CVSS: 7.5EPSS: 76%CPEs: 72EXPL: 1CVE-2021-4104 – Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2
https://notcve.org/view.php?id=CVE-2021-4104
14 Dec 2021 — JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in Au... • https://github.com/cckuailong/log4shell_1.x • CWE-20: Improper Input Validation CWE-502: Deserialization of Untrusted Data •
CVSS: 8.1EPSS: 2%CPEs: 37EXPL: 1CVE-2020-24750 – jackson-databind: Serialization gadgets in com.pastdev.httpcomponents.configuration.JndiConfiguration
https://notcve.org/view.php?id=CVE-2020-24750
17 Sep 2020 — FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration. FasterXML jackson-databind versiones 2.x anteriores a 2.9.10.6, maneja inapropiadamente la interacción entre los gadgets de serialización y la escritura, relacionada con com.pastdev.httpcomponents.configuration.JndiConfiguration A flaw was found in jackson-databind 2.x in versions prior to 2.9.10.6. The interaction between ... • https://github.com/Al1ex/CVE-2020-24750 • CWE-502: Deserialization of Untrusted Data •
CVSS: 8.1EPSS: 3%CPEs: 33EXPL: 1CVE-2020-24616
https://notcve.org/view.php?id=CVE-2020-24616
25 Aug 2020 — FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP). FasterXML jackson-databind versiones 2.x anteriores a 2.9.10.6, maneja inapropiadamente la interacción entre los dispositivos de serialización y la escritura, relacionada con br.com.anteros.dbcp.AnterosDBCPDataSource (también se conoce como Anteros-DBCP) • https://github.com/0xkami/cve-2020-24616-poc • CWE-502: Deserialization of Untrusted Data •
CVSS: 8.1EPSS: 9%CPEs: 21EXPL: 1CVE-2020-14195 – jackson-databind: serialization in org.jsecurity.realm.jndi.JndiRealmFactory
https://notcve.org/view.php?id=CVE-2020-14195
16 Jun 2020 — FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity). FasterXML jackson-databind versiones 2.x anteriores a 2.9.10.5, maneja inapropiadamente la interacción entre los gadgets de serialización y escritura, relacionada con org.jsecurity.realm.jndi.JndiRealmFactory (también se conoce como org.jsecurity) A flaw was found in jackson-databind 2.x in versions prior to 2.9.10.5. Fa... • https://github.com/Al1ex/CVE-2020-14195 • CWE-502: Deserialization of Untrusted Data •
CVSS: 8.1EPSS: 6%CPEs: 22EXPL: 0CVE-2020-14061 – jackson-databind: serialization in weblogic/oracle-aqjms
https://notcve.org/view.php?id=CVE-2020-14061
14 Jun 2020 — FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms). FasterXML jackson-databind versiones 2.x anteriores a 2.9.10.5, maneja incorrectamente la interacción entre los gadgets de serialización y la escritura,... • https://github.com/FasterXML/jackson-databind/issues/2698 • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.0EPSS: 93%CPEs: 77EXPL: 19CVE-2020-9484 – tomcat: deserialization flaw in session persistence storage leading to RCE
https://notcve.org/view.php?id=CVE-2020-9484
20 May 2020 — When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d)... • https://packetstorm.news/files/id/157924 • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.5EPSS: 7%CPEs: 27EXPL: 1CVE-2020-11655 – Gentoo Linux Security Advisory 202007-26
https://notcve.org/view.php?id=CVE-2020-11655
09 Apr 2020 — SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object's initialization is mishandled. SQLite versiones hasta 3.31.1, permite a atacantes causar una denegación de servicio (fallo de segmentación) por medio de una consulta de una función de window malformada porque la inicialización el objeto AggInfo es manejada inapropiadamente. It was discovered that SQLite incorrectly handled certain corrupted schemas. An at... • https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf • CWE-665: Improper Initialization •
CVSS: 8.1EPSS: 2%CPEs: 31EXPL: 0CVE-2020-11620 – jackson-databind: Serialization gadgets in commons-jelly:commons-jelly
https://notcve.org/view.php?id=CVE-2020-11620
07 Apr 2020 — FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly). FasterXML jackson-databind versiones 2.x anteriores a 2.9.10.4, maneja inapropiadamente la interacción entre los gadgets de serialización y la escritura, relacionada con el componente org.apache.commons.jelly.impl.Embedded (también se conoce como commons-jelly). A flaw was found in jackson-databind 2.x. The interaction betw... • https://github.com/FasterXML/jackson-databind/issues/2682 • CWE-502: Deserialization of Untrusted Data •
CVSS: 8.1EPSS: 1%CPEs: 35EXPL: 0CVE-2020-11619 – jackson-databind: Serialization gadgets in org.springframework:spring-aop
https://notcve.org/view.php?id=CVE-2020-11619
07 Apr 2020 — FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop). FasterXML jackson-databind versiones 2.x anteriores a 2.9.10.4, maneja inapropiadamente la interacción entre los gadgets de serialización y la escritura, relacionada con el componente org.springframework.aop.config.MethodLocatingFactoryBean (también se conoce como spring-aop). A flaw was found in jackson-data... • https://github.com/FasterXML/jackson-databind/issues/2680 • CWE-502: Deserialization of Untrusted Data •
CVSS: 8.8EPSS: 2%CPEs: 42EXPL: 0CVE-2020-11111 – jackson-databind: Serialization gadgets in org.apache.activemq.jms.pool.XaPooledConnectionFactory
https://notcve.org/view.php?id=CVE-2020-11111
31 Mar 2020 — FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms). FasterXML jackson-databind versiones 2.x anteriores a 2.9.10.4, maneja inapropiadamente la interacción entre los gadgets de serialización y la escritura, relacionado con org.apache.activemq.* (también se conoce como activemq-jms, activemq-core, activemq-pool, y activemq-pool-jms). A flaw w... • https://github.com/FasterXML/jackson-databind/issues/2664 • CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') CWE-502: Deserialization of Untrusted Data •