Arbitrary Code Execution Affecting com.exadel.flamingo.flex:amf-serializer package, versions [1.0.0,1.5.0]
Attack Complexity: High
Confidentiality: High
Integrity: High
Availability: High
Snyk ID: SNYK-JAVA-COMEXADELFLAMINGOFLEX-31406
Published: 21 May 2017
Disclosed: 6 Apr 2017
Credit: Unknown
Introduced: 6 Apr 2017
CVE-2017-3201

Overview
com.exadel.flamingo.flex:amf-serializer
Affected versions of this package are vulnerable to Arbitrary Code Execution. The package's AMF3 deserializers derive class instances from java.io.Externalizable (although the AMF3 specification recommends using flash.utils.IExternalizable). A remote attacker with the ability to spoof or control an RMI server connection may be able to send serialized Java objects that execute arbitrary code when deserialized.