Total
2059 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-38650 | 1 Vmware | 1 Hyperic Server | 2024-11-21 | 10.0 Critical |
| A remote unauthenticated insecure deserialization vulnerability exists in VMware Hyperic Server 5.8.6. Exploitation of this vulnerability enables a malicious party to run arbitrary code or malware within Hyperic Server and the host operating system with the privileges of the Hyperic server process. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2022-38352 | 1 Thinkphp | 1 Thinkphp | 2024-11-21 | 9.8 Critical |
| ThinkPHP v6.0.13 was discovered to contain a deserialization vulnerability via the component League\Flysystem\Cached\Storage\Psr6Cache. This vulnerability allows attackers to execute arbitrary code via a crafted payload. | ||||
| CVE-2022-37023 | 1 Apache | 1 Geode | 2024-11-21 | 6.5 Medium |
| Apache Geode versions prior to 1.15.0 are vulnerable to a deserialization of untrusted data flaw when using REST API on Java 8 or Java 11. Any user wishing to protect against deserialization attacks involving REST APIs should upgrade to Apache Geode 1.15 and follow the documentation for details on enabling "validate-serializable-objects=true" and specifying any user classes that may be serialized/deserialized with "serializable-object-filter". Enabling "validate-serializable-objects" may impact performance. | ||||
| CVE-2022-37022 | 1 Apache | 1 Geode | 2024-11-21 | 8.8 High |
| Apache Geode versions up to 1.12.2 and 1.13.2 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 11. Any user wishing to protect against deserialization attacks involving JMX or RMI should upgrade to Apache Geode 1.15. Use of 1.15 on Java 11 will automatically protect JMX over RMI against deserialization attacks. This should have no impact on performance since it only affects JMX/RMI which Gfsh uses to communicate with the JMX Manager which is hosted on a Locator. | ||||
| CVE-2022-37021 | 1 Apache | 1 Geode | 2024-11-21 | 9.8 Critical |
| Apache Geode versions up to 1.12.5, 1.13.4 and 1.14.0 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 8. Any user still on Java 8 who wishes to protect against deserialization attacks involving JMX or RMI should upgrade to Apache Geode 1.15 and Java 11. If upgrading to Java 11 is not possible, then upgrade to Apache Geode 1.15 and specify "--J=-Dgeode.enableGlobalSerialFilter=true" when starting any Locators or Servers. Follow the documentation for details on specifying any user classes that may be serialized/deserialized with the "serializable-object-filter" configuration option. Using a global serial filter will impact performance. | ||||
| CVE-2022-36119 | 1 Ssctech | 1 Blue Prism | 2024-11-21 | 8.8 High |
| An issue was discovered in Blue Prism Enterprise 6.0 through 7.01. In a misconfigured environment that exposes the Blue Prism Application server, it is possible for a domain authenticated user to send a crafted message to the Blue Prism Server and accomplish a remote code execution attack that is possible because of insecure deserialization. Exploitation of this vulnerability allows for code to be executed in the context of the Blue Prism Server service. | ||||
| CVE-2022-35872 | 1 Inductiveautomation | 1 Ignition | 2024-11-21 | 7.8 High |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition 8.1.15 (b2022030114). User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of ZIP files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-17115. | ||||
| CVE-2022-35870 | 1 Inductiveautomation | 1 Ignition | 2024-11-21 | 7.8 High |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition 8.1.15 (b2022030114). Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within com.inductiveautomation.metro.impl. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-17265. | ||||
| CVE-2022-35223 | 1 Easyuse | 1 Mailhunter Ultimate | 2024-11-21 | 9.8 Critical |
| EasyUse MailHunter Ultimate’s cookie deserialization function has an inadequate validation vulnerability. Deserializing a cookie containing malicious payload will trigger this insecure deserialization vulnerability, allowing an unauthenticated remote attacker to execute arbitrary code, manipulate system command or interrupt service. | ||||
| CVE-2022-34668 | 1 Nvidia | 1 Nvflare | 2024-11-21 | 9.8 Critical |
| NVFLARE, versions prior to 2.1.4, contains a vulnerability that deserialization of Untrusted Data due to Pickle usage may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of Service, and Impact to both Confidentiality and Integrity. | ||||
| CVE-2022-34268 | 1 Rws | 1 Worldserver | 2024-11-21 | 9.8 Critical |
| An issue was discovered in RWS WorldServer before 11.7.3. /clientLogin deserializes Java objects without authentication, leading to command execution on the host. | ||||
| CVE-2022-33947 | 1 F5 | 1 Big-ip Domain Name System | 2024-11-21 | 5.4 Medium |
| In BIG-IP Versions 16.1.x before 16.1.3, 15.1.x before 15.1.6.1, 14.1.x before 14.1.5, and all versions of 13.1.x, a vulnerability exists in undisclosed pages of the BIG-IP DNS Traffic Management User Interface (TMUI) that allows an authenticated attacker with at least operator role privileges to cause the Tomcat process to restart and perform unauthorized DNS requests and operations through undisclosed requests. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | ||||
| CVE-2022-33320 | 2 Iconics, Mitsubishielectric | 2 Genesis64, Mc Works64 | 2024-11-21 | 7.8 High |
| Deserialization of Untrusted Data vulnerability in ICONICS GENESIS64 versions 10.97.1 and prior and Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior allows an unauthenticated attacker to execute an arbitrary malicious code by leading a user to load a project configuration file including malicious XML codes. | ||||
| CVE-2022-33318 | 2 Iconics, Mitsubishielectric | 2 Genesis64, Mc Works64 | 2024-11-21 | 9.8 Critical |
| Deserialization of Untrusted Data vulnerability in ICONICS GENESIS64 versions 10.97.1 and prior and Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior allows a remote unauthenticated attacker to execute an arbitrary malicious code by sending specially crafted packets to the GENESIS64 server. | ||||
| CVE-2022-33316 | 2 Iconics, Mitsubishielectric | 2 Genesis64, Mc Works64 | 2024-11-21 | 7.8 High |
| Deserialization of Untrusted Data vulnerability in ICONICS GENESIS64 versions 10.97.1 and prior and Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior allows an unauthenticated attacker to execute an arbitrary malicious code by leading a user to load a monitoring screen file including malicious XAML codes. | ||||
| CVE-2022-33315 | 2 Iconics, Mitsubishielectric | 2 Genesis64, Mc Works64 | 2024-11-21 | 7.8 High |
| Deserialization of Untrusted Data vulnerability in ICONICS GENESIS64 versions 10.97.1 and prior and Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior allows an unauthenticated attacker to execute an arbitrary malicious code by leading a user to load a monitoring screen file including malicious XAML codes. | ||||
| CVE-2022-33107 | 1 Thinkphp | 1 Thinkphp | 2024-11-21 | 9.8 Critical |
| ThinkPHP v6.0.12 was discovered to contain a deserialization vulnerability via the component vendor\league\flysystem-cached-adapter\src\Storage\AbstractCache.php. This vulnerability allows attackers to execute arbitrary code via a crafted payload. | ||||
| CVE-2022-31680 | 1 Vmware | 1 Vcenter Server | 2024-11-21 | 9.1 Critical |
| The vCenter Server contains an unsafe deserialisation vulnerability in the PSC (Platform services controller). A malicious actor with admin access on vCenter server may exploit this issue to execute arbitrary code on the underlying operating system that hosts the vCenter Server. | ||||
| CVE-2022-31605 | 1 Nvidia | 1 Nvflare | 2024-11-21 | 9.8 Critical |
| NVFLARE, versions prior to 2.1.2, contains a vulnerability in its utils module, where YAML files are loaded via yaml.load() instead of yaml.safe_load(). The deserialization of Untrusted Data, may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of Service, and Impact to both Confidentiality and Integrity. | ||||
| CVE-2022-31604 | 1 Nvidia | 1 Nvflare | 2024-11-21 | 9.8 Critical |
| NVFLARE, versions prior to 2.1.2, contains a vulnerability in its PKI implementation module, where The CA credentials are transported via pickle and no safe deserialization. The deserialization of Untrusted Data may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of Service, and Impact to both Confidentiality and Integrity. | ||||