GHSA-w8v7-prhw-xjpw

Source

https://github.com/advisories/GHSA-w8v7-prhw-xjpw

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-w8v7-prhw-xjpw/GHSA-w8v7-prhw-xjpw.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-w8v7-prhw-xjpw

Aliases

CVE-2017-5641

Published

2022-05-13T01:02:10Z

Modified

2024-02-16T08:00:32.866084Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Apache Flex BlazeDS unsafe deserialization

Details

Previous versions of Apache Flex BlazeDS (4.7.2 and earlier) did not restrict which types were allowed for AMF(X) object deserialization by default. During the deserialization process code is executed that for several known types has undesired side-effects. Other, unknown types may also exhibit such behaviors. One vector in the Java standard library exists that allows an attacker to trigger possibly further exploitable Java deserialization of untrusted data. Other known vectors in third party libraries can be used to trigger remote code execution.

Database specific

{
    "nvd_published_at": "2017-12-28T15:29:00Z",
    "cwe_ids": [
        "CWE-502"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-25T21:59:21Z"
}

References

Affected packages

Maven / org.apache.flex.blazeds:flex-messaging-core

Package

Name: org.apache.flex.blazeds:flex-messaging-core; View open source insights on deps.dev
Purl: pkg:maven/org.apache.flex.blazeds/flex-messaging-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.7.3

Affected versions

4.*

4.7.0

4.7.1

4.7.2

Database specific

{
    "last_known_affected_version_range": "<= 4.7.2"
}

Maven / org.apache.flex.blazeds:flex-messaging-remoting