CWE-502
AllowedDeserialization of Untrusted Data
Abstraction: Base · Status: Draft
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
4798 vulnerabilities reference this CWE, most recent first.
GHSA-6W4V-WCGF-49JV
Vulnerability from github – Published: 2022-04-07 00:00 – Updated: 2022-04-15 00:01A vulnerability in the login authorization components of Cisco Webex Meetings could allow an authenticated, remote attacker to inject arbitrary Java code. This vulnerability is due to improper deserialization of Java code within login requests. An attacker could exploit this vulnerability by sending malicious login requests to the Cisco Webex Meetings service. A successful exploit could allow the attacker to inject arbitrary Java code and take arbitrary actions within the Cisco Webex Meetings application.
{
"affected": [],
"aliases": [
"CVE-2022-20763"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-06T19:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in the login authorization components of Cisco Webex Meetings could allow an authenticated, remote attacker to inject arbitrary Java code. This vulnerability is due to improper deserialization of Java code within login requests. An attacker could exploit this vulnerability by sending malicious login requests to the Cisco Webex Meetings service. A successful exploit could allow the attacker to inject arbitrary Java code and take arbitrary actions within the Cisco Webex Meetings application.",
"id": "GHSA-6w4v-wcgf-49jv",
"modified": "2022-04-15T00:01:05Z",
"published": "2022-04-07T00:00:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20763"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-java-MVX6crH9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6W62-HX7R-MW68
Vulnerability from github – Published: 2021-08-25 14:46 – Updated: 2022-02-08 20:43Impact
The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.
Patches
XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
Workarounds
See workarounds for the different versions covering all CVEs.
References
See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-39154.
Credits
ka1n4t found and reported the issue to XStream and provided the required information to reproduce it.
For more information
If you have any questions or comments about this advisory: * Open an issue in XStream * Contact us at XStream Google Group
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.thoughtworks.xstream:xstream"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.18"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-39154"
],
"database_specific": {
"cwe_ids": [
"CWE-434",
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-23T18:22:35Z",
"nvd_published_at": "2021-08-23T18:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\nThe vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream\u0027s security framework with a whitelist limited to the minimal required types.\n\n### Patches\nXStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\n\n### Workarounds\nSee [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream\u0027s documentation for [CVE-2021-39154](https://x-stream.github.io/CVE-2021-39154.html).\n\n### Credits\nka1n4t found and reported the issue to XStream and provided the required information to reproduce it.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)\n",
"id": "GHSA-6w62-hx7r-mw68",
"modified": "2022-02-08T20:43:47Z",
"published": "2021-08-25T14:46:38Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-6w62-hx7r-mw68"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39154"
},
{
"type": "PACKAGE",
"url": "https://github.com/x-stream/xstream"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210923-0003"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-5004"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"type": "WEB",
"url": "https://x-stream.github.io/CVE-2021-39154.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "XStream is vulnerable to an Arbitrary Code Execution attack"
}
GHSA-6W8G-777W-9MCC
Vulnerability from github – Published: 2022-05-14 01:22 – Updated: 2025-10-22 00:31A remote code execution vulnerability exists in "Microsoft COM for Windows" when it fails to properly handle serialized objects, aka "Microsoft COM for Windows Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.
{
"affected": [],
"aliases": [
"CVE-2018-0824"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-05-09T19:29:00Z",
"severity": "HIGH"
},
"details": "A remote code execution vulnerability exists in \"Microsoft COM for Windows\" when it fails to properly handle serialized objects, aka \"Microsoft COM for Windows Remote Code Execution Vulnerability.\" This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.",
"id": "GHSA-6w8g-777w-9mcc",
"modified": "2025-10-22T00:31:35Z",
"published": "2022-05-14T01:22:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0824"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0824"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-0824"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/44906"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/104030"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1040848"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6W97-JR3C-Q3H4
Vulnerability from github – Published: 2024-12-07 12:30 – Updated: 2024-12-07 12:30The Gallery plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3 via deserialization of untrusted input from wd_gallery_$id parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
{
"affected": [],
"aliases": [
"CVE-2024-11501"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-07T12:15:19Z",
"severity": "HIGH"
},
"details": "The Gallery plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3 via deserialization of untrusted input from wd_gallery_$id parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.",
"id": "GHSA-6w97-jr3c-q3h4",
"modified": "2024-12-07T12:30:25Z",
"published": "2024-12-07T12:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11501"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/multi-gallery/tags/1.3/partials/Shortcode.php#L21"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/778f7d9b-6376-4026-a291-1fedeabe8c99?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6WF9-JMG9-VXCC
Vulnerability from github – Published: 2021-08-25 14:48 – Updated: 2022-02-08 20:59Impact
The vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.
Patches
XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
Workarounds
See workarounds for the different versions covering all CVEs.
References
See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2021-39140.
Credits
The vulnerability was discovered and reported by Lai Han of nsfocus security team.
For more information
If you have any questions or comments about this advisory: * Open an issue in XStream * Contact us at XStream Google Group
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.thoughtworks.xstream:xstream"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.18"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-39140"
],
"database_specific": {
"cwe_ids": [
"CWE-502",
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-23T18:22:01Z",
"nvd_published_at": "2021-08-23T19:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nThe vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream\u0027s security framework with a whitelist limited to the minimal required types.\n\n### Patches\nXStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\n\n### Workarounds\nSee [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream\u0027s documentation for [CVE-2021-39140](https://x-stream.github.io/CVE-2021-39140.html).\n\n### Credits\nThe vulnerability was discovered and reported by Lai Han of nsfocus security team.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)\n",
"id": "GHSA-6wf9-jmg9-vxcc",
"modified": "2022-02-08T20:59:06Z",
"published": "2021-08-25T14:48:39Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/x-stream/xstream/security/advisories/GHSA-6wf9-jmg9-vxcc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39140"
},
{
"type": "PACKAGE",
"url": "https://github.com/x-stream/xstream"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210923-0003"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-5004"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"type": "WEB",
"url": "https://x-stream.github.io/CVE-2021-39140.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "XStream can cause a Denial of Service"
}
GHSA-6WFG-RR5Q-WG74
Vulnerability from github – Published: 2024-03-24 00:30 – Updated: 2024-08-27 21:31Gibbon through 26.0.00 allows remote authenticated users to conduct PHP deserialization attacks via columnOrder in a POST request to the modules/System%20Admin/import_run.php&type=externalAssessment&step=4 URI.
{
"affected": [],
"aliases": [
"CVE-2024-24725"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-23T23:15:07Z",
"severity": "HIGH"
},
"details": "Gibbon through 26.0.00 allows remote authenticated users to conduct PHP deserialization attacks via columnOrder in a POST request to the modules/System%20Admin/import_run.php\u0026type=externalAssessment\u0026step=4 URI.",
"id": "GHSA-6wfg-rr5q-wg74",
"modified": "2024-08-27T21:31:11Z",
"published": "2024-03-24T00:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24725"
},
{
"type": "WEB",
"url": "https://gibbonedu.org/download"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/51903"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6WGH-RVCX-89G9
Vulnerability from github – Published: 2025-11-05 03:30 – Updated: 2025-11-05 03:30The Everest Forms (Pro) plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.9.7 via deserialization of untrusted input in the mime_content_type() function. This makes it possible for unauthenticated attackers to inject a PHP Object. This vulnerability may be exploited by unauthenticated attackers when a form is present on the site with a non-required signature form field along with an image upload field. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. This vulnerability is only exploitable in PHP versions prior to 8.
{
"affected": [],
"aliases": [
"CVE-2025-8871"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-05T03:15:42Z",
"severity": "MODERATE"
},
"details": "The Everest Forms (Pro) plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.9.7 via deserialization of untrusted input in the mime_content_type() function. This makes it possible for unauthenticated attackers to inject a PHP Object. This vulnerability may be exploited by unauthenticated attackers when a form is present on the site with a non-required signature form field along with an image upload field. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. This vulnerability is only exploitable in PHP versions prior to 8.",
"id": "GHSA-6wgh-rvcx-89g9",
"modified": "2025-11-05T03:30:24Z",
"published": "2025-11-05T03:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8871"
},
{
"type": "WEB",
"url": "https://everestforms.net/changelog"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/11d45287-f875-4cc9-aaf6-47158fe32858?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-6WPM-4J63-64J7
Vulnerability from github – Published: 2025-04-17 18:31 – Updated: 2026-04-01 18:34Deserialization of Untrusted Data vulnerability in WP Speedo Team Members allows Object Injection. This issue affects Team Members: from n/a through 3.4.0.
{
"affected": [],
"aliases": [
"CVE-2025-32686"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-17T16:15:50Z",
"severity": "HIGH"
},
"details": "Deserialization of Untrusted Data vulnerability in WP Speedo Team Members allows Object Injection. This issue affects Team Members: from n/a through 3.4.0.",
"id": "GHSA-6wpm-4j63-64j7",
"modified": "2026-04-01T18:34:51Z",
"published": "2025-04-17T18:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32686"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/wps-team/vulnerability/wordpress-team-members-3-4-0-php-object-injection-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6WQP-V4V6-C87C
Vulnerability from github – Published: 2020-06-15 18:44 – Updated: 2024-03-01 21:50An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.7.9.3"
},
"package": {
"ecosystem": "Maven",
"name": "com.fasterxml.jackson.core:jackson-databind"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.9.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.8.11.1"
},
"package": {
"ecosystem": "Maven",
"name": "com.fasterxml.jackson.core:jackson-databind"
},
"ranges": [
{
"events": [
{
"introduced": "2.8.0"
},
{
"fixed": "2.8.11.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.fasterxml.jackson.core:jackson-databind"
},
"ranges": [
{
"events": [
{
"introduced": "2.9.0"
},
{
"fixed": "2.9.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-12023"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-11T21:43:23Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.",
"id": "GHSA-6wqp-v4v6-c87c",
"modified": "2024-03-01T21:50:31Z",
"published": "2020-06-15T18:44:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12023"
},
{
"type": "WEB",
"url": "https://github.com/FasterXML/jackson-databind/issues/2058"
},
{
"type": "WEB",
"url": "https://github.com/FasterXML/jackson-databind/commit/7487cf7eb14be2f65a1eb108e8629c07ef45e0a"
},
{
"type": "WEB",
"url": "https://github.com/FasterXML/jackson-databind/commit/28badf7ef60ac3e7ef151cd8e8ec010b8479226a"
},
{
"type": "WEB",
"url": "https://github.com/FasterXML/jackson-databind/commit/bf261d404c2f79fd3406237710d40ebb03c99d84"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/7fcf88aff0d1deaa5c3c7be8d58c05ad7ad5da94b59065d8e7c50c5d@%3Cissues.lucene.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZEDLDUYBSTDY4GWDBUXGJNS2RFYTFVRC"
},
{
"type": "WEB",
"url": "https://seclists.org/bugtraq/2019/May/68"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20190530-0003"
},
{
"type": "WEB",
"url": "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2019/dsa-4452"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHBA-2019:0959"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:0782"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:0877"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:1106"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:1107"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:1108"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:1140"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:1782"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:1797"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:1822"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:1823"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2804"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2858"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:3002"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:3140"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:3149"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:3892"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:4037"
},
{
"type": "PACKAGE",
"url": "https://github.com/FasterXML/jackson-databind"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/105659"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Deserialization of Untrusted Data"
}
GHSA-6WW2-5R22-QHXV
Vulnerability from github – Published: 2025-01-04 09:35 – Updated: 2025-01-04 09:35The Backup Migration plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.6 via deserialization of untrusted input in the 'recursive_unserialize_replace' function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must create a staging site in order to trigger the exploit.
{
"affected": [],
"aliases": [
"CVE-2024-10932"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-04T08:15:05Z",
"severity": "HIGH"
},
"details": "The Backup Migration plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.6 via deserialization of untrusted input in the \u0027recursive_unserialize_replace\u0027 function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must create a staging site in order to trigger the exploit.",
"id": "GHSA-6ww2-5r22-qhxv",
"modified": "2025-01-04T09:35:20Z",
"published": "2025-01-04T09:35:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10932"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser//backup-backup/tags/1.4.6/includes/database/search-replace.php#L46"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/backup-backup/tags/1.4.6.1/includes/database/search-replace.php#L46"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d5a0c514-5200-47f4-9d2e-684d68946b9a?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
Mitigation
When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.
Mitigation
Explicitly define a final object() to prevent deserialization.
Mitigation
- Make fields transient to protect them from deserialization.
- An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.
Mitigation
Avoid having unnecessary types or gadgets (a sequence of instances and method invocations that can self-execute during the deserialization process, often found in libraries) available that can be leveraged for malicious ends. This limits the potential for unintended or unauthorized types and gadgets to be leveraged by the attacker. Add only acceptable classes to an allowlist. Note: new gadgets are constantly being discovered, so this alone is not a sufficient mitigation.
Mitigation
Employ cryptography of the data or code for protection. However, it's important to note that it would still be client-side security. This is risky because if the client is compromised then the security implemented on the client (the cryptography) can be bypassed.
Mitigation MIT-29
Strategy: Firewall
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
CAPEC-586: Object Injection
An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.