Deserialization of Untrusted Data

Property
Language: java
Severity: low
CWE: CWE-502: Deserialization of Untrusted Data
OWASP: A08:2017 - Insecure Deserialization
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

If a JAX-RS REST endpoint does not specify a @Consumes annotation, it may accept requests with Content-Type 'application/x-java-serialized-object'. This allows attackers to send serialized Java objects, which could be deserialized by the server without validation.

Impact

An attacker could exploit this to send malicious serialized objects, potentially leading to arbitrary code execution on the server. This could result in data breaches, server compromise, or further attacks on your infrastructure.

Deserialization of Untrusted Data

Property
Language: javascript
Severity: critical
CWE: CWE-502: Deserialization of Untrusted Data
OWASP: A08:2017 - Insecure Deserialization
Confidence Level: High
Impact Level: High
Likelihood Level: High

Description

User-supplied data is being deserialized using functions from insecure libraries like 'node-serialize' or 'serialize-to-js'. This allows attackers to send specially crafted input that can execute malicious code when processed.

Impact

If exploited, an attacker could run arbitrary code on your server, potentially leading to full system compromise, data theft, or service disruption. This can result in severe security breaches and loss of trust in your application.

Deserialization of Untrusted Data

Property
Language: javascript
Severity: low
CWE: CWE-502: Deserialization of Untrusted Data
OWASP: A08:2017 - Insecure Deserialization
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

The code establishes a gRPC connection using 'createInsecure()', which means data is sent without encryption. This exposes all transmitted information to anyone with access to the network.

Impact

An attacker could intercept, read, or modify gRPC messages in transit, potentially leading to data leaks, manipulation of requests or responses, and unauthorized access to sensitive operations. This can compromise both user data and the security of your application.

Deserialization of Untrusted Data

Property
Language: ocaml
Severity: medium
CWE: CWE-502: Deserialization of Untrusted Data
Confidence Level: Low
Impact Level: High
Likelihood Level: Medium

Description

Using OCaml’s Marshal module to deserialize data from untrusted sources is unsafe because it doesn’t enforce type safety or data integrity. This can allow attackers to craft malicious inputs that compromise your application.

Impact

If exploited, an attacker could trigger out-of-bounds reads, cause crashes, or execute arbitrary code, potentially leading to data leaks or full system compromise. This puts both application integrity and user data at significant risk.

Deserialization of Untrusted Data

Property
Language: php
Severity: medium
CWE: CWE-502: Deserialization of Untrusted Data
OWASP: A08:2017 - Insecure Deserialization
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

Using PHP’s extract() function directly on data from user input (like $_GET, $_POST, or $_FILES) can let attackers overwrite variables in your code, leading to unexpected or unsafe behavior. To prevent this, avoid using extract() with user data, or always use the EXTR_SKIP flag to prevent existing variables from being overwritten.

Deserialization of Untrusted Data

Property
Language: php
Severity: low
CWE: CWE-502: Deserialization of Untrusted Data
OWASP: A08:2017 - Insecure Deserialization
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

Using PHP’s unserialize() function on data that can be controlled by users is dangerous because it allows attackers to inject specially crafted input. This can cause the application to execute malicious code or behave unexpectedly.

Impact

If exploited, attackers could execute arbitrary code, escalate privileges, or manipulate application data, potentially leading to data breaches, server compromise, or complete takeover of the application. This threatens both user data and overall system integrity.

Deserialization of Untrusted Data

Property
Language: php
Severity: medium
CWE: CWE-502: Deserialization of Untrusted Data
OWASP: A03:2021 - Injection
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

If the data used inside these patterns is passed in directly without proper sanitization, this could lead to PHP Object Injection. Do not use these functions with user-supplied input; use JSON functions instead.

Deserialization of Untrusted Data

Property
Language: python
Severity: low
CWE: CWE-502: Deserialization of Untrusted Data
OWASP: A08:2017 - Insecure Deserialization
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

Using Connection.recv() in Python’s multiprocessing module can be unsafe because it automatically unpickles received data. If data comes from an untrusted source, this could allow execution of malicious code.

Impact

An attacker who can send data to the process could exploit this to execute arbitrary code within your application, potentially leading to data theft, corruption, or full system compromise.

Deserialization of Untrusted Data

Property
Language: python
Severity: low
CWE: CWE-502: Deserialization of Untrusted Data
OWASP: A08:2017 - Insecure Deserialization
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

Using Python’s marshal module to load or unmarshal data from untrusted sources is unsafe, as it does not validate or secure the input. Attackers can craft malicious data that, when unmarshaled, can corrupt the program or execute arbitrary code.

Impact

If exploited, this vulnerability could let attackers execute arbitrary Python code, compromise sensitive data, or disrupt application logic, leading to a full system compromise or data breach. Applications processing untrusted input with marshal are especially at risk.

Deserialization of Untrusted Data

Property
Language: python
Severity: low
CWE: CWE-502: Deserialization of Untrusted Data
OWASP: A08:2017 - Insecure Deserialization
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

Using the Python 'shelve' module is risky because it relies on 'pickle' for data serialization, which can execute malicious code if the input is tampered with. Avoid using 'shelve' for storing data from untrusted sources.

Impact

If an attacker supplies or alters the serialized data, they could execute arbitrary code on your server, potentially leading to data breaches, system compromise, or complete takeover of the application environment.