4 matches found
com.actiontestscript:ats-automated-testing (>=1.1.1 <=1.7.8), com.actiontestscript:automated-testing (=1.1.1) +1 more potentially affected by CVE-2017-3202 via com.exadel.flamingo.flex:amf-serializer (=1.5.0)
com.exadel.flamingo.flex:amf-serializer MAVEN version =1.5.0 is affected by a known vulnerability. The following packages have a transitive dependency on com.exadel.flamingo.flex:amf-serializer and may be impacted: - com.actiontestscript:ats-automated-testing =1.1.1, =1.7.8 -...
CVE-2017-3202
The CVE-2017-3202 entry concerns Flamingo amf-serializer (Exadel) 2.2.0, whose AMF3 deserializers may instantiate arbitrary classes via a public no-argument constructor and then invoke Java Beans setters. Exploitation requires that attacker-controlled or spoofable data reach the serdes path and t...
CVE-2017-3202 The implementation of Action Message Format (AMF3) deserializers in Flamingo amf-serializer by Exadel, version 2.2.0, may allow instantiation of arbitrary classes due to improper code control
The Java implementation of AMF3 deserializers used in Flamingo amf-serializer by Exadel, version 2.2.0, may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this vulnerability...
AMF3 Java implementations Improper Control of Dynamically-Managed Code Resources
Details reference: https://codewhitesec.blogspot.kr/2017/04/amf.html Some Java implementations of AMF3 deserializers may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this...