GHSA-8m35-r25c-qr56
Suggest an improvement- Source
- https://github.com/advisories/GHSA-8m35-r25c-qr56
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-8m35-r25c-qr56/GHSA-8m35-r25c-qr56.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-8m35-r25c-qr56
- Aliases
-
- CVE-2017-3199
- Published
- 2022-05-13T01:28:41Z
- Modified
- 2024-02-16T08:20:23.643690Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- GraniteDS Insecure Deserialization
- Details
-
The Java implementation of GraniteDS, version 3.1.1.GA, AMF3 deserializers derives class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. A remote attacker with the ability to spoof or control an RMI server connection may be able to send serialized Java objects that execute arbitrary code when deserialized.
- Database specific
{ "github_reviewed": true, "cwe_ids": [ "CWE-502" ], "github_reviewed_at": "2023-07-25T23:03:24Z", "nvd_published_at": "2018-06-11T17:29:00Z", "severity": "HIGH" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2017-3199
- https://codewhitesec.blogspot.com/2017/04/amf.html
- https://github.com/graniteds/graniteds
- https://web.archive.org/web/20210124021547/http://www.securityfocus.com/bid/97382
- https://www.kb.cert.org/vuls/id/307983
- http://www.securityweek.com/flaws-java-amf-libraries-allow-remote-code-execution
Affected packages
Maven / org.graniteds:granite-core
Package
- Name
- org.graniteds:granite-core
- View open source insights on deps.dev
- Purl
- pkg:maven/org.graniteds/granite-core