CVE-2017-3203

NONE · EPSS 92.8%
Published Jun 11, 2018 (8y ago)
Last Modified Jun 17, 2026 (2w ago)

Description

The Java implementations of AMF3 deserializers in Pivotal/Spring Spring-flex derive class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. A remote attacker with the ability to spoof or control an RMI server connection may be able to send serialized Java objects that execute arbitrary code when deserialized.

Threat Intelligence

EPSS Exploit Probability
92.8% percentile
Exploit & Patch Status
Public Exploit Known
No Patch Available

Weaknesses 1

CWE-502 Deserialization of Untrusted Data

Affected Products 1

Vendor    Product      Version Range
pivotal   spring-flex  * (any)

References 4

  • securityweek.com http://www.securityweek.com/flaws-java-amf-libraries-allow-remote-code-execution
    Third Party Advisory
  • codewhitesec.blogspot.com https://codewhitesec.blogspot.com/2017/04/amf.html
    Exploit, Mitigation, Third Party Advisory
  • kb.cert.org https://www.kb.cert.org/vuls/id/307983
    Third Party Advisory, US Government Resource
  • securityfocus.com https://www.securityfocus.com/bid/97376
    Third Party Advisory, VDB Entry

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.