Cwe 502

🧬 CWE Related 70
slug: cwe-502

Explanation

CWE-502は「シリアライズされたデータ (オブジェクトをバイト列に変換したもの) を信頼せずに復元 (デシリアライズ) してしまう」欠陥です。 Java・Python・PHP・.NETなどで、攻撃者が細工したオブジェクトを送ると任意コード実行されてしまうため、Webサーバー乗っ取りの典型ルートです。
📌 Example
CVE-2017-9805 (Apache Struts2 REST Plugin): XMLデシリアライズによるRCEで、Equifax事件 (1.4億人個人情報流出) の直接原因となった。

🔖 Related tags

🛡 Vulnerabilities tagged with this 492

ID Title
CVE-2015-4852 KEV [KEV] Unsafe Deserialization in Oracle weblogic-server (CVE-2015-4852)
CVE-2019-18935 KEV [KEV] Unsafe Deserialization in Progress telerik-ui-for-aspnet-ajax (CVE-2019-18935)
CVE-2020-10189 KEV [KEV] Unsafe Deserialization in Zoho manageengine (CVE-2020-10189)
CVE-2020-24914 Unsafe Deserialization in qcubed (CVE-2020-24914)
CVE-2020-24036 Unsafe Deserialization in fork-cms (CVE-2020-24036)
CVE-2019-17571 Unsafe Deserialization in log4j:log4j (CVE-2019-17571)
CVE-2014-9515 Unsafe Deserialization in dozer-project (CVE-2014-9515)
CVE-2017-5641 Unsafe Deserialization in apache (CVE-2017-5641)
CVE-2017-17672 Unsafe Deserialization in deserialization (CVE-2017-17672)
CVE-2017-11283 Unsafe Deserialization in deserialization (CVE-2017-11283)
CVE-2017-11284 Unsafe Deserialization in deserialization (CVE-2017-11284)
CVE-2017-1000207 Unsafe Deserialization in swagger (CVE-2017-1000207)
CVE-2017-4995 Unsafe Deserialization in deserialization (CVE-2017-4995)
CVE-2017-8045 Unsafe Deserialization in pivotal-software (CVE-2017-8045)
CVE-2017-1000248 Redis-store
CVE-2017-1000208 Unsafe Deserialization in swagger (CVE-2017-1000208)
CVE-2017-1000195 Unsafe Deserialization in octobercms (CVE-2017-1000195)
CVE-2017-12633 Unsafe Deserialization in apache (CVE-2017-12633)
CVE-2017-12634 Unsafe Deserialization in apache (CVE-2017-12634)
CVE-2015-7501 Unsafe Deserialization in apache (CVE-2015-7501)
CVE-2017-1000148 Unsafe Deserialization in mahara (CVE-2017-1000148)
CVE-2016-5003 Unsafe Deserialization in apache (CVE-2016-5003)
CVE-2017-12796 Unsafe Deserialization in openmrs (CVE-2017-12796)
CVE-2017-12628 Unsafe Deserialization in apache (CVE-2017-12628)
CVE-2015-5164 Unsafe Deserialization in pulpproject (CVE-2015-5164)
CVE-2016-8736 Unsafe Deserialization in apache (CVE-2016-8736)
CVE-2017-0903 Unsafe Deserialization in deserialization (CVE-2017-0903)
CVE-2017-0806 Unsafe Deserialization in google (CVE-2017-0806)
CVE-2017-14702 Unsafe Deserialization in deserialization (CVE-2017-14702)
CVE-2017-10932 Unsafe Deserialization in c (CVE-2017-10932)

🍪 About cookies

We use cookies to keep you logged in, remember your language, and improve the service.

Details →