21 matches found

Github Security Blog
added 2022/05/13 1:36 a.m., 26 views

Deserialization of Untrusted Data in Flamingo amf-serializer

The Java implementation of AMF3 deserializers used in Flamingo amf-serializer by Exadel, version 2.2.0, may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this vulnerability...

CVSS 9.8, AI score 7.8, EPSS 0.10592
Exploits: 2, References: 4, Affected software: 1

OSV
added 2022/05/13 1:36 a.m., 27 views

GHSA-J88V-Q3VW-P9VR Deserialization of Untrusted Data in Flamingo amf-serializer

The Java implementation of AMF3 deserializers used in Flamingo amf-serializer by Exadel, version 2.2.0, may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this vulnerability...

CVSS 9.8, AI score 9, EPSS 0.10592
Exploits: 2, References: 3

NVD
added 2018/06/11 5:29 p.m., 18 views

CVE-2017-3201

The Java implementation of AMF3 deserializers used in Flamingo amf-serializer by Exadel, version 2.2.0 derives class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. A remote attacker with the ability to spoof or control an...

CVSS 8.1, AI score 8.2, EPSS 0.07505
Exploits: 2, References: 4

NVD
added 2018/06/11 5:29 p.m., 17 views

CVE-2017-3202

The Java implementation of AMF3 deserializers used in Flamingo amf-serializer by Exadel, version 2.2.0, may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this vulnerability...

CVSS 9.8, AI score 9.5, EPSS 0.10592
Exploits: 2, References: 4

OSV
added 2018/06/11 5:29 p.m., 1 view

CVE-2017-3206

The Java implementation of AMF3 deserializers used by Flamingo amf-serializer by Exadel, version 2.2.0, allows external entity references (XXEs) from XML documents embedded within AMF3 messages. If the XML parsing is handled incorrectly it could potentially expose sensitive data on the server, deni...

CVSS 9.8, AI score 5.8
Exploits: 0, References: 4

Prion
added 2018/06/11 5:29 p.m., 19 views

Deserialization of untrusted data

The Java implementation of AMF3 deserializers used in Flamingo amf-serializer by Exadel, version 2.2.0, may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this vulnerability...

CVSS 7.5, AI score 9.5, EPSS 0.10592
Exploits: 2, References: 4, Affected software: 1

Prion
added 2018/06/11 5:29 p.m., 20 views

Server-side request forgery (SSRF)

The Java implementation of AMF3 deserializers used by Flamingo amf-serializer by Exadel, version 2.2.0, allows external entity references (XXEs) from XML documents embedded within AMF3 messages. If the XML parsing is handled incorrectly it could potentially expose sensitive data on the server, deni...

CVSS 7.5, AI score 9.5, EPSS 0.01456
Exploits: 2, References: 4, Affected software: 1

OSV
added 2018/06/11 5:29 p.m., 2 views

CVE-2017-3201

The Java implementation of AMF3 deserializers used in Flamingo amf-serializer by Exadel, version 2.2.0 derives class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. A remote attacker with the ability to spoof or control an...

CVSS 8.1, AI score 6
Exploits: 0, References: 4

Cvelist
added 2018/06/11 5:00 p.m., 19 views

CVE-2017-3206 The Action Message Format (AMF3) deserializers used by Flamingo amf-serializer by Exadel, version 2.2.0, allows external entity references (XXEs) from XML documents embedded within AMF3 messages

The Java implementation of AMF3 deserializers used by Flamingo amf-serializer by Exadel, version 2.2.0, allows external entity references (XXEs) from XML documents embedded within AMF3 messages. If the XML parsing is handled incorrectly it could potentially expose sensitive data on the server, deni...

AI score 9.5, EPSS 0.01456
Exploits: 2, References: 4

Cvelist
added 2018/06/11 5:00 p.m., 18 views

CVE-2017-3202 The implementation of Action Message Format (AMF3) deserializers in Flamingo amf-serializer by Exadel, version 2.2.0, may allow instantiation of arbitrary classes due to improper code control

The Java implementation of AMF3 deserializers used in Flamingo amf-serializer by Exadel, version 2.2.0, may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this vulnerability...

AI score 9.6, EPSS 0.10592
Exploits: 2, References: 4

CVE
added 2018/06/11 5:00 p.m., 49 views

CVE-2017-3206

CVE-2017-3206 affects Flamingo amf-serializer (Exadel) AMF3 deserializers; version 2.2.0 is vulnerable to XML External Entity (XXE) references from XML in AMF3 messages, potentially exposing data, causing DoS, or enabling SSRF. Remediation: apply an update to a newer version where XXE is addresse...

CVSS 9.8, AI score 9.5, EPSS 0.01456
Exploits: 2, References: 4, Affected software: 1

CVE
added 2018/06/11 5:00 p.m., 51 views

CVE-2017-3202

The CVE-2017-3202 entry concerns Flamingo amf-serializer (Exadel) 2.2.0, whose AMF3 deserializers may instantiate arbitrary classes via a public no-argument constructor and then invoke Java Beans setters. Exploitation requires that attacker-controlled or spoofable data reach the serdes path and t...

CVSS 9.8, AI score 9.5, EPSS 0.10592
Exploits: 2, References: 4, Affected software: 1

CVE
added 2018/06/11 5:00 p.m., 47 views

CVE-2017-3201

CVE-2017-3201 affects Flamingo amf-serializer by Exadel, version 2.2.0. The AMF3 deserializer derives class instances from java.io.Externalizable instead of flash.utils.IExternalizable, enabling a remote attacker who can spoof/control an RMI server to send serialized Java objects that execute arb...

CVSS 8.1, AI score 8.2, EPSS 0.07505
Exploits: 2, References: 4, Affected software: 1

Cvelist
added 2018/06/11 5:00 p.m., 21 views

CVE-2017-3201 Flamingo amf-serializer by Exadel, version 2.2.0, Action Message Format (AMF3) Java implementation is vulnerable to insecure deserialization

The Java implementation of AMF3 deserializers used in Flamingo amf-serializer by Exadel, version 2.2.0 derives class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. A remote attacker with the ability to spoof or control an...

AI score 8.7, EPSS 0.07505
Exploits: 2, References: 4

CNVD
added 2017/05/24 12:00 a.m., 1 view

Exadel Flamingo Remote Code Execution Vulnerability (CNVD-2017-10732)

Exadel Flamingo is a set of tools for bootstrapping RIA applications built with a Java backend. A remote code execution vulnerability exists in Exadel Flamingo version 2.2.0. A remote attacker could exploit this vulnerability to execute arbitrary code in the context of an affected application...

CVSS 9.8, AI score 8.4, EPSS 0.10592
Exploits: 2, References: 1

CNVD
added 2017/05/24 12:00 a.m., 1 view

Exadel Flamingo Remote Code Execution Vulnerability

Exadel Flamingo is a set of tools for bootstrapping RIA applications built with a Java backend. A remote code execution vulnerability exists in Exadel Flamingo version 2.2.0. A remote attacker could exploit this vulnerability to execute arbitrary code in the context of an affected application...

CVSS 8.1, AI score 8.4, EPSS 0.07505
Exploits: 2, References: 1

CNVD
added 2017/05/24 12:00 a.m., 1 view

Exadel Flamingo XML External Entity Injection Vulnerability

Exadel Flamingo is a set of tools for bootstrapping RIA applications built with a Java backend. An XML external entity injection vulnerability exists in Exadel Flamingo version 2.2.0. An attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service...

CVSS 9.8, AI score 7.2, EPSS 0.01456
Exploits: 2, References: 1

seebug.org
added 2017/04/06 12:00 a.m., 56 views

AMF3 Java implementations Improper Control of Dynamically-Managed Code Resources

Details reference: https://codewhitesec.blogspot.kr/2017/04/amf.html Some Java implementations of AMF3 deserializers may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this...

AI score 9.5, EPSS 0.48477
Exploits: 6

seebug.org
added 2017/04/06 12:00 a.m., 53 views

AMF3 Java implementations Improper Restriction of XML External Entity Reference ('XXE')

A detailed analysis of the reference: https://codewhitesec.blogspot.kr/2017/04/amf.html Some Java implementations of AMF3 deserializers allow external entity references (XXEs) from XML documents embedded within AMF3 messages. If the XML parsing is handled incorrectly it could potentially expose...

CVSS 5.5, AI score 7.5, EPSS 0.13331
Exploits: 4

seebug.org
added 2017/04/06 12:00 a.m., 74 views

AMF3 Java implementations deserialization Vulnerability

Details reference: https://codewhitesec.blogspot.kr/2017/04/amf.html Some Java implementations of AMF3 deserializers derive class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. A remote attacker with the ability to...

CVSS 7.5, AI score 9.6, EPSS 0.13846
Exploits: 5