Apache Commons FileUpload prior to 1.3.3 DiskFileItem File Manipulation Remote Code Execution
Generates Deep Security CSV reports
Setup Instructions
Download & install the Deep Security SDK
Create Deep Security API keys
Set the API key as a DS_KEY environment variable

Usage Instructions
Help Menu
$ python3 reporterpy -h
usage: reporterpy [-h] [--report-filename REPORT_FILENAME] [--summary-filename SUMMARY_FILENAME] [--app-names [APP_NAMES [APP_NAMES
The cheat sheet about Java Deserialization vulnerabilities
Java-Deserialization-Cheat-Sheet
A cheat sheet for pentesters and researchers about deserialization vulnerabilities in various Java (JVM) serialization libraries. Please use the #javadeser hashtag for tweets.

Table of contents
Java Native Serialization (binary)
Overview
Main talks & presentations & docs
Payload generators
Exploits
Detect
Vulnerable apps (without
Compiled dataset of Java deserialization CVEs
Java-Deserialization-CVEs
This is a dataset of CVEs related to Java deserialization. Since existing CVE databases do not allow for granular searches by vulnerability type and language, this list was compiled by manually searching the NIST NVD CVE database with different queries. If you notice any discrepancies, contributions are very welcome!
CVE ID Year CVSS 3/31 risk CV
Oracle is urging customers to patch critical vulnerabilities in its products as part of its massive April update, which fixes a whopping 297 flaws.
Of those flaws, 53 vulnerabilities in Oracle products had a CVSS score of 9.0 or higher, making them “critical” severity – and in fact, 49 of those critical flaws had a CVSS score of 9.8. Products with the most vulnerabilities as part of this quarterly patch include the Oracle Fusion Middleware, the Oracle E-Business Suite and Oracle MySQ...
In an advisory yesterday, the Apache Software Foundation reiterates its recommendation for users of Struts to make sure their installations run a version of the Commons FileUpload library newer than 1.3.2, lest they expose their projects to possible remote code execution attacks.
Versions of the library prior to 1.3.3 have a deserialization problem with a Java Object, which could be exploited to write or copy files to arbitrary locations on the disk.
According to the original adviso...
Mega Patch Tuesday Microsoft on Tuesday patched a wormable hole in its Windows Server software that can be exploited remotely to completely commandeer the machine without any authorization. It was one of hundreds of security bugs squashed today by Redmond along with Oracle, Adobe, VMware, SAP and Google.
Microsoft emitted fixes for 123 vulnerabilities in this month's Patch Tuesday batch. Some 18 of those CVE-listed security flaws are considered critical, meaning remote code execution (RCE)...