Description
The Java implementation of the AMF3 deserializers used by WebORB for Java by Midnight Coders, version 5.1.1.0, allows XML external entity (XXE) references from XML documents embedded within AMF3 messages. If the XML parsing is handled incorrectly, it could potentially expose sensitive data on the server, cause a denial of service, or enable server-side request forgery.
Remediation
References
https://www.kb.cert.org/vuls/id/307983
https://codewhitesec.blogspot.com/2017/04/amf.html
http://www.securityweek.com/flaws-java-amf-libraries-allow-remote-code-execution
http://www.securityfocus.com/bid/97384