Description

The Java implementation of AMF3 deserializers used by WebORB for Java by Midnight Coders, version 5.1.1.0, allows external entity references (XXEs) from XML documents embedded within AMF3 messages. If the XML parsing is handled incorrectly it could potentially expose sensitive data on the server, denial of service, or server side request forgery.

Remediation

References

http://www.securityfocus.com/bid/97384

http://www.securityweek.com/flaws-java-amf-libraries-allow-remote-code-execution

https://codewhitesec.blogspot.com/2017/04/amf.html

https://www.kb.cert.org/vuls/id/307983

Related Vulnerabilities

CVE-2023-34840 Vulnerability in npm package angular-ui-notification

CVE-2022-25167 Vulnerability in maven package org.apache.flume:flume-parent

CVE-2020-10968 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind

CVE-2021-32820 Vulnerability in npm package express-handlebars

CVE-2015-8851 Vulnerability in maven package org.webjars.npm:node-uuid

Severity

Critical

Classification

CWE-611 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Third Party Advisory VDB Entry Exploit US Government Resource