Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13OHY3LXByaHcteGpwd83opQ
Apache Flex BlazeDS unsafe deserialization
Previous versions of Apache Flex BlazeDS (4.7.2 and earlier) did not restrict which types were allowed for AMF(X) object deserialization by default. During the deserialization process code is executed that for several known types has undesired side-effects. Other, unknown types may also exhibit such behaviors. One vector in the Java standard library exists that allows an attacker to trigger possibly further exploitable Java deserialization of untrusted data. Other known vectors in third party libraries can be used to trigger remote code execution.
Permalink: https://github.com/advisories/GHSA-w8v7-prhw-xjpwJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13OHY3LXByaHcteGpwd83opQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 2 years ago
Updated: 7 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-w8v7-prhw-xjpw, CVE-2017-5641
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-5641
- https://issues.apache.org/jira/browse/FLEX-35290
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03823en_us
- https://www.kb.cert.org/vuls/id/307983
- https://www.zerodayinitiative.com/advisories/ZDI-22-506/
- https://www.zerodayinitiative.com/advisories/ZDI-22-507/
- http://mail-archives.apache.org/mod_mbox/flex-dev/201703.mbox/%[email protected]%3E
- https://web.archive.org/web/20170920093830/http://www.securitytracker.com/id/1038273
- https://web.archive.org/web/20210124021605/http://www.securityfocus.com/bid/97383
- https://github.com/apache/flex-blazeds/commit/11b0aa132d9a43bf81fa12654ff227ff247b4627
- https://github.com/apache/flex-blazeds/commit/f861f0993c35e664906609cad275e45a71e2aaf1
- https://github.com/advisories/GHSA-w8v7-prhw-xjpw
Blast Radius: 16.6
Affected Packages
maven:org.apache.flex.blazeds:flex-messaging-remoting
Dependent packages: 3Dependent repositories: 11
Downloads:
Affected Version Ranges: <= 4.7.2
Fixed in: 4.7.3
All affected versions: 4.7.0, 4.7.1, 4.7.2
All unaffected versions: 4.7.3, 4.8.0
maven:org.apache.flex.blazeds:flex-messaging-core
Dependent packages: 6Dependent repositories: 50
Downloads:
Affected Version Ranges: <= 4.7.2
Fixed in: 4.7.3
All affected versions: 4.7.0, 4.7.1, 4.7.2
All unaffected versions: 4.7.3, 4.8.0