Common Weakness Enumeration

CWE-502

Allowed

Deserialization of Untrusted Data

Abstraction: Base · Status: Draft

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

4801 vulnerabilities reference this CWE, most recent first.

GHSA-JFH9-JWF2-W35R

Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2022-05-13 01:38
VLAI
Details

The PHP form code generated by PHP FormMail Generator deserializes untrusted input as part of the phpfmg_filman_download() function. A remote unauthenticated attacker may be able to use this vulnerability to inject PHP code, or along with CVE-2016-9484 to perform local file inclusion attacks and obtain files from the server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-9483"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-07-13T20:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "The PHP form code generated by PHP FormMail Generator deserializes untrusted input as part of the phpfmg_filman_download() function. A remote unauthenticated attacker may be able to use this vulnerability to inject PHP code, or along with CVE-2016-9484 to perform local file inclusion attacks and obtain files from the server.",
  "id": "GHSA-jfh9-jwf2-w35r",
  "modified": "2022-05-13T01:38:31Z",
  "published": "2022-05-13T01:38:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9483"
    },
    {
      "type": "WEB",
      "url": "https://www.kb.cert.org/vuls/id/494015"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/94778"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JFVP-PW77-78H3

Vulnerability from github – Published: 2026-05-14 06:31 – Updated: 2026-05-14 06:31
VLAI
Details

GitLab has remediated an issue in GitLab EE affecting all versions from 11.9 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to cause denial of service by uploading a specially crafted file due to improper validation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-1184"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-14T06:16:21Z",
    "severity": "MODERATE"
  },
  "details": "GitLab has remediated an issue in GitLab EE affecting all versions from 11.9 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to cause denial of service by uploading a specially crafted file due to improper validation.",
  "id": "GHSA-jfvp-pw77-78h3",
  "modified": "2026-05-14T06:31:33Z",
  "published": "2026-05-14T06:31:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1184"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/3515842"
    },
    {
      "type": "WEB",
      "url": "https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/586634"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JG22-MG44-37J8

Vulnerability from github – Published: 2026-06-03 20:56 – Updated: 2026-06-03 20:56
VLAI
Summary
AIOHTTP is Vulnerable to Deserialization of Untrusted Data
Details

Summary

Using CookieJar.load() with untrusted input may allow arbitrary code execution.

Impact

Most applications using this function will be doing so with the user's own data, so this is unlikely to affect many applications.

Workaround

If an application does allow attacker controlled files to be loaded, a workaround on older releases would be to sanitise the files before loading.


Patch: https://github.com/aio-libs/aiohttp/commit/dcf40f30637e8752c76781cf6703b5a236749a00

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "aiohttp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.14.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34993"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-03T20:56:54Z",
    "nvd_published_at": "2026-06-02T20:16:34Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nUsing ``CookieJar.load()`` with untrusted input may allow arbitrary code execution.\n\n### Impact\n\nMost applications using this function will be doing so with the user\u0027s own data, so this is unlikely to affect many applications.\n\n### Workaround\n\nIf an application does allow attacker controlled files to be loaded, a workaround on older releases would be to sanitise the files before loading.\n\n-----\n\nPatch: https://github.com/aio-libs/aiohttp/commit/dcf40f30637e8752c76781cf6703b5a236749a00",
  "id": "GHSA-jg22-mg44-37j8",
  "modified": "2026-06-03T20:56:54Z",
  "published": "2026-06-03T20:56:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jg22-mg44-37j8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34993"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aio-libs/aiohttp/commit/dcf40f30637e8752c76781cf6703b5a236749a00"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/aio-libs/aiohttp"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AIOHTTP is Vulnerable to Deserialization of Untrusted Data"
}

GHSA-JG6F-48FF-5XRW

Vulnerability from github – Published: 2025-02-28 17:46 – Updated: 2025-02-28 17:46
VLAI
Summary
IBC-Go has Non-deterministic JSON Unmarshalling of IBC Acknowledgement
Details

Name: ASA-2025-004: Non-deterministic JSON Unmarshalling of IBC Acknowledgement can result in a chain halt Component: IBC-Go Criticality: Critical (Considerable Impact; Almost Certain Likelihood per ACMv1.2) Affected versions: IBC-Go >= v7; Earlier IBC-Go versions may also be affected. Affected users: Validators, Full nodes, IBC Middleware authors

Description

An issue was discovered in IBC-Go's deserialization of acknowledgements that results in non-deterministic behavior which can halt a chain. Any user that can open an IBC channel can introduce this state to the chain

Patches

The new IBC-Go releases below address this issue:

Workarounds

To prevent this state from being introduced to a chain, it is possible to permission Channel Opening as a workaround.

Notes on Re-Release

Is this state breaking? Probably not but it depends on your transfer middlewares

This patch is not state breaking unless you depend on transfer middlewares that deserialize and serialize acknowledgement packets before passing them to the transfer handler. As far as we can tell, these middlewares are rare. For example, packet-forward-middleware and ibc-hooks, do not serialize ack packets in this way and therefore aren't broken by this patch. So if these are the only transfer middlewares you depend on, you can safely apply this patch in a rolling manner (and we've already cut new versions of these for you).

What to do if you do depend on ack-serializing middleware

In the unlikely case that you depend on middlewares that serialize ack packets and you do not update them when you apply this patch, all transfers that are handled by the middleware will fail (or experience other unexpected behavior) if the serialization approach differs from the transfer app's. If you have such dependencies and do not update them, validators who apply the patch in a rolling manner will halt when they upgrade, and transfers processed by the middleware will just fail once everyone has upgraded.

To update these middlewares and avoid failing transfers or a chain halt, you will simply need to change the serialization approach in the middleware to use ibc-go's codec: transfertypes.ModuleCdc.[Must]MarshalJSON, rather than whatever you're doing today. For example:

import transfertypes "github.com/cosmos/ibc-go/v10/modules/apps/transfer/types"
transfertypes.ModuleCdc.[Must]MarshalJSON
func MarshalAsIBCDoes(ack channeltypes.Acknowledgement) ([]byte, error) {
    return transfertypes.ModuleCdc.MarshalJSON(&ack)
}

When you do make a change to the serialization approach, this will make the patch state breaking and you will need a coordinated upgrade. So for absolute clarity: chains with these ack-serializing middlewares must do coordinated upgrades

Why we retracted the earlier patch in favor of this approach

We retracted the releases of ibc-go we cut earlier today because these broke all transfer middlewares that deserialized then re-serialized receive packets differently than the transfer app. It turned out that this was a common pattern (unlike serializing/deserializing ack packets), so widely used middlewares, including packet-forward-middleware, broke unexpectedly.

In the new set of patches, we removed this constraint on how middlewares serialize receive packets, preventing this breakage. Only the serialization requirement on acknowledgement packets remains. This is convenient because this is the only constraint we had to add to fix the vulnerability, and middlewares that deserialize and serialize ack packets are much less common than ones that do so for receive packets. The constraint on receive packets was added for defense in depth.

Testing we have done to gain more confidence in this release

  • In addition to testing ibc-go, we also did the following:
  • Tested pfm v7 and v8 after bumping dependencies
  • Tested ibc-hooks v7 and v8 after bumping dependencies
  • Ran a patched node on mainnet on the cosmos hub and triggered failing and successful transactions that used PFM
  • Ran a patched node on osmosis and triggered failing and successful transactions that used ibc-hooks This is a more thorough process than before, so we have higher confidence.

Timeline

  • February 18, 2025, 4:54am PST: Issue reported to the Cosmos Bug Bounty program
  • February 18, 2025, 6:56am PST: Issue triaged by Amulet on-call, and distributed to Core team
  • February 18, 2025, 8:15am PST: Core team completes validation of issue
  • February 25, 2025, 8:00am PST / 17:00 CET: Pre-notification delivered
  • February 27, 2025, 8:00am PST / 17:00 CET: Patch made available
  • February 27, 2025, 1:00pm PST: Patch re-release made available

This issue was reported to the Cosmos Bug Bounty Program by swelf19 on HackerOne on February 18, 2025. If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.

If you have questions about Interchain security efforts, please reach out to our official communication channel at security@interchain.io. For more information about the Interchain Foundation’s engagement with Amulet, and to sign up for security notification emails, please see https://github.com/interchainio/security.

A Github Security Advisory for this issue is available in the IBC-Go repository.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 7.9.2"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cosmos/ibc-go"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 7.9.2"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cosmos/ibc-go/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 7.9.2"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cosmos/ibc-go/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 7.9.2"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cosmos/ibc-go/v4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 7.9.2"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cosmos/ibc-go/v5"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 7.9.2"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cosmos/ibc-go/v6"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cosmos/ibc-go/v7"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.9.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cosmos/ibc-go/v8"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-28T17:46:04Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "Name: ASA-2025-004: Non-deterministic JSON Unmarshalling of IBC Acknowledgement can result in a chain halt\nComponent: IBC-Go\nCriticality: Critical (Considerable Impact; Almost Certain Likelihood per [ACMv1.2](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md))\nAffected versions: IBC-Go \u003e= v7; Earlier IBC-Go versions may also be affected.\nAffected users: Validators, Full nodes, IBC Middleware authors\n\n### Description\n\nAn issue was discovered in IBC-Go\u0027s deserialization of acknowledgements that results in non-deterministic behavior which can halt a chain. Any user that can open an IBC channel can introduce this state to the chain\n\n### Patches\n\nThe new IBC-Go releases below address this issue:\n\n* [v7.9.2](https://github.com/cosmos/ibc-go/releases/tag/v7.9.2)\n* [v8.6.1](https://github.com/cosmos/ibc-go/releases/tag/v8.6.1)\n\n### Workarounds\n\nTo prevent this state from being introduced to a chain, it is possible to permission Channel Opening as a workaround.\n\n### Notes on Re-Release\n\n#### Is this state breaking? Probably not but it depends on your transfer middlewares\n\nThis patch is not state breaking unless you depend on transfer middlewares that deserialize and serialize acknowledgement packets before passing them to the transfer handler.  As far as we can tell, these middlewares are rare. For example, packet-forward-middleware and ibc-hooks, do not serialize ack packets in this way and therefore aren\u0027t broken by this patch. So if these are the only transfer middlewares you depend on, you can safely apply this patch in a rolling manner (and we\u0027ve already cut new versions of these for you).\n\n#### What to do if you do depend on ack-serializing middleware\n\nIn the unlikely case that you depend on middlewares that serialize ack packets and you do not update them when you apply this patch, all transfers that are handled by the middleware will fail (or experience other unexpected behavior) if the serialization approach differs from the transfer app\u0027s. If you have such dependencies and do not update them, validators who apply the patch in a rolling manner will halt when they upgrade, and transfers processed by the middleware will just fail once everyone has upgraded.\n\nTo update these middlewares and avoid failing transfers or a chain halt, you will simply need to change the serialization approach in the middleware to use ibc-go\u0027s codec: `transfertypes.ModuleCdc.[Must]MarshalJSON`, rather than whatever you\u0027re doing today.  For example:\n\n```\nimport transfertypes \"github.com/cosmos/ibc-go/v10/modules/apps/transfer/types\"\ntransfertypes.ModuleCdc.[Must]MarshalJSON\nfunc MarshalAsIBCDoes(ack channeltypes.Acknowledgement) ([]byte, error) {\n\treturn transfertypes.ModuleCdc.MarshalJSON(\u0026ack)\n}\n```\nWhen you do make a change to the serialization approach, this will make the patch state breaking and you will need a coordinated upgrade. So for absolute clarity: chains with these ack-serializing middlewares must do coordinated upgrades\n\n#### Why we retracted the earlier patch in favor of this approach\nWe retracted the releases of ibc-go we cut earlier today because these broke all transfer middlewares that deserialized then re-serialized receive packets differently than the transfer app. It turned out that this was a common pattern (unlike serializing/deserializing ack packets), so widely used middlewares, including packet-forward-middleware, broke unexpectedly.\n\nIn the new set of patches, we removed this constraint on how middlewares serialize receive packets, preventing this breakage. Only the serialization requirement on acknowledgement packets remains. This is convenient because this is the only constraint we had to add to fix the vulnerability, and middlewares that deserialize and serialize ack packets are much less common than ones that do so for receive packets. The constraint on receive packets was added for defense in depth.\n\n#### Testing we have done to gain more confidence in this release\n* In addition to testing ibc-go, we also did the following:\n* Tested pfm v7 and v8 after bumping dependencies\n* Tested ibc-hooks v7 and v8 after bumping dependencies\n* Ran a patched node on mainnet on the cosmos hub and triggered failing and successful transactions that used PFM\n* Ran a patched node on osmosis and triggered failing and successful transactions that used ibc-hooks\nThis is a more thorough process than before, so we have higher confidence.\n\n### Timeline\n\n* February 18, 2025, 4:54am PST: Issue reported to the Cosmos Bug Bounty program\n* February 18, 2025, 6:56am PST: Issue triaged by Amulet on-call, and distributed to Core team\n* February 18, 2025, 8:15am PST: Core team completes validation of issue\n* February 25, 2025, 8:00am PST / 17:00 CET: Pre-notification delivered\n* February 27, 2025, 8:00am PST / 17:00 CET: Patch made available\n* February 27, 2025, 1:00pm PST: Patch re-release made available\n\nThis issue was reported to the Cosmos Bug Bounty Program by swelf19 on HackerOne on February 18, 2025. If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.\n\nIf you have questions about Interchain security efforts, please reach out to our official communication channel at [security@interchain.io](mailto:security@interchain.io). For more information about the Interchain Foundation\u2019s engagement with Amulet, and to sign up for security notification emails, please see https://github.com/interchainio/security.  \n\nA Github Security Advisory for this issue is available in the IBC-Go [repository](https://github.com/cosmos/ibc-go/security/advisories/GHSA-jg6f-48ff-5xrw).",
  "id": "GHSA-jg6f-48ff-5xrw",
  "modified": "2025-02-28T17:46:04Z",
  "published": "2025-02-28T17:46:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cosmos/ibc-go/security/advisories/GHSA-jg6f-48ff-5xrw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cosmos/ibc-go/commit/59987d52d959dc5876ffd4f307c9b33a52a43748"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cosmos/ibc-go/commit/9869b3c6f7eb05a935b1eb33611c5406f68438a5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cosmos/ibc-go"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "IBC-Go has Non-deterministic JSON Unmarshalling of IBC Acknowledgement"
}

GHSA-JGCW-5VW9-7W3C

Vulnerability from github – Published: 2022-05-24 19:15 – Updated: 2022-05-24 19:15
VLAI
Details

An issue was discovered in Concrete CMS through 8.5.5. Arbitrary File deletion can occur via PHAR deserialization in is_dir (PHP Object Injection associated with the __wakeup magic method).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-40102"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-24T15:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in Concrete CMS through 8.5.5. Arbitrary File deletion can occur via PHAR deserialization in is_dir (PHP Object Injection associated with the __wakeup magic method).",
  "id": "GHSA-jgcw-5vw9-7w3c",
  "modified": "2022-05-24T19:15:42Z",
  "published": "2022-05-24T19:15:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40102"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/921288"
    },
    {
      "type": "WEB",
      "url": "https://documentation.concretecms.org/developers/introduction/version-history/856-release-notes"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-JGJ7-CGHF-2WQ9

Vulnerability from github – Published: 2022-05-14 01:29 – Updated: 2022-05-14 01:29
VLAI
Details

In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP object injection attacks via crafted metadata in a wp.getMediaItem XMLRPC call. This is caused by mishandling of serialized data at phar:// URLs in the wp_get_attachment_thumb_file function in wp-includes/post.php.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-20148"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-12-14T20:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP object injection attacks via crafted metadata in a wp.getMediaItem XMLRPC call. This is caused by mishandling of serialized data at phar:// URLs in the wp_get_attachment_thumb_file function in wp-includes/post.php.",
  "id": "GHSA-jgj7-cghf-2wq9",
  "modified": "2022-05-14T01:29:39Z",
  "published": "2022-05-14T01:29:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20148"
    },
    {
      "type": "WEB",
      "url": "https://blog.secarma.co.uk/labs/near-phar-dangerous-unserialization-wherever-you-are"
    },
    {
      "type": "WEB",
      "url": "https://codex.wordpress.org/Version_4.9.9"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/02/msg00019.html"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/support/wordpress-version/version-5-0-1"
    },
    {
      "type": "WEB",
      "url": "https://wpvulndb.com/vulnerabilities/9171"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2019/dsa-4401"
    },
    {
      "type": "WEB",
      "url": "https://www.zdnet.com/article/wordpress-plugs-bug-that-led-to-google-indexing-some-user-passwords"
    },
    {
      "type": "WEB",
      "url": "https://www.zdnet.com/article/wordpress-vulnerability-affects-a-third-of-most-popular-websites-online"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/106220"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JGWR-3QM3-26F3

Vulnerability from github – Published: 2021-03-19 20:11 – Updated: 2022-08-22 19:40
VLAI
Summary
Potential remote code execution in Apache Tomcat
Details

The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tomcat.embed:tomcat-embed-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0-M1"
            },
            {
              "fixed": "10.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tomcat.embed:tomcat-embed-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.0.41"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tomcat.embed:tomcat-embed-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.5.61"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 7.0.107"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tomcat.embed:tomcat-embed-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "7.0.108"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-25329"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-03-19T20:10:56Z",
    "nvd_published_at": "2021-03-01T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue.",
  "id": "GHSA-jgwr-3qm3-26f3",
  "modified": "2022-08-22T19:40:41Z",
  "published": "2021-03-19T20:11:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25329"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/tomcat/commit/6d66e99ef85da93e4d2c2a536ca51aa3418bfaf4"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2021/dsa-4891"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210409-0002"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202208-34"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00018.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cusers.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cannounce.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cannounce.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rf6d5d57b114678d8898005faef31e9fd6d7c981fcc4ccfc3bc272fc9@%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rb51ccd58b2152fc75125b2406fc93e04ca9d34e737263faa6ff0f41f@%3Cusers.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r8a2ac0e476dbfc1e6440b09dcc782d444ad635d6da26f0284725a5dc@%3Cusers.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r732b2ca289dc02df2de820e8775559abd6c207f159e39f559547a085@%3Cusers.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r11ce01e8a4c7269b88f88212f21830edf73558997ac7744f37769b77@%3Cusers.tomcat.apache.org%3E"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/tomcat"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/03/01/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Potential remote code execution in Apache Tomcat"
}

GHSA-JGXC-8MWQ-9XQW

Vulnerability from github – Published: 2024-01-22 06:30 – Updated: 2025-11-04 00:30
VLAI
Summary
Clojure classes can be used to craft a serialized object that runs arbitrary code on deserialization
Details

In Clojure before 1.9.0, classes can be used to construct a serialized object that executes arbitrary code upon deserialization. This is relevant if a server deserializes untrusted objects.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.clojure:clojure"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-20189"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-22T21:25:51Z",
    "nvd_published_at": "2024-01-22T06:15:07Z",
    "severity": "CRITICAL"
  },
  "details": "In Clojure before 1.9.0, classes can be used to construct a serialized object that executes arbitrary code upon deserialization. This is relevant if a server deserializes untrusted objects.",
  "id": "GHSA-jgxc-8mwq-9xqw",
  "modified": "2025-11-04T00:30:44Z",
  "published": "2024-01-22T06:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-20189"
    },
    {
      "type": "WEB",
      "url": "https://github.com/frohoff/ysoserial/pull/68/files"
    },
    {
      "type": "WEB",
      "url": "https://github.com/clojure/clojure/commit/271674c9b484d798484d134a5ac40a6df15d3ac3"
    },
    {
      "type": "WEB",
      "url": "https://clojure.atlassian.net/browse/CLJ-2204"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/clojure/clojure"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/d/msg/clojure/WaL3hHzsevI/7zHU-L7LBQAJ"
    },
    {
      "type": "WEB",
      "url": "https://hackmd.io/%40fe1w0/HyefvRQKp"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20241108-0002"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGCLOJURE-5740378"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Clojure classes can be used to craft a serialized object that runs arbitrary code on deserialization"
}

GHSA-JH46-RMG6-R59W

Vulnerability from github – Published: 2023-10-31 06:30 – Updated: 2023-11-08 18:30
VLAI
Details

Thorn SFTP gateway 3.4.x before 3.4.4 uses Pivotal Spring Framework for Java deserialization of untrusted data, which is not supported by Pivotal, a related issue to CVE-2016-1000027. Also, within the specific context of Thorn SFTP gateway, this leads to remote code execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-47174"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-31T04:15:11Z",
    "severity": "CRITICAL"
  },
  "details": "Thorn SFTP gateway 3.4.x before 3.4.4 uses Pivotal Spring Framework for Java deserialization of untrusted data, which is not supported by Pivotal, a related issue to CVE-2016-1000027. Also, within the specific context of Thorn SFTP gateway, this leads to remote code execution.",
  "id": "GHSA-jh46-rmg6-r59w",
  "modified": "2023-11-08T18:30:30Z",
  "published": "2023-10-31T06:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47174"
    },
    {
      "type": "WEB",
      "url": "https://help.thorntech.com/docs/sftp-gateway-gcp-3.0/gcp-java-deserialization-rce"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JH5G-9M4V-9VV9

Vulnerability from github – Published: 2022-01-28 22:24 – Updated: 2023-09-11 22:18
VLAI
Summary
Insecure Java Deserialization in Apache Karaf
Details

Apache Karaf allows monitoring of applications and the Java runtime by using the Java Management Extensions (JMX). JMX is a Java RMI based technology that relies on Java serialized objects for client server communication. Whereas the default JMX implementation is hardened against unauthenticated deserialization attacks, the implementation used by Apache Karaf is not protected against this kind of attack. The impact of Java deserialization vulnerabilities strongly depends on the classes that are available within the targets class path. Generally speaking, deserialization of untrusted data does always represent a high security risk and should be prevented. The risk is low as, by default, Karaf uses a limited set of classes in the JMX server class path. It depends of system scoped classes (e.g. jar in the lib folder).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.karaf.management:org.apache.karaf.management.server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.3.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-41766"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-27T23:08:06Z",
    "nvd_published_at": "2022-01-26T11:15:00Z",
    "severity": "HIGH"
  },
  "details": "Apache Karaf allows monitoring of applications and the Java runtime by using the Java Management Extensions (JMX). JMX is a Java RMI based technology that relies on Java serialized objects for client server communication. Whereas the default JMX implementation is hardened against unauthenticated deserialization attacks, the implementation used by Apache Karaf is not protected against this kind of attack. The impact of Java deserialization vulnerabilities strongly depends on the classes that are available within the targets class path. Generally speaking, deserialization of untrusted data does always represent a high security risk and should be prevented. The risk is low as, by default, Karaf uses a limited set of classes in the JMX server class path. It depends of system scoped classes (e.g. jar in the lib folder).",
  "id": "GHSA-jh5g-9m4v-9vv9",
  "modified": "2023-09-11T22:18:57Z",
  "published": "2022-01-28T22:24:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41766"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/karaf/pull/1475"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/karaf/commit/b42c82ca3b9a22bd92d249a1060a1953f4188bc2"
    },
    {
      "type": "WEB",
      "url": "https://gitbox.apache.org/repos/asf?p=karaf.git;h=93a019c"
    },
    {
      "type": "WEB",
      "url": "https://gitbox.apache.org/repos/asf?p=karaf.git;h=b42c82c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/karaf"
    },
    {
      "type": "WEB",
      "url": "https://issues.apache.org/jira/browse/KARAF-7312"
    },
    {
      "type": "WEB",
      "url": "https://karaf.apache.org/security/cve-2021-41766.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Insecure Java Deserialization in Apache Karaf"
}

Mitigation
Architecture and Design Implementation

If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.

Mitigation
Implementation

When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Mitigation
Implementation

Explicitly define a final object() to prevent deserialization.

Mitigation
Architecture and Design Implementation
  • Make fields transient to protect them from deserialization.
  • An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.
Mitigation
Implementation

Avoid having unnecessary types or gadgets (a sequence of instances and method invocations that can self-execute during the deserialization process, often found in libraries) available that can be leveraged for malicious ends. This limits the potential for unintended or unauthorized types and gadgets to be leveraged by the attacker. Add only acceptable classes to an allowlist. Note: new gadgets are constantly being discovered, so this alone is not a sufficient mitigation.

Mitigation
Architecture and Design Implementation

Employ cryptography of the data or code for protection. However, it's important to note that it would still be client-side security. This is risky because if the client is compromised then the security implemented on the client (the cryptography) can be bypassed.

Mitigation MIT-29
Operation

Strategy: Firewall

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

CAPEC-586: Object Injection

An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.