24 matches found
EUVD-2015-3321
Malicious code in bioql PyPI...
GHSA-W8V7-PRHW-XJPW Apache Flex BlazeDS unsafe deserialization
Previous versions of Apache Flex BlazeDS 4.7.2 and earlier did not restrict which types were allowed for AMFX object deserialization by default. During the deserialization process code is executed that for several known types has undesired side-effects. Other, unknown types may also exhibit such...
Apache Flex BlazeDS unsafe deserialization
Previous versions of Apache Flex BlazeDS 4.7.2 and earlier did not restrict which types were allowed for AMFX object deserialization by default. During the deserialization process code is executed that for several known types has undesired side-effects. Other, unknown types may also exhibit such...
The vulnerability of the Apache Flex BlazeDS component, a software tool for managing devices in OnCell Central Manager networks, allows a malicious individual to view the content of any file on the server or perform network scanning of both internal and external infrastructure.
The vulnerability of the Apache Flex BlazeDS component, a software tool for managing devices in OnCell Central Manager networks, is related to the lack of protection for operational data. Exploiting this vulnerability allows an attacker to remotely access and view the content of any file on the...
The vulnerability of the Apache Flex BlazeDS component, a software tool for managing devices in OnCell Central Manager networks, allows a hacker to execute arbitrary code.
The vulnerability of the Apache Flex BlazeDS component, a software tool for managing devices in OnCell Central Manager networks, is related to deficiencies in the deserialization mechanism. Exploiting this vulnerability allows an attacker operating remotely to execute arbitrary code...
U.S. Dept Of Defense: [HTAF4-213] [Pre-submission] Unsafe AMF deserialization (CVE-2017-5641) in Apache Flex BlazeDS at the https://www.███████/daip/messagebroker/amf
The vulnerability was an unsafe AMF (Action Message Format) deserialization issue in Apache Flex BlazeDS, affecting the /daip/messagebroker/amf endpoint. Successful exploitation could allow an attacker to trigger a DNS lookup by sending a crafted AMF payload. The vulnerability was identified and...
Deserialization of untrusted data
Previous versions of Apache Flex BlazeDS 4.7.2 and earlier did not restrict which types were allowed for AMFX object deserialization by default. During the deserialization process code is executed that for several known types has undesired side-effects. Other, unknown types may also exhibit such...
CVE-2017-5641
Previous versions of Apache Flex BlazeDS 4.7.2 and earlier did not restrict which types were allowed for AMFX object deserialization by default. During the deserialization process code is executed that for several known types has undesired side-effects. Other, unknown types may also exhibit such...
CVE-2017-5641
CVE-2017-5641 is an insecure-deserialization issue in Apache Flex BlazeDS (AMF3) affecting BlazeDS
CVE-2017-5641
Previous versions of Apache Flex BlazeDS 4.7.2 and earlier did not restrict which types were allowed for AMFX object deserialization by default. During the deserialization process code is executed that for several known types has undesired side-effects. Other, unknown types may also exhibit such...
Java AMF3 deserialization vulnerability analysis-vulnerability warning-the black bar safety net
AMF (Action Message Format) is a binary serialization format that was previously used mainly by Flash applications. Recently, Code White found that multiple Java AMF libraries contain vulnerabilities, and these vulnerabilities can lead to unauthenticated remote code execution...
AMF3 Java implementations Improper Control of Dynamically-Managed Code Resources
Detailed reference: https://codewhitesec.blogspot.kr/2017/04/amf.html Some Java implementations of AMF3 deserializers may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this...
AMF3 Java implementations Improper Restriction of XML External Entity Reference ('XXE')
Detailed analysis reference: https://codewhitesec.blogspot.kr/2017/04/amf.html Some Java implementations of AMF3 deserializers allow external entity references (XXEs) from XML documents embedded within AMF3 messages. If the XML parsing is handled incorrectly it could potentially expose...
Action Message Format (AMF3) Java implementations are vulnerable to insecure deserialization and XML external entities references
Overview: Several Java implementations of AMF3 are vulnerable to insecure deserialization and XML external entities references. Description: Several Java implementations of Action Message Format (AMF3) are vulnerable to one or more of the following implementation errors: CWE-502: Deserialization of...
HP Operations Manager i Apache Flex BlazeDS External Entity Injection Vulnerability
The remote HP Operations Manager i host is affected by an XML external entity (XXE) vulnerability in the bundled version of Apache Flex BlazeDS due to an incorrectly configured XML parser accepting XML external entities from an untrusted source. A remote attacker can exploit this, via a specially...
Apache Flex BlazeDS 4.7.1 SSRF
CVE-2015-5255: SSRF vulnerability in Apache Flex BlazeDS 4.7.1. Severity: Important. Vendor: The Apache Software Foundation. Versions Affected: BlazeDS 4.7.0 and 4.7.1. Description: The code in BlazeDS to deserialize AMF XML datatypes allows so-called SSRF attacks (Server Side Request Forgery) in which...
VMware Patches Pesky XXE Bug in Flex BlazeDS
VMware has patched an information disclosure vulnerability affecting a number of its products that use Flex BlazeDS. The original vulnerability was discovered and disclosed in August by Matthias Kaiser of Code White GmbH. Researchers there found an XML External Entity flaw in Apache Flex BlazeDS...
VMware product updates address information disclosure issue.
a. vCenter Server, vCloud Director, Horizon View information disclosure issue. VMware products that use Flex BlazeDS may be affected by a flaw in the processing of XML External Entity (XXE) requests. A specially crafted XML request sent to the server could lead to unintended information being disclosed...
VMSA-2015-0008: VMware product updates address information disclosure issue.
VMSA-2015-0008.2 VMware product updates address information disclosure issue. VMware Security Advisory. Advisory ID: VMSA-2015-0008.2. Synopsis: VMware product updates address information disclosure issue. Issue date: 2015-11-1...
XXE
Apache Flex BlazeDS, as used in flex-messaging-core.jar in Adobe LiveCycle Data Services LCDS 3.0.x before 3.0.0.354170, 4.5 before 4.5.1.354169, 4.6.2 before 4.6.2.354169, and 4.7 before 4.7.0.354169 and other products, allows remote attackers to read arbitrary files via an AMF message containin...