Description
The Java implementations of AMF3 deserializers in Pivotal/Spring Spring-flex derive class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. A remote attacker with the ability to spoof or control an RMI server connection may be able to send serialized Java objects that execute arbitrary code when deserialized.
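The weakness described above is in how the externalizable branch of AMF3 decoding resolves a class: the wire format carries only a class alias, and if the decoder resolves that alias to any java.io.Externalizable on the classpath, instantiates it and calls readExternal() on attacker-supplied bytes, the attacker chooses which code runs. The model below is an added illustration, not Spring-flex or BlazeDS code; the class names, the stand-in Externalizable and the allowlist entries are hypothetical. It shows the unchecked resolution beside a resolution gated by an allowlist of explicitly registered application types.

```java
import java.io.Externalizable;
import java.io.ObjectInput;
import java.io.ObjectOutput;
import java.util.Set;

/* Illustrative model of the AMF3 externalizable path (not BlazeDS or
 * Spring-flex code). An AMF3 object header with the externalizable flag
 * carries only a class alias; the decoder resolves the alias to a Java
 * class, instantiates it and hands the input stream to readExternal().
 * AnyExternalizable is a harmless, hypothetical stand-in for whatever
 * Externalizable the attacker names; its readExternal() marks where
 * attacker-selected code would execute. */
public class Amf3ExternalizableDemo {

    /** Hypothetical stand-in for any Externalizable reachable on the classpath. */
    public static class AnyExternalizable implements Externalizable {
        public static boolean readExternalCalled = false;
        public AnyExternalizable() {}
        @Override public void writeExternal(ObjectOutput out) {}
        @Override public void readExternal(ObjectInput in) { readExternalCalled = true; }
    }

    /** Vulnerable pattern: alias -> Class.forName -> any java.io.Externalizable is accepted. */
    public static Object readExternalizableUnchecked(String classAlias, ObjectInput in) throws Exception {
        Class<?> cls = Class.forName(classAlias);
        Object obj = cls.getDeclaredConstructor().newInstance();
        if (obj instanceof Externalizable) {
            // The attacker picked the class, so the attacker picked this code path.
            ((Externalizable) obj).readExternal(in);
        }
        return obj;
    }

    /** Hardened pattern: only types the application registered may be externalized. */
    public static Object readExternalizableAllowlisted(String classAlias, ObjectInput in,
                                                       Set<String> allowlist) throws Exception {
        if (!allowlist.contains(classAlias)) {
            // Reject before any class loading or instantiation happens.
            throw new SecurityException("Externalizable type not registered: " + classAlias);
        }
        return readExternalizableUnchecked(classAlias, in);
    }

    public static void main(String[] args) throws Exception {
        // Alias as it would arrive in the AMF3 header; no payload bytes are needed for the demo.
        String alias = AnyExternalizable.class.getName();

        readExternalizableUnchecked(alias, null);
        System.out.println("unchecked: readExternal invoked = " + AnyExternalizable.readExternalCalled);

        // Hypothetical application allowlist; the attacker's alias is not in it.
        Set<String> registered = Set.of("com.example.app.dto.Order", "com.example.app.dto.Customer");
        try {
            readExternalizableAllowlisted(alias, null, registered);
        } catch (SecurityException e) {
            System.out.println("allowlisted: " + e.getMessage());
        }
    }
}
```

The check in readExternalizableAllowlisted runs before Class.forName, so an unregistered alias never triggers class loading or a constructor. In a real deployment this gate belongs in the AMF decoder's class-resolution step, and the allowlist should name only the DTOs the Flex client is expected to send; upgrading Spring-flex to a version that ships a patched AMF library is the primary fix, with the allowlist as defence in depth.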
References
- Third Party Advisory
- Exploit; Mitigation; Third Party Advisory
- Third Party Advisory; US Government Resource
- Third Party Advisory; VDB Entry
Vulnerable configurations
Configuration 1
cpe:2.3:a:pivotal:spring-flex:*:*:*:*:*:*:*:*
EPSS
Percentile: 94%
Score: 0.13418 (Medium)
CVSS3: 8.1 High
CVSS2: 6.8 Medium
Weaknesses
CWE-502
Related vulnerabilities
- github, more than 3 years ago: Deserialization of Untrusted Data in Spring-flex (CVSS3: 8.1)