CWE-502
AllowedDeserialization of Untrusted Data
Abstraction: Base · Status: Draft
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
4797 vulnerabilities reference this CWE, most recent first.
GHSA-56P8-3FH9-4CVQ
Vulnerability from github – Published: 2021-03-22 23:29 – Updated: 2022-02-08 21:32Impact
The vulnerability may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.
Patches
If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
Workarounds
See workarounds for the different versions covering all CVEs.
References
See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-21348.
Credits
The vulnerability was discovered and reported by threedr3am.
For more information
If you have any questions or comments about this advisory: * Open an issue in XStream * Contact us at XStream Google Group
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.thoughtworks.xstream:xstream"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.16"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-21348"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2021-03-22T23:25:49Z",
"nvd_published_at": "2021-03-23T00:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nThe vulnerability may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. No user is affected, who followed the recommendation to setup XStream\u0027s security framework with a whitelist limited to the minimal required types.\n\n### Patches\nIf you rely on XStream\u0027s default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16.\n\n### Workarounds\nSee [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream\u0027s documentation for [CVE-2021-21348](https://x-stream.github.io/CVE-2021-21348.html).\n\n### Credits\nThe vulnerability was discovered and reported by threedr3am.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)",
"id": "GHSA-56p8-3fh9-4cvq",
"modified": "2022-02-08T21:32:10Z",
"published": "2021-03-22T23:29:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-56p8-3fh9-4cvq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21348"
},
{
"type": "PACKAGE",
"url": "https://github.com/x-stream/xstream"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210430-0002"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-5004"
},
{
"type": "WEB",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"type": "WEB",
"url": "https://x-stream.github.io/CVE-2021-21348.html"
},
{
"type": "WEB",
"url": "https://x-stream.github.io/security.html#workaround"
},
{
"type": "WEB",
"url": "http://x-stream.github.io/changes.html#1.4.16"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "XStream is vulnerable to an attack using Regular Expression for a Denial of Service (ReDos)"
}
GHSA-577G-XXRF-8J42
Vulnerability from github – Published: 2026-04-14 18:30 – Updated: 2026-04-14 18:30Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.
{
"affected": [],
"aliases": [
"CVE-2026-34615"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-14T18:17:36Z",
"severity": "CRITICAL"
},
"details": "Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.",
"id": "GHSA-577g-xxrf-8j42",
"modified": "2026-04-14T18:30:43Z",
"published": "2026-04-14T18:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34615"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/connect/apsb26-37.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-577P-7J7H-2JGF
Vulnerability from github – Published: 2024-11-15 12:31 – Updated: 2024-11-18 21:23DomPDF before version 2.0.0 is vulnerable to PHAR (PHP Archive) deserialization due to a lack of checking on the protocol before passing it into the file_get_contents() function. An attacker who can upload files of any type to the server can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution, especially when DOMPdf is used with frameworks with documented POP chains like Laravel or vulnerable developer code.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "dompdf/dompdf"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-3838"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2024-11-15T20:36:04Z",
"nvd_published_at": "2024-11-15T11:15:05Z",
"severity": "CRITICAL"
},
"details": "DomPDF before version 2.0.0 is vulnerable to PHAR (PHP Archive) deserialization due to a lack of checking on the protocol before passing it into the file_get_contents() function. An attacker who can upload files of any type to the server can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution, especially when DOMPdf is used with frameworks with documented POP chains like Laravel or vulnerable developer code.",
"id": "GHSA-577p-7j7h-2jgf",
"modified": "2024-11-18T21:23:08Z",
"published": "2024-11-15T12:31:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3838"
},
{
"type": "WEB",
"url": "https://github.com/dompdf/dompdf/commit/99aeec1efec9213e87098d42eb09439e7ee0bb6a"
},
{
"type": "PACKAGE",
"url": "https://github.com/dompdf/dompdf"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/0bdddc12-ff67-4815-ab9f-6011a974f48e"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Deserialization of Untrusted Data in dompdf/dompdf"
}
GHSA-579Q-H82J-R5V2
Vulnerability from github – Published: 2026-03-26 16:45 – Updated: 2026-06-09 11:52In versions of dd-trace-java prior to 1.60.3, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability:
1. dd-trace-java is attached as a Java agent (-javaagent) on Java 16 or earlier
2. A JMX/RMI port has been explicitly configured via -Dcom.sun.management.jmxremote.port and is network-reachable
3. A gadget-chain-compatible library is present on the classpath
Impact
Arbitrary remote code execution with the privileges of the user running the instrumented JVM.
Recommendation
- For JDK >= 17: No action is required, but upgrading is strongly encouraged.
- For JDK >= 8u121 < JDK 17: Upgrade to dd-trace-java version 1.60.3 or later.
- For JDK < 8u121 and earlier where serialization filters are not available, apply the workaround described below.
Workarounds
Set the following environment variable to disable the RMI integration: DD_INTEGRATION_RMI_ENABLED=false
Credits
This vulnerability was responsibly disclosed by Mohamed Amine ait Ouchebou (mrecho) (Indiesecurity) via the Datadog bug bounty program.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.datadoghq:dd-java-agent"
},
"ranges": [
{
"events": [
{
"introduced": "0.40.0"
},
{
"fixed": "1.60.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33728"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-26T16:45:41Z",
"nvd_published_at": "2026-03-27T01:16:20Z",
"severity": "CRITICAL"
},
"details": "In versions of dd-trace-java prior to 1.60.3, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution.\u00a0All three of the following conditions must be true to exploit this vulnerability:\n1. dd-trace-java is attached as a Java agent (`-javaagent`) on Java 16 or earlier\n2. A JMX/RMI port has been explicitly configured via `-Dcom.sun.management.jmxremote.port` and is network-reachable\n3. A gadget-chain-compatible library is present on the classpath\n\n### Impact\nArbitrary remote code execution with the privileges of the user running the instrumented JVM.\n\n### Recommendation\n- For JDK \u003e= 17: No action is required, but upgrading is strongly encouraged.\n- For JDK \u003e= 8u121 \u003c JDK 17: Upgrade to dd-trace-java version 1.60.3 or later.\n- For JDK \u003c 8u121 and earlier where serialization filters are not available, apply the workaround described below.\n\n### Workarounds\nSet the following environment variable to disable the RMI integration: `DD_INTEGRATION_RMI_ENABLED=false`\n\n### Credits\nThis vulnerability was responsibly disclosed by Mohamed Amine ait Ouchebou (mrecho) (Indiesecurity) via the Datadog bug bounty program.",
"id": "GHSA-579q-h82j-r5v2",
"modified": "2026-06-09T11:52:29Z",
"published": "2026-03-26T16:45:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/DataDog/dd-trace-java/security/advisories/GHSA-579q-h82j-r5v2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33728"
},
{
"type": "PACKAGE",
"url": "https://github.com/DataDog/dd-trace-java"
},
{
"type": "WEB",
"url": "https://github.com/DataDog/dd-trace-java/releases/tag/v1.60.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "dd-trace-java: Unsafe deserialization in RMI instrumentation may lead to remote code execution"
}
GHSA-57G8-267X-FFC8
Vulnerability from github – Published: 2025-12-10 18:30 – Updated: 2025-12-23 15:30Barracuda Service Center, as implemented in the RMM solution, in versions prior to 2025.1.1, exposes a .NET Remoting service that is insufficiently protected against deserialization of arbitrary types. This can lead to remote code execution.
{
"affected": [],
"aliases": [
"CVE-2025-34394"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-10T16:16:24Z",
"severity": "CRITICAL"
},
"details": "Barracuda Service Center, as implemented in the RMM solution, in versions prior to 2025.1.1, exposes a .NET Remoting service that is insufficiently protected against deserialization of arbitrary types. This can lead to remote code execution.",
"id": "GHSA-57g8-267x-ffc8",
"modified": "2025-12-23T15:30:29Z",
"published": "2025-12-10T18:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-34394"
},
{
"type": "WEB",
"url": "https://download.mw-rmm.barracudamsp.com/PDF/2025.1.1/RN_BRMM_2025.1.1_EN.pdf"
},
{
"type": "WEB",
"url": "https://www.barracuda.com/products/msp/network-protection/rmm"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/barracuda-rmm-service-center-net-remoting-deserialization-rce"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-57HM-8RJV-498W
Vulnerability from github – Published: 2025-09-25 15:30 – Updated: 2025-09-25 16:53A vulnerability was determined in geyang ml-logger 0.10.36 and prior. Affected is the function log_handler of the file ml_logger/server.py of the component Ping Handler. This manipulation of the argument data causes deserialization. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "ml-logger"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.10.36"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-10950"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-25T16:53:45Z",
"nvd_published_at": "2025-09-25T15:16:10Z",
"severity": "LOW"
},
"details": "A vulnerability was determined in geyang ml-logger 0.10.36 and prior. Affected is the function log_handler of the file ml_logger/server.py of the component Ping Handler. This manipulation of the argument data causes deserialization. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available.",
"id": "GHSA-57hm-8rjv-498w",
"modified": "2025-09-25T16:53:45Z",
"published": "2025-09-25T15:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10950"
},
{
"type": "WEB",
"url": "https://github.com/geyang/ml-logger/issues/72"
},
{
"type": "PACKAGE",
"url": "https://github.com/geyang/ml-logger"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.325820"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.325820"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.652461"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "ml-logger deserialization vulnerability"
}
GHSA-57JW-5H75-6JP7
Vulnerability from github – Published: 2025-05-07 15:31 – Updated: 2026-04-01 18:35Deserialization of Untrusted Data vulnerability in Florent Maillefaud WP Maintenance allows Object Injection. This issue affects WP Maintenance: from n/a through 6.1.9.7.
{
"affected": [],
"aliases": [
"CVE-2025-47683"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-07T15:16:20Z",
"severity": "HIGH"
},
"details": "Deserialization of Untrusted Data vulnerability in Florent Maillefaud WP Maintenance allows Object Injection. This issue affects WP Maintenance: from n/a through 6.1.9.7.",
"id": "GHSA-57jw-5h75-6jp7",
"modified": "2026-04-01T18:35:04Z",
"published": "2025-05-07T15:31:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47683"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/wp-maintenance/vulnerability/wordpress-wp-maintenance-6-1-9-7-php-object-injection-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-57MF-V9W2-F657
Vulnerability from github – Published: 2025-10-22 15:31 – Updated: 2026-01-20 15:31Deserialization of Untrusted Data vulnerability in BoldThemes Goldenblatt goldenblatt allows Object Injection.This issue affects Goldenblatt: from n/a through <= 1.2.1.
{
"affected": [],
"aliases": [
"CVE-2025-60214"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-22T15:15:58Z",
"severity": "CRITICAL"
},
"details": "Deserialization of Untrusted Data vulnerability in BoldThemes Goldenblatt goldenblatt allows Object Injection.This issue affects Goldenblatt: from n/a through \u003c= 1.2.1.",
"id": "GHSA-57mf-v9w2-f657",
"modified": "2026-01-20T15:31:30Z",
"published": "2025-10-22T15:31:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60214"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Theme/goldenblatt/vulnerability/wordpress-goldenblatt-theme-1-2-1-php-object-injection-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://vdp.patchstack.com/database/Wordpress/Theme/goldenblatt/vulnerability/wordpress-goldenblatt-theme-1-2-1-php-object-injection-vulnerability"
},
{
"type": "WEB",
"url": "https://vdp.patchstack.com/database/Wordpress/Theme/goldenblatt/vulnerability/wordpress-goldenblatt-theme-1-2-1-php-object-injection-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-57QC-Q8RC-W8H7
Vulnerability from github – Published: 2024-11-12 15:30 – Updated: 2024-11-12 15:30A vulnerability has been identified in PP TeleControl Server Basic 1000 to 5000 V3.1 (6NH9910-0AA31-0AE1) (All versions < V3.1.2.1 with redundancy configured), PP TeleControl Server Basic 256 to 1000 V3.1 (6NH9910-0AA31-0AD1) (All versions < V3.1.2.1 with redundancy configured), PP TeleControl Server Basic 32 to 64 V3.1 (6NH9910-0AA31-0AF1) (All versions < V3.1.2.1 with redundancy configured), PP TeleControl Server Basic 64 to 256 V3.1 (6NH9910-0AA31-0AC1) (All versions < V3.1.2.1 with redundancy configured), PP TeleControl Server Basic 8 to 32 V3.1 (6NH9910-0AA31-0AB1) (All versions < V3.1.2.1 with redundancy configured), TeleControl Server Basic 1000 V3.1 (6NH9910-0AA31-0AD0) (All versions < V3.1.2.1 with redundancy configured), TeleControl Server Basic 256 V3.1 (6NH9910-0AA31-0AC0) (All versions < V3.1.2.1 with redundancy configured), TeleControl Server Basic 32 V3.1 (6NH9910-0AA31-0AF0) (All versions < V3.1.2.1 with redundancy configured), TeleControl Server Basic 5000 V3.1 (6NH9910-0AA31-0AE0) (All versions < V3.1.2.1 with redundancy configured), TeleControl Server Basic 64 V3.1 (6NH9910-0AA31-0AB0) (All versions < V3.1.2.1 with redundancy configured), TeleControl Server Basic 8 V3.1 (6NH9910-0AA31-0AA0) (All versions < V3.1.2.1 with redundancy configured), TeleControl Server Basic Serv Upgr (6NH9910-0AA31-0GA1) (All versions < V3.1.2.1 with redundancy configured), TeleControl Server Basic Upgr V3.1 (6NH9910-0AA31-0GA0) (All versions < V3.1.2.1 with redundancy configured). The affected system allows remote users to send maliciously crafted objects. Due to insecure deserialization of user-supplied content by the affected software, an unauthenticated attacker could exploit this vulnerability by sending a maliciously crafted serialized object. This could allow the attacker to execute arbitrary code on the device with SYSTEM privileges.
{
"affected": [],
"aliases": [
"CVE-2024-44102"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-12T13:15:08Z",
"severity": "CRITICAL"
},
"details": "A vulnerability has been identified in PP TeleControl Server Basic 1000 to 5000 V3.1 (6NH9910-0AA31-0AE1) (All versions \u003c V3.1.2.1 with redundancy configured), PP TeleControl Server Basic 256 to 1000 V3.1 (6NH9910-0AA31-0AD1) (All versions \u003c V3.1.2.1 with redundancy configured), PP TeleControl Server Basic 32 to 64 V3.1 (6NH9910-0AA31-0AF1) (All versions \u003c V3.1.2.1 with redundancy configured), PP TeleControl Server Basic 64 to 256 V3.1 (6NH9910-0AA31-0AC1) (All versions \u003c V3.1.2.1 with redundancy configured), PP TeleControl Server Basic 8 to 32 V3.1 (6NH9910-0AA31-0AB1) (All versions \u003c V3.1.2.1 with redundancy configured), TeleControl Server Basic 1000 V3.1 (6NH9910-0AA31-0AD0) (All versions \u003c V3.1.2.1 with redundancy configured), TeleControl Server Basic 256 V3.1 (6NH9910-0AA31-0AC0) (All versions \u003c V3.1.2.1 with redundancy configured), TeleControl Server Basic 32 V3.1 (6NH9910-0AA31-0AF0) (All versions \u003c V3.1.2.1 with redundancy configured), TeleControl Server Basic 5000 V3.1 (6NH9910-0AA31-0AE0) (All versions \u003c V3.1.2.1 with redundancy configured), TeleControl Server Basic 64 V3.1 (6NH9910-0AA31-0AB0) (All versions \u003c V3.1.2.1 with redundancy configured), TeleControl Server Basic 8 V3.1 (6NH9910-0AA31-0AA0) (All versions \u003c V3.1.2.1 with redundancy configured), TeleControl Server Basic Serv Upgr (6NH9910-0AA31-0GA1) (All versions \u003c V3.1.2.1 with redundancy configured), TeleControl Server Basic Upgr V3.1 (6NH9910-0AA31-0GA0) (All versions \u003c V3.1.2.1 with redundancy configured). The affected system allows remote users to send maliciously crafted objects. Due to insecure deserialization of user-supplied content by the affected software, an unauthenticated attacker could exploit this vulnerability by sending a maliciously crafted serialized object. This could allow the attacker to execute arbitrary code on the device with SYSTEM privileges.",
"id": "GHSA-57qc-q8rc-w8h7",
"modified": "2024-11-12T15:30:42Z",
"published": "2024-11-12T15:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44102"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-454789.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-57R3-2PRP-V2XH
Vulnerability from github – Published: 2025-01-23 12:32 – Updated: 2025-10-22 00:33Pre-authentication deserialization of untrusted data vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC), which in specific conditions could potentially enable a remote unauthenticated attacker to execute arbitrary OS commands.
{
"affected": [],
"aliases": [
"CVE-2025-23006"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-23T12:15:28Z",
"severity": "CRITICAL"
},
"details": "Pre-authentication deserialization of untrusted data vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC), which in specific conditions could potentially enable a remote unauthenticated attacker to execute arbitrary OS commands.",
"id": "GHSA-57r3-2prp-v2xh",
"modified": "2025-10-22T00:33:12Z",
"published": "2025-01-23T12:32:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23006"
},
{
"type": "WEB",
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0002"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-23006"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
Mitigation
When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.
Mitigation
Explicitly define a final object() to prevent deserialization.
Mitigation
- Make fields transient to protect them from deserialization.
- An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.
Mitigation
Avoid having unnecessary types or gadgets (a sequence of instances and method invocations that can self-execute during the deserialization process, often found in libraries) available that can be leveraged for malicious ends. This limits the potential for unintended or unauthorized types and gadgets to be leveraged by the attacker. Add only acceptable classes to an allowlist. Note: new gadgets are constantly being discovered, so this alone is not a sufficient mitigation.
Mitigation
Employ cryptography of the data or code for protection. However, it's important to note that it would still be client-side security. This is risky because if the client is compromised then the security implemented on the client (the cryptography) can be bypassed.
Mitigation MIT-29
Strategy: Firewall
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
CAPEC-586: Object Injection
An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.