Cwe 502

🧬 CWE Related 70
slug: cwe-502

Explanation

CWE-502 is the weakness of restoring (deserializing) serialized data (an object converted into a byte sequence) without first checking that it can be trusted. In Java, Python, PHP, .NET and similar platforms, an attacker who sends a crafted object can obtain arbitrary code execution, which makes this a classic route to web server takeover.
📌 Example
CVE-2017-9805 (Apache Struts2 REST Plugin): RCE via XML deserialization; it was the direct cause of the Equifax incident (leak of personal information on 140 million people).

🛡 Vulnerabilities tagged with this 71

ID Title
CVE-2019-0344 KEV [KEV] Unsafe Deserialization in Sap commerce-cloud (CVE-2019-0344)
CVE-2022-21445 KEV [KEV] Unsafe Deserialization in Oracle adf-faces (CVE-2022-21445)
CVE-2020-0618 KEV [KEV] Unsafe Deserialization in Microsoft sql-server (CVE-2020-0618)
CVE-2024-28986 KEV [KEV] Unsafe Deserialization in Solarwinds web-help-desk (CVE-2024-28986)
CVE-2018-0824 KEV [KEV] Unsafe Deserialization in Microsoft windows (CVE-2018-0824)
CVE-2023-43208 KEV [KEV] Unsafe Deserialization in Nextgen healthcare nextgen-healthcare (CVE-2023-43208)
CVE-2018-15133 KEV [KEV] Unsafe Deserialization in laravel (CVE-2018-15133)
CVE-2023-29300 KEV [KEV] Unsafe Deserialization in Adobe coldfusion (CVE-2023-29300)
CVE-2023-38203 KEV [KEV] Unsafe Deserialization in Adobe coldfusion (CVE-2023-38203)
CVE-2023-46604 KEV [KEV] Unsafe Deserialization in Apache activemq (CVE-2023-46604)
CVE-2023-40044 KEV [KEV] Unsafe Deserialization in Progress ws-ftp-server (CVE-2023-40044)
CVE-2023-26359 KEV [KEV] Unsafe Deserialization in Adobe coldfusion (CVE-2023-26359)
CVE-2022-31199 KEV [KEV] Unsafe Deserialization in Netwrix auditor (CVE-2022-31199)
CVE-2020-5741 KEV [KEV] Unsafe Deserialization in Plex media-server (CVE-2020-5741)
CVE-2021-39144 KEV [KEV] Code Injection in xstream (CVE-2021-39144)
CVE-2022-47986 KEV [KEV] Unsafe Deserialization in Ibm aspera-faspex (CVE-2022-47986)
CVE-2023-0669 KEV [KEV] Unsafe Deserialization in Fortra goanywhere-mft (CVE-2023-0669)
CVE-2021-35587 KEV [KEV] Unsafe Deserialization in Oracle fusion-middleware (CVE-2021-35587)
CVE-2022-41082 KEV [KEV] Unsafe Deserialization in Microsoft exchange-server (CVE-2022-41082)
CVE-2022-35405 KEV [KEV] Unsafe Deserialization in Zoho manageengine (CVE-2022-35405)
CVE-2018-2628 KEV [KEV] Unsafe Deserialization in Oracle weblogic-server (CVE-2018-2628)
CVE-2021-31010 KEV [KEV] Vulnerability in Apple ios (CVE-2021-31010)
CVE-2019-15271 KEV [KEV] Unsafe Deserialization in Cisco rv-series-routers (CVE-2019-15271)
CVE-2021-27852 KEV [KEV] Unsafe Deserialization in checkbox (CVE-2021-27852)
CVE-2021-42237 KEV [KEV] Unsafe Deserialization in Sitecore xp (CVE-2021-42237)
CVE-2019-6340 KEV [KEV] Unsafe Deserialization in Drupal core (CVE-2019-6340)
CVE-2019-10068 KEV [KEV] Unsafe Deserialization in Kentico xperience (CVE-2019-10068)
CVE-2018-1000861 KEV [KEV] Unsafe Deserialization in jenkins (CVE-2018-1000861)
CVE-2017-12149 KEV [KEV] Unsafe Deserialization in Red hat red-hat (CVE-2017-12149)
CVE-2021-44228 KEV [KEV] Vulnerability in Apache log4j2 (CVE-2021-44228)
