9.8

CVE-2017-3207

Exploit

EPSS 8.21%
Veröffentlicht 11.06.2018 17:29:00
Zuletzt bearbeitet 21.11.2024 03:25:02
Quelle cret@cert.org
CVE-Watchlists
Login
Unerledigt
Login

WebORB for Java by Midnight Coders, version 5.1.1.0, Action Message Format (AMF3) Java implementation is vulnerable to insecure deserialization

The Java implementations of AMF3 deserializers in WebORB for Java by Midnight Coders, version 5.1.1.0, derive class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. A remote attacker with the ability to spoof or control an RMI server connection may be able to send serialized Java objects that execute arbitrary code when deserialized.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Themidnightcoders ≫ Weborb For Java Version5.1.1.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	8.21%	0.942

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

https://www.kb.cert.org/vuls/id/307983

Third Party Advisory

US Government Resource

http://www.securityweek.com/flaws-java-amf-libraries-allow-remote-code-execution

Third Party Advisory

https://codewhitesec.blogspot.com/2017/04/amf.html

Third Party Advisory

Exploit

http://www.securityfocus.com/bid/97384

Third Party Advisory

VDB Entry

https://nvd.nist.gov/vuln/detail/CVE-2017-3207

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2017-3207

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2017-3207

EUVD