Description
The Java implementation of AMF3 deserializers used by WebORB for Java by Midnight Coders, version 5.1.1.0, allows external entity references (XXEs) from XML documents embedded within AMF3 messages. If the XML parsing is handled incorrectly, this could potentially lead to exposure of sensitive data on the server, denial of service, or server-side request forgery.
Remediation
References
https://www.kb.cert.org/vuls/id/307983
https://codewhitesec.blogspot.com/2017/04/amf.html
http://www.securityweek.com/flaws-java-amf-libraries-allow-remote-code-execution
http://www.securityfocus.com/bid/97384
Related Vulnerabilities
CVE-2020-2181 Vulnerability in maven package org.jenkins-ci.plugins:credentials-binding
CVE-2017-15707 Vulnerability in maven package org.apache.struts:struts2-core
CVE-2019-19771 Vulnerability in npm package bictoin-ops
CVE-2016-7046 Vulnerability in maven package io.undertow:undertow-core
CVE-2019-18212 Vulnerability in maven package org.lsp4xml:org.eclipse.lsp4xml.extensions.emmet