CVE-2019-10202

HIGH Year: 2019
CVSS v3 Score
8.1
High
CVSS v2 Score
7.5
High
Weakness Type
CWE-502
View all →

Vulnerability Description

A series of deserialization vulnerabilities have been discovered in Codehaus 1.9.x implemented in EAP 7. This CVE fixes CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873, CVE-2019-12086 reported for FasterXML jackson-databind by implementing a whitelist approach that will mitigate these vulnerabilities and future ones alike.

Related Vulnerabilities

CVE-2016-10750

HIGH
CVSS:8.1(High)

In Hazelcast before 3.11, the cluster join procedure is vulnerable to remote code execution via Java deserialization. If an attacker can reach a listening Hazelcast instance with a crafted JoinRequest...

CWE-5022016

CVE-2017-1000034

HIGH
CVSS:8.1(High)

Akka versions <=2.4.16 and 2.5-M1 are vulnerable to a java deserialization attack in its Remoting component resulting in remote code execution in the context of the ActorSystem.

CWE-5022017

CVE-2017-1000053

HIGH
CVSS:8.1(High)

Elixir Plug before v1.0.4, v1.1.7, v1.2.3 and v1.3.2 is vulnerable to arbitrary code execution in the deserialization functions of Plug.Session.

CWE-5022017

CVE-2017-3199

HIGH
CVSS:8.1(High)

The Java implementation of GraniteDS, version 3.1.1.GA, AMF3 deserializers derives class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExter...

CWE-5022017

CVE-2017-3201

HIGH
CVSS:8.1(High)

The Java implementation of AMF3 deserializers used in Flamingo amf-serializer by Exadel, version 2.2.0 derives class instances from java.io.Externalizable rather than the AMF3 specification's recommen...

CWE-5022017

CVE-2017-3203

HIGH
CVSS:8.1(High)

The Java implementations of AMF3 deserializers in Pivotal/Spring Spring-flex derive class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExte...

CWE-5022017