Cwe 502

🧬 CWE Related 70
slug: cwe-502

Explanation

CWE-502は「シリアライズされたデータ (オブジェクトをバイト列に変換したもの) を信頼せずに復元 (デシリアライズ) してしまう」欠陥です。 Java・Python・PHP・.NETなどで、攻撃者が細工したオブジェクトを送ると任意コード実行されてしまうため、Webサーバー乗っ取りの典型ルートです。
📌 Example
CVE-2017-9805 (Apache Struts2 REST Plugin): XMLデシリアライズによるRCEで、Equifax事件 (1.4億人個人情報流出) の直接原因となった。

🔖 Related tags

🛡 Vulnerabilities tagged with this 494

ID Title
CVE-2023-0669 KEV [KEV] Unsafe Deserialization in Fortra goanywhere-mft (CVE-2023-0669)
CVE-2021-35587 KEV [KEV] Unsafe Deserialization in Oracle fusion-middleware (CVE-2021-35587)
CVE-2022-21624 Unsafe Deserialization in c (CVE-2022-21624)
CVE-2022-41082 KEV [KEV] Unsafe Deserialization in Microsoft exchange-server (CVE-2022-41082)
CVE-2022-35405 KEV [KEV] Unsafe Deserialization in Zoho manageengine (CVE-2022-35405)
CVE-2018-2628 KEV [KEV] Unsafe Deserialization in Oracle weblogic-server (CVE-2018-2628)
CVE-2021-31010 KEV [KEV] Vulnerability in Apple ios (CVE-2021-31010)
CVE-2022-32224 Unsafe Deserialization in activerecord (CVE-2022-32224)
CVE-2021-36665 Unsafe Deserialization in druva (CVE-2021-36665)
CVE-2019-15271 KEV [KEV] Unsafe Deserialization in Cisco rv-series-routers (CVE-2019-15271)
CVE-2019-12868 Unsafe Deserialization in deserialization (CVE-2019-12868)
CVE-2022-25647 Unsafe Deserialization in com.google.code.gson:gson (CVE-2022-25647)
CVE-2022-29528 An issue was discovered in MISP before 2.4.158. PHAR deserialization can occur.
CVE-2021-27852 KEV [KEV] Unsafe Deserialization in checkbox (CVE-2021-27852)
CVE-2021-42237 KEV [KEV] Unsafe Deserialization in Sitecore xp (CVE-2021-42237)
CVE-2019-6340 KEV [KEV] Unsafe Deserialization in Drupal core (CVE-2019-6340)
CVE-2019-10068 KEV [KEV] Unsafe Deserialization in Kentico xperience (CVE-2019-10068)
CVE-2018-1000861 KEV [KEV] Unsafe Deserialization in jenkins (CVE-2018-1000861)
CVE-2021-42631 Unsafe Deserialization in printerlogic (CVE-2021-42631)
CVE-2022-23302 Unsafe Deserialization in apache (CVE-2022-23302)
CVE-2022-23307 Unsafe Deserialization in apache (CVE-2022-23307)
CVE-2021-4104 Unsafe Deserialization in apache (CVE-2021-4104)
CVE-2017-12149 KEV [KEV] Unsafe Deserialization in Red hat red-hat (CVE-2017-12149)
CVE-2021-44228 KEV [KEV] Vulnerability in Apache log4j2 (CVE-2021-44228)
CVE-2021-42321 KEV [KEV] Vulnerability in Microsoft exchange (CVE-2021-42321)
CVE-2018-4939 KEV [KEV] Unsafe Deserialization in Adobe coldfusion (CVE-2018-4939)
CVE-2017-9805 KEV [KEV] Unsafe Deserialization in Apache struts (CVE-2017-9805)
CVE-2021-35464 KEV [KEV] Unsafe Deserialization in Forgerock access-management-am (CVE-2021-35464)
CVE-2020-7961 KEV [KEV] Unsafe Deserialization in liferay (CVE-2020-7961)
CVE-2020-17144 KEV [KEV] Unsafe Deserialization in Microsoft exchange-server (CVE-2020-17144)

🍪 About cookies

We use cookies to keep you logged in, remember your language, and improve the service.

Details →