
23 matches found

Github Security Blog
added 2022/05/13 1:28 a.m., 27 views

GraniteDS Insecure Deserialization

The Java implementation of GraniteDS, version 3.1.1.GA, AMF3 deserializers derives class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. A remote attacker with the ability to spoof or control an RMI server connection may be...

CVSS 8.1, AI score 7.8, EPSS 0.13846
Exploits: 2, References: 6, Affected Software: 1

Github Security Blog
added 2022/05/13 1:28 a.m., 33 views

GraniteDS Insecure Deserialization

The Java implementation of AMF3 deserializers used in GraniteDS, version 3.1.1.GA, may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this vulnerability depends on the...

CVSS 8.1, AI score 9.3, EPSS 0.1373
Exploits: 2, References: 6, Affected Software: 1

OSV
added 2022/05/13 1:28 a.m., 15 views

GHSA-8M35-R25C-QR56 GraniteDS Insecure Deserialization

The Java implementation of GraniteDS, version 3.1.1.GA, AMF3 deserializers derives class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. A remote attacker with the ability to spoof or control an RMI server connection may be...

CVSS 8.1, AI score 8.2, EPSS 0.13846
Exploits: 2, References: 6

OSV
added 2022/05/13 1:28 a.m., 24 views

GHSA-VX9J-RVMJ-JC32 GraniteDS Insecure Deserialization

The Java implementation of AMF3 deserializers used in GraniteDS, version 3.1.1.GA, may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this vulnerability depends on the...

CVSS 8.1, AI score 8.2, EPSS 0.1373
Exploits: 2, References: 6

Veracode
added 2019/03/12 2:7 a.m., 24 views

Arbitrary Code Execution

GraniteDS is vulnerable to arbitrary code execution. It fails to prevent instantiation of untrusted objects via public parameter-less constructors and calls to arbitrary Java Beans setter methods, thereby allowing an attacker to send malicious Java objects with pre-set properties, leading to arbitra...

CVSS 8.1, AI score 8.9, EPSS 0.1373
Exploits: 2, References: 5, Affected Software: 1

OSV
added 2018/06/11 5:29 p.m., 2 views

CVE-2017-3200

The Java implementation of AMF3 deserializers used in GraniteDS, version 3.1.1.G, may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this vulnerability depends on the availabili...

CVSS 8.1, AI score 6.3, EPSS 0.1373
Exploits: 2, References: 4

OSV
added 2018/06/11 5:29 p.m., 2 views

CVE-2017-3199

The Java implementation of GraniteDS, version 3.1.1.GA, AMF3 deserializers derives class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. A remote attacker with the ability to spoof or control an RMI server connection may be...

CVSS 8.1, AI score 6, EPSS 0.13846
Exploits: 2, References: 4

Prion
added 2018/06/11 5:29 p.m., 18 views

Design/Logic Flaw

The Java implementation of GraniteDS, version 3.1.1.GA, AMF3 deserializers derives class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. A remote attacker with the ability to spoof or control an RMI server connection may be...

CVSS 6.8, AI score 8.7, EPSS 0.13846
Exploits: 2, References: 4, Affected Software: 1

NVD
added 2018/06/11 5:29 p.m., 20 views

CVE-2017-3200

The Java implementation of AMF3 deserializers used in GraniteDS, version 3.1.1.G, may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this vulnerability depends on the availabili...

CVSS 8.1, AI score 8.2, EPSS 0.1373
Exploits: 2, References: 4

NVD
added 2018/06/11 5:29 p.m., 17 views

CVE-2017-3199

The Java implementation of GraniteDS, version 3.1.1.GA, AMF3 deserializers derives class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. A remote attacker with the ability to spoof or control an RMI server connection may be...

CVSS 8.1, AI score 8.3, EPSS 0.13846
Exploits: 2, References: 4

Prion
added 2018/06/11 5:29 p.m., 17 views

Deserialization of untrusted data

The Java implementation of AMF3 deserializers used in GraniteDS, version 3.1.1.G, may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this vulnerability depends on the availabili...

CVSS 6.8, AI score 8.6, EPSS 0.1373
Exploits: 2, References: 4, Affected Software: 1

CVE
added 2018/06/11 5:0 p.m., 63 views

CVE-2017-3199

Insight: CVE-2017-3199 affects GraniteDS 3.1.1.GA, where AMF3 deserializers instantiate classes via java.io.Externalizable instead of the AMF3-recommended flash.utils.IExternalizable. This insecure deserialization could allow a remote attacker with RMI-control over a server connection to deliver ...

CVSS 8.1, AI score 8.2, EPSS 0.13846
Exploits: 2, References: 4, Affected Software: 1

Cvelist
added 2018/06/11 5:0 p.m., 20 views

CVE-2017-3200 The implementation of Action Message Format (AMF3) deserializers in GraniteDS, version 3.1.1.GA, may allow instantiation of arbitrary classes due to improper code control

The Java implementation of AMF3 deserializers used in GraniteDS, version 3.1.1.G, may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this vulnerability depends on the availabili...

AI score 8.2, EPSS 0.1373
Exploits: 2, References: 4

Cvelist
added 2018/06/11 5:0 p.m., 19 views

CVE-2017-3199 GraniteDS, version 3.1.1.GA, Action Message Format (AMF3) Java implementation is vulnerable to insecure deserialization

The Java implementation of GraniteDS, version 3.1.1.GA, AMF3 deserializers derives class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. A remote attacker with the ability to spoof or control an RMI server connection may be...

AI score 8.3, EPSS 0.13846
Exploits: 2, References: 4

CVE
added 2018/06/11 5:0 p.m., 63 views

CVE-2017-3200

CVE-2017-3200 concerns GraniteDS’s AMF3 deserializers. The Java AMF3 implementation in GraniteDS 3.1.1.GA can instantiate arbitrary classes via public no-arg constructors and invoke JavaBeans setters during deserialization, enabling remote attackers to execute arbitrary code if affected classes a...

CVSS 8.1, AI score 8.2, EPSS 0.1373
Exploits: 2, References: 4, Affected Software: 1

CNVD
added 2017/05/24 12:0 a.m., 2 views

GraniteDS Remote Code Execution Vulnerability

GraniteDS Granite Data Service is a set of open source for building Flex/Java EE RIA applications. A remote code execution vulnerability exists in GraniteDS version 3.1.1.GA. A remote attacker could exploit this vulnerability to execute arbitrary code in the context of an affected application...

CVSS 8.1, AI score 8.4, EPSS 0.13846
Exploits: 2, References: 1

CNVD
added 2017/05/24 12:0 a.m., 2 views

GraniteDS Remote Code Execution Vulnerability (CNVD-2017-10830)

GraniteDS Granite Data Service is a set of open source for building Flex/Java EE RIA applications. A remote code execution vulnerability exists in GraniteDS version 3.1.1.GA. A remote attacker could exploit this vulnerability to execute arbitrary code in the context of an affected application...

CVSS 8.1, AI score 8.4, EPSS 0.1373
Exploits: 2, References: 1

seebug.org
added 2017/04/06 12:0 a.m., 58 views

AMF3 Java implementations Improper Control of Dynamically-Managed Code Resources

Details reference: https://codewhitesec.blogspot.kr/2017/04/amf.html Some Java implementations of AMF3 deserializers may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this...

AI score 9.5, EPSS 0.48477
Exploits: 6

seebug.org
added 2017/04/06 12:0 a.m., 74 views

AMF3 Java implementations deserialization Vulnerability

Details reference: https://codewhitesec.blogspot.kr/2017/04/amf.html Some Java implementations of AMF3 deserializers derive class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. A remote attacker with the ability to...

CVSS 7.5, AI score 9.6, EPSS 0.13846
Exploits: 5

seebug.org
added 2017/04/06 12:0 a.m., 57 views

AMF3 Java implementations Improper Restriction of XML External Entity Reference ('XXE')

Detailed analysis reference: https://codewhitesec.blogspot.kr/2017/04/amf.html Some Java implementations of AMF3 deserializers allow external entity references (XXEs) from XML documents embedded within AMF3 messages. If the XML parsing is handled incorrectly it could potentially expose...

CVSS 5.5, AI score 7.5, EPSS 0.13331
Exploits: 4