com.exadel.flamingo.flex:amf-serializer@1.0.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the com.exadel.flamingo.flex:amf-serializer package. This does not include vulnerabilities belonging to this package’s dependencies.

Severity: Critical
Arbitrary Code Execution

Affected versions of com.exadel.flamingo.flex:amf-serializer are vulnerable to Arbitrary Code Execution. Its AMF3 deserializers allow instantiation of arbitrary classes through public parameter-less constructors, so an attacker who can send a crafted AMF3 object to the system may be able to execute arbitrary code.

Vulnerable versions: [1.0.0,1.5.0]
Severity: High
Arbitrary Code Execution

Affected versions of com.exadel.flamingo.flex:amf-serializer are vulnerable to Arbitrary Code Execution. Its AMF3 deserializers create class instances through java.io.Externalizable (although the AMF3 specification recommends using flash.utils.IExternalizable). A remote attacker able to spoof or control an RMI server connection may be able to send serialized Java objects that execute arbitrary code when deserialized.

Vulnerable versions: [1.0.0,1.5.0]
Severity: High
XML External Entity (XXE) Injection

com.exadel.flamingo.flex:amf-serializer is a library for serializing and deserializing AMF0/AMF3 messages.

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection. The AMF3 deserializers in this library resolve external entities referenced from XML documents embedded in AMF3 messages.

How to fix XML External Entity (XXE) Injection?

There is no fixed version for com.exadel.flamingo.flex:amf-serializer.

Vulnerable versions: [1.0.0,)