Description
The AMF unmarshallers in Red5 Media Server before 1.0.8 do not restrict the classes for which they perform deserialization, which allows remote attackers to execute arbitrary code via crafted serialized Java data.
Remediation
References
https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true
http://www.openwall.com/lists/oss-security/2017/05/22/2
Related Vulnerabilities
CVE-2022-38751 Vulnerability in maven package org.yaml:snakeyaml
CVE-2017-16183 Vulnerability in npm package iter-server
CVE-2017-16096 Vulnerability in npm package serveryaozeyan
CVE-2022-45143 Vulnerability in maven package org.apache.tomcat:tomcat-util
CVE-2020-2185 Vulnerability in maven package org.jenkins-ci.plugins:ec2