Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1qODh2LXEzdnctcDl2cs4AARbe

Deserialization of Untrusted Data in Flamingo amf-serializer

The Java implementation of the AMF3 deserializers used in Flamingo amf-serializer by Exadel, version 2.2.0, may allow instantiation of arbitrary classes via their public parameter-less constructors and the subsequent invocation of arbitrary Java Beans setter methods. Whether this vulnerability can be exploited depends on the availability of classes in the class path that make use of deserialization. A remote attacker with the ability to spoof or control information may be able to send serialized Java objects with pre-set properties that result in arbitrary code execution when deserialized.

Permalink: https://github.com/advisories/GHSA-j88v-q3vw-p9vr
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qODh2LXEzdnctcDl2cs4AARbe
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 2 years ago
Updated: 5 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-j88v-q3vw-p9vr, CVE-2017-3202
References:
Blast Radius: 7.6

Affected Packages

maven:com.exadel.flamingo.flex:amf-serializer
Dependent packages: 4
Dependent repositories: 6
Downloads:
Affected Version Ranges: <= 2.2.0
No known fixed version
All affected versions: 1.0.0, 1.5.0