CWE-502
AllowedDeserialization of Untrusted Data
Abstraction: Base · Status: Draft
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
4798 vulnerabilities reference this CWE, most recent first.
GHSA-5VW7-W2WW-JCFQ
Vulnerability from github – Published: 2026-05-08 09:31 – Updated: 2026-05-09 00:31Netgate pfSense CE 2.7.2 allows code execution by using the module installer with a backup file with a serialized PHP object containing the post_reboot_commands property. NOTE: the Supplier disputes this because this installer is only available to admins and they are intentionally allowed to execute PHP code.
{
"affected": [],
"aliases": [
"CVE-2025-69690"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-08T07:16:28Z",
"severity": "CRITICAL"
},
"details": "Netgate pfSense CE 2.7.2 allows code execution by using the module installer with a backup file with a serialized PHP object containing the post_reboot_commands property. NOTE: the Supplier disputes this because this installer is only available to admins and they are intentionally allowed to execute PHP code.",
"id": "GHSA-5vw7-w2ww-jcfq",
"modified": "2026-05-09T00:31:53Z",
"published": "2026-05-08T09:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69690"
},
{
"type": "WEB",
"url": "https://seclists.org/fulldisclosure/2026/Feb/16"
},
{
"type": "WEB",
"url": "https://www.linkedin.com/in/nelson-adhepeau"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5VXH-CM9F-9J4R
Vulnerability from github – Published: 2025-09-22 21:30 – Updated: 2025-09-22 21:30A vulnerability was determined in jeecgboot JimuReport up to 2.1.2. Affected is an unknown function of the file /drag/onlDragDataSource/testConnection of the component DB2 JDBC Handler. Executing manipulation of the argument clientRerouteServerListJNDIName can lead to deserialization. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized.
{
"affected": [],
"aliases": [
"CVE-2025-10771"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-21T23:15:35Z",
"severity": "MODERATE"
},
"details": "A vulnerability was determined in jeecgboot JimuReport up to 2.1.2. Affected is an unknown function of the file /drag/onlDragDataSource/testConnection of the component DB2 JDBC Handler. Executing manipulation of the argument clientRerouteServerListJNDIName can lead to deserialization. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized.",
"id": "GHSA-5vxh-cm9f-9j4r",
"modified": "2025-09-22T21:30:20Z",
"published": "2025-09-22T21:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10771"
},
{
"type": "WEB",
"url": "https://github.com/jeecgboot/jimureport/issues/4117"
},
{
"type": "WEB",
"url": "https://github.com/jeecgboot/jimureport/issues/4117#issue-3391268438"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.325127"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.325127"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.649778"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-5VXQ-FV88-X9JQ
Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-05-24 19:12An unsafe deserialization vulnerability exists in the Engine.plugin ProfileInformation ProfileData functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2021-21869"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-25T19:15:00Z",
"severity": "HIGH"
},
"details": "An unsafe deserialization vulnerability exists in the Engine.plugin ProfileInformation ProfileData functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability.",
"id": "GHSA-5vxq-fv88-x9jq",
"modified": "2022-05-24T19:12:10Z",
"published": "2022-05-24T19:12:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21869"
},
{
"type": "WEB",
"url": "https://customers.codesys.com/index.php?eID=dumpFile\u0026t=f\u0026f=16805\u0026token=ee583c498941d9fda86490bca98ff21928eec08a\u0026download="
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1306"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5W3J-GWGH-4RFV
Vulnerability from github – Published: 2025-09-22 18:30 – Updated: 2025-09-22 21:09A deserialization vulnerability exists in h2oai/h2o-3 versions <= 3.46.0.7, allowing attackers to read arbitrary system files and execute arbitrary code. The vulnerability arises from improper handling of JDBC connection parameters, which can be exploited by bypassing regular expression checks and using double URL encoding. This issue impacts all users of the affected versions.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "ai.h2o:h2o-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "3.46.0.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "h2o"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "3.46.0.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-6544"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-22T21:09:54Z",
"nvd_published_at": "2025-09-21T09:15:38Z",
"severity": "CRITICAL"
},
"details": "A deserialization vulnerability exists in h2oai/h2o-3 versions \u003c= 3.46.0.7, allowing attackers to read arbitrary system files and execute arbitrary code. The vulnerability arises from improper handling of JDBC connection parameters, which can be exploited by bypassing regular expression checks and using double URL encoding. This issue impacts all users of the affected versions.",
"id": "GHSA-5w3j-gwgh-4rfv",
"modified": "2025-09-22T21:09:54Z",
"published": "2025-09-22T18:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6544"
},
{
"type": "WEB",
"url": "https://github.com/h2oai/h2o-3/commit/0298ee348f5c73673b7b542158081e79605f5f25"
},
{
"type": "PACKAGE",
"url": "https://github.com/h2oai/h2o-3"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/53f35a0f-d644-4f82-93aa-89fe7e0aed40"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "H2O affected by a deserialization vulnerability"
}
GHSA-5W67-C6PV-HMPQ
Vulnerability from github – Published: 2026-02-20 18:31 – Updated: 2026-02-25 00:31Deserialization of Untrusted Data vulnerability in fuelthemes PeakShops peakshops allows Object Injection.This issue affects PeakShops: from n/a through <= 1.5.9.
{
"affected": [],
"aliases": [
"CVE-2025-69294"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-20T16:22:15Z",
"severity": "HIGH"
},
"details": "Deserialization of Untrusted Data vulnerability in fuelthemes PeakShops peakshops allows Object Injection.This issue affects PeakShops: from n/a through \u003c= 1.5.9.",
"id": "GHSA-5w67-c6pv-hmpq",
"modified": "2026-02-25T00:31:21Z",
"published": "2026-02-20T18:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69294"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Theme/peakshops/vulnerability/wordpress-peakshops-theme-1-5-9-php-object-injection-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5W76-2V5J-77R4
Vulnerability from github – Published: 2024-05-03 03:30 – Updated: 2024-05-03 03:30Inductive Automation Ignition ParameterVersionJavaSerializationCodec Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the ParameterVersionJavaSerializationCodec class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-20290.
{
"affected": [],
"aliases": [
"CVE-2023-39475"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-03T03:15:13Z",
"severity": "CRITICAL"
},
"details": "Inductive Automation Ignition ParameterVersionJavaSerializationCodec Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the ParameterVersionJavaSerializationCodec class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-20290.",
"id": "GHSA-5w76-2v5j-77r4",
"modified": "2024-05-03T03:30:56Z",
"published": "2024-05-03T03:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39475"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1047"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5WHJ-523X-6J68
Vulnerability from github – Published: 2022-05-14 01:00 – Updated: 2022-11-22 19:38The camel-hessian component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.camel:camel-hessian"
},
"ranges": [
{
"events": [
{
"introduced": "2.0"
},
{
"fixed": "2.19.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.camel:camel-hessian"
},
"ranges": [
{
"events": [
{
"introduced": "2.20.0"
},
{
"fixed": "2.20.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.20.0"
]
}
],
"aliases": [
"CVE-2017-12633"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2022-11-22T19:38:38Z",
"nvd_published_at": "2017-11-15T15:29:00Z",
"severity": "CRITICAL"
},
"details": "The camel-hessian component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws.",
"id": "GHSA-5whj-523x-6j68",
"modified": "2022-11-22T19:38:38Z",
"published": "2022-05-14T01:00:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12633"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:0319"
},
{
"type": "WEB",
"url": "https://issues.apache.org/jira/browse/CAMEL-11923"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf@%3Ccommits.camel.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d@%3Ccommits.camel.apache.org%3E"
},
{
"type": "WEB",
"url": "http://camel.apache.org/security-advisories.data/CVE-2017-12633.txt.asc"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/101874"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Apache Camel camel-hessian component vulnerable to Java object deserialization"
}
GHSA-5WR5-VXHH-X7GM
Vulnerability from github – Published: 2026-02-13 18:31 – Updated: 2026-04-14 00:31Hyland OnBase contains an unauthenticated .NET Remoting exposure in the OnBase Workflow Timer Service (Hyland.Core.Workflow.NTService.exe). An attacker who can reach the service can send crafted .NET Remoting requests to default HTTP channel endpoints on TCP/8900 (e.g., TimerServiceAPI.rem and TimerServiceEvents.rem for Workflow) to trigger unsafe object unmarshalling, enabling arbitrary file read/write. By writing attacker-controlled content into web-accessible locations or chaining with other OnBase features, this can lead to remote code execution. The same primitive can be abused by supplying a UNC path to coerce outbound NTLM authentication (SMB coercion) to an attacker-controlled host.
{
"affected": [],
"aliases": [
"CVE-2026-26221"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-13T16:16:11Z",
"severity": "CRITICAL"
},
"details": "Hyland OnBase contains an unauthenticated .NET Remoting exposure in the OnBase Workflow Timer Service (Hyland.Core.Workflow.NTService.exe). An attacker who can reach the service can send crafted .NET Remoting requests to default HTTP channel endpoints on TCP/8900 (e.g., TimerServiceAPI.rem and TimerServiceEvents.rem for Workflow) to trigger unsafe object unmarshalling, enabling arbitrary file read/write. By writing attacker-controlled content into web-accessible locations or chaining with other OnBase features, this can lead to remote code execution. The same primitive can be abused by supplying a UNC path to coerce outbound NTLM authentication (SMB coercion) to an attacker-controlled host.",
"id": "GHSA-5wr5-vxhh-x7gm",
"modified": "2026-04-14T00:31:11Z",
"published": "2026-02-13T18:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26221"
},
{
"type": "WEB",
"url": "https://community.hyland.com/resources/bulletins-and-notices/223223-security-update-onbase-workflow-timer-service-bulletin-ob2025-03"
},
{
"type": "WEB",
"url": "https://www.hyland.com/en/solutions/products/onbase"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/hyland-onbase-timer-services-unauthenticated-net-remoting-rce"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-5WVP-7F3H-6WMM
Vulnerability from github – Published: 2023-11-09 09:30 – Updated: 2024-10-21 20:52Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example user-supplied input files).
This vulnerability only affects PyArrow, not other Apache Arrow implementations or bindings.
It is recommended that users of PyArrow upgrade to 14.0.1. Similarly, it is recommended that downstream libraries upgrade their dependency requirements to PyArrow 14.0.1 or later. PyPI packages are already available, and we hope that conda-forge packages will be available soon.
If it is not possible to upgrade, maintainers provide a separate package pyarrow-hotfix that disables the vulnerability on older PyArrow versions. See https://pypi.org/project/pyarrow-hotfix/ for instructions.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "pyarrow"
},
"ranges": [
{
"events": [
{
"introduced": "0.14.0"
},
{
"fixed": "14.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-47248"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2023-11-09T22:18:21Z",
"nvd_published_at": "2023-11-09T09:15:08Z",
"severity": "CRITICAL"
},
"details": "Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example user-supplied input files).\n\nThis vulnerability only affects PyArrow, not other Apache Arrow implementations or bindings.\n\nIt is recommended that users of PyArrow upgrade to 14.0.1. Similarly, it is recommended that downstream libraries upgrade their dependency requirements to PyArrow 14.0.1 or later. PyPI packages are already available, and we hope that conda-forge packages will be available soon.\n\nIf it is not possible to upgrade, maintainers provide a separate package `pyarrow-hotfix` that disables the vulnerability on older PyArrow versions. See https://pypi.org/project/pyarrow-hotfix/ for instructions.",
"id": "GHSA-5wvp-7f3h-6wmm",
"modified": "2024-10-21T20:52:56Z",
"published": "2023-11-09T09:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47248"
},
{
"type": "WEB",
"url": "https://github.com/apache/arrow/commit/f14170976372436ec1d03a724d8d3f3925484ecf"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-5wvp-7f3h-6wmm"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/arrow"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/pyarrow/PYSEC-2023-238.yaml"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/yhy7tdfjf9hrl9vfrtzo8p2cyjq87v7n"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FR34AIPXVTMB3XPRU5ULV5HHWPMRE33X"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MAGWEAJDWO2ACYATUQCPXLSYY5C3L3XU"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWFYXLVBTBHNKYRXI572RFX7IJDDQGBL"
},
{
"type": "WEB",
"url": "https://pypi.org/project/pyarrow-hotfix"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-47248"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2023/11/08/7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "PyArrow: Arbitrary code execution when loading a malicious data file"
}
GHSA-5WW9-J83M-Q7QX
Vulnerability from github – Published: 2019-05-23 09:32 – Updated: 2024-03-15 01:06A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.fasterxml.jackson.core:jackson-databind"
},
"ranges": [
{
"events": [
{
"introduced": "2.9.0"
},
{
"fixed": "2.9.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.fasterxml.jackson.core:jackson-databind"
},
"ranges": [
{
"events": [
{
"introduced": "2.8.0"
},
{
"fixed": "2.8.11.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.fasterxml.jackson.core:jackson-databind"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.9.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.fasterxml.jackson.core:jackson-databind"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.6.7.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-12086"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2019-05-22T04:34:56Z",
"nvd_published_at": "2019-05-17T17:29:00Z",
"severity": "HIGH"
},
"details": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.",
"id": "GHSA-5ww9-j83m-q7qx",
"modified": "2024-03-15T01:06:41Z",
"published": "2019-05-23T09:32:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12086"
},
{
"type": "WEB",
"url": "https://github.com/FasterXML/jackson-databind/issues/2326"
},
{
"type": "WEB",
"url": "https://github.com/FasterXML/jackson-databind/commit/efc3c0d02f4743dbaa6d1b9c466772a2f13d966b"
},
{
"type": "WEB",
"url": "https://github.com/FasterXML/jackson-databind/commit/dda513bd7251b4f32b7b60b1c13740e3b5a43024"
},
{
"type": "WEB",
"url": "https://github.com/FasterXML/jackson-databind/commit/d30f036208ab1c60bd5ce429cb4f7f1a3e5682e8"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rda99599896c3667f2cc9e9d34c7b6ef5d2bbed1f4801e1d75a2b0679@%3Ccommits.nifi.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00030.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UKUALE2TUCKEKOHE2D342PQXN4MWCSLC"
},
{
"type": "WEB",
"url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"type": "WEB",
"url": "https://seclists.org/bugtraq/2019/May/68"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20190530-0003"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20200227030031/http://www.securityfocus.com/bid/109227"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20200808181049/http://russiansecurity.expert/2016/04/20/mysql-connect-file-read"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2019/dsa-4452"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2858"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2935"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2936"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2937"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2938"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2998"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:3044"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:3045"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:3046"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:3050"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:3149"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:3200"
},
{
"type": "PACKAGE",
"url": "https://github.com/FasterXML/jackson-databind"
},
{
"type": "WEB",
"url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.9"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/3f99ae8dcdbd69438cb733d745ee3ad5e852068490719a66509b4592@%3Ccommits.cassandra.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/88cd25375805950ae7337e669b0cb0eeda98b9604c1b8d806dccbad2@%3Creviews.spark.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Information exposure in FasterXML jackson-databind"
}
Mitigation
If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
Mitigation
When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.
Mitigation
Explicitly define a final object() to prevent deserialization.
Mitigation
- Make fields transient to protect them from deserialization.
- An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.
Mitigation
Avoid having unnecessary types or gadgets (a sequence of instances and method invocations that can self-execute during the deserialization process, often found in libraries) available that can be leveraged for malicious ends. This limits the potential for unintended or unauthorized types and gadgets to be leveraged by the attacker. Add only acceptable classes to an allowlist. Note: new gadgets are constantly being discovered, so this alone is not a sufficient mitigation.
Mitigation
Employ cryptography of the data or code for protection. However, it's important to note that it would still be client-side security. This is risky because if the client is compromised then the security implemented on the client (the cryptography) can be bypassed.
Mitigation MIT-29
Strategy: Firewall
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
CAPEC-586: Object Injection
An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.