CVE-2017-3203
NONE EPSS 92.8%
Published Jun 11, 2018 · Last Modified Jun 17, 2026
Description
The Java implementations of AMF3 deserializers in Pivotal/Spring Spring-flex derive class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. A remote attacker with the ability to spoof or control an RMI server connection may be able to send serialized Java objects that execute arbitrary code when deserialized.
Threat Intelligence
EPSS Exploit Probability
92.8% percentile
Exploit & Patch Status
Public Exploit Known
No Patch Available
Weaknesses 1
CWE-502 Deserialization of Untrusted Data Validation
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| pivotal | spring-flex | * | any |
References 4
- securityweek.com http://www.securityweek.com/flaws-java-amf-libraries-allow-remote-code-execution
- codewhitesec.blogspot.com https://codewhitesec.blogspot.com/2017/04/amf.html
- kb.cert.org https://www.kb.cert.org/vuls/id/307983
- securityfocus.com https://www.securityfocus.com/bid/97376
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.