora FMS 742 allows unauthenticated attackers to perform Phar deserialization. | ||||
| CVE-2021-32075 | 1 Re-logic | 1 Terraria | 2024-11-21 | 9.8 Critical |
| Re-Logic Terraria before 1.4.2.3 performs Insecure Deserialization. | ||||
| CVE-2021-31819 | 1 Octopus | 1 Halibut | 2024-11-21 | 9.8 Critical |
| In Halibut versions prior to 4.4.7 there is a deserialisation vulnerability that could allow remote code execution on systems that already trust each other based on certificate verification. | ||||
| CVE-2021-31681 | 1 Ultralytics | 1 Yolov3 | 2024-11-21 | 7.8 High |
| Deserialization of Untrusted Data vulnerability in yolo 3 allows attackers to execute arbitrary code via crafted yaml file. | ||||
| CVE-2021-31680 | 1 Ultralytics | 1 Yolov5 | 2024-11-21 | 7.8 High |
| Deserialization of Untrusted Data vulnerability in yolo 5 allows attackers to execute arbitrary code via crafted yaml file. | ||||
| CVE-2021-31649 | 1 Jfinal | 1 Jfinal | 2024-11-21 | 9.8 Critical |
| In applications using jfinal 4.9.08 and below, there is a deserialization vulnerability when using redis,may be vulnerable to remote code execute | ||||
| CVE-2021-31474 | 1 Solarwinds | 1 Network Performance Monitor | 2024-11-21 | 9.8 Critical |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Network Performance Monitor 2020.2.1. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SolarWinds.Serialization library. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-12213. | ||||
| CVE-2021-30179 | 1 Apache | 1 Dubbo | 2024-11-21 | 9.8 Critical |
| Apache Dubbo prior to 2.6.9 and 2.7.9 by default supports generic calls to arbitrary methods exposed by provider interfaces. These invocations are handled by the GenericFilter which will find the service and method specified in the first arguments of the invocation and use the Java Reflection API to make the final call. The signature for the $invoke or $invokeAsync methods is Ljava/lang/String;[Ljava/lang/String;[Ljava/lang/Object; where the first argument is the name of the method to invoke, the second one is an array with the parameter types for the method being invoked and the third one is an array with the actual call arguments. In addition, the caller also needs to set an RPC attachment specifying that the call is a generic call and how to decode the arguments. The possible values are: - true - raw.return - nativejava - bean - protobuf-json An attacker can control this RPC attachment and set it to nativejava to force the java deserialization of the byte array located in the third argument. | ||||
| CVE-2021-30128 | 1 Apache | 1 Ofbiz | 2024-11-21 | 9.8 Critical |
| Apache OFBiz has unsafe deserialization prior to 17.12.07 version | ||||
| CVE-2021-29781 | 2 Ibm, Linux | 2 Partner Engagement Manager, Linux Kernel | 2024-11-21 | 9.8 Critical |
| IBM Partner Engagement Manager 2.0 could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw. By sending specially-crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 203091. | ||||