Cwe 502

🧬 CWE Related 70
slug: cwe-502

Explanation

CWE-502は「シリアライズされたデータ (オブジェクトをバイト列に変換したもの) を信頼せずに復元 (デシリアライズ) してしまう」欠陥です。 Java・Python・PHP・.NETなどで、攻撃者が細工したオブジェクトを送ると任意コード実行されてしまうため、Webサーバー乗っ取りの典型ルートです。
📌 Example
CVE-2017-9805 (Apache Struts2 REST Plugin): XMLデシリアライズによるRCEで、Equifax事件 (1.4億人個人情報流出) の直接原因となった。

🔖 Related tags

🛡 Vulnerabilities tagged with this 492

ID Title
CVE-2017-14141 Unsafe Deserialization in kaltura (CVE-2017-14141)
CVE-2016-8744 Unsafe Deserialization in apache (CVE-2016-8744)
CVE-2017-12612 Unsafe Deserialization in apache (CVE-2017-12612)
CVE-2017-14035 CrushFTP 8.x before 8.2.0 has a serialization vulnerability.
CVE-2017-11153 Unsafe Deserialization in deserialization (CVE-2017-11153)
CVE-2017-9785 Unsafe Deserialization in csrf (CVE-2017-9785)
CVE-2017-1000034 Unsafe Deserialization in deserialization (CVE-2017-1000034)
CVE-2017-1000053 Unsafe Deserialization in deserialization (CVE-2017-1000053)
CVE-2016-6793 Unsafe Deserialization in apache (CVE-2016-6793)
CVE-2017-11143 Use-After-Free in c (CVE-2017-11143)
CVE-2016-4000 Unsafe Deserialization in org.python:jython-standalone (CVE-2016-4000)
CVE-2017-2295 Unsafe Deserialization in deserialization (CVE-2017-2295)
CVE-2017-10803 Unsafe Deserialization in odoo (CVE-2017-10803)
CVE-2017-2292 Unsafe Deserialization in puppet (CVE-2017-2292)
CVE-2017-9830 Unsafe Deserialization in apache (CVE-2017-9830)
CVE-2017-9424 Unsafe Deserialization in csharp (CVE-2017-9424)
CVE-2016-7050 Unsafe Deserialization in redhat (CVE-2016-7050)
CVE-2016-3690 Unsafe Deserialization in redhat (CVE-2016-3690)
CVE-2017-5878 Unsafe Deserialization in deserialization (CVE-2017-5878)
CVE-2017-4914 Unsafe Deserialization in deserialization (CVE-2017-4914)
CVE-2017-9363 Unsafe Deserialization in soffid (CVE-2017-9363)
CVE-2017-7504 Unsafe Deserialization in deserialization (CVE-2017-7504)
CVE-2017-8829 Unsafe Deserialization in deserialization (CVE-2017-8829)
CVE-2017-8804 Unsafe Deserialization in c (CVE-2017-8804)
CVE-2017-7293 Unsafe Deserialization in csharp (CVE-2017-7293)
CVE-2017-5645 Unsafe Deserialization in apache (CVE-2017-5645)
CVE-2016-0779 Unsafe Deserialization in apache (CVE-2016-0779)
CVE-2016-4483 Unsafe Deserialization in c (CVE-2016-4483)
CVE-2017-5983 Unsafe Deserialization in dos (CVE-2017-5983)
CVE-2016-10304 Unsafe Deserialization in dos (CVE-2016-10304)

🍪 About cookies

We use cookies to keep you logged in, remember your language, and improve the service.

Details →