Executive Summary
Summary | |
---|---|
Title | Action Message Format (AMF3) Java implementations are vulnerable to insecure deserialization and XML external entities references |
Informations | |||
---|---|---|---|
Name | VU#307983 | First vendor Publication | 2017-04-04 |
Vendor | VU-CERT | Last vendor Modification | 2017-04-14 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 7.5 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Vulnerability Note VU#307983Action Message Format (AMF3) Java implementations are vulnerable to insecure deserialization and XML external entities referencesOverviewSeveral Java implementations of AMF3 are vulnerable to insecure deserialization and XML external entities references. Description
Impact
Solution
Vendor Information (Learn More)
CVSS Metrics (Learn More)
References
CreditThanks to Markus Wulftange for reporting this vulnerability. This document was written by Garret Wassermann. Other Information
FeedbackIf you have feedback, comments, or additional information about this vulnerability, please send us email. |
Original Source
Url : http://www.kb.cert.org/vuls/id/307983 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
73 % | CWE-502 | Deserialization of Untrusted Data |
18 % | CWE-611 | Information Leak Through XML External Entity File Disclosure |
9 % | CWE-200 | Information Exposure |
CPE : Common Platform Enumeration
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2015-09-03 | IAVM : 2015-A-0205 - Adobe Cold Fusion Information Disclosure Vulnerability Severity : Category I - VMSKEY : V0061363 |
2015-08-20 | IAVM : 2015-B-0102 - Adobe LiveCycle Data Services Information Disclosure Vulnerability Severity : Category I - VMSKEY : V0061331 |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2017-05-16 | Name : The remote web server hosts a web application that is affected by multiple vu... File : jira_6_3.nasl - Type : ACT_GATHER_INFO |
2017-04-19 | Name : A virtualization appliance installed on the remote host is affected by a remo... File : vmware_vcenter_server_appliance_vmsa-2017-0007.nasl - Type : ACT_GATHER_INFO |
2017-04-19 | Name : A virtualization management application installed on the remote host is affec... File : vmware_vcenter_vmsa-2017-0007.nasl - Type : ACT_GATHER_INFO |
2016-03-09 | Name : The remote host is affected by an external entity injection vulnerability. File : hp_operations_manager_i_hpsbgn03550.nasl - Type : ACT_GATHER_INFO |
2015-12-22 | Name : The remote host has a virtualization management application installed that is... File : vmware_vcenter_vmsa-2015-0008.nasl - Type : ACT_GATHER_INFO |
2015-09-03 | Name : A web-based application running on the remote Windows host is affected by an ... File : coldfusion_win_apsb15-21.nasl - Type : ACT_GATHER_INFO |
2015-04-13 | Name : The remote Windows host has an application installed that is affected by mult... File : vmware_horizon_view_VMSA-2015-0003.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2018-06-11 21:21:56 |
|
2017-12-28 21:23:46 |
|
2017-05-17 13:22:24 |
|
2017-04-20 13:24:14 |
|
2017-04-15 09:25:30 |
|
2017-04-14 17:22:55 |
|
2017-04-10 21:26:10 |
|
2017-04-07 21:22:34 |
|
2017-04-07 17:23:27 |
|
2017-04-06 21:18:47 |
|
2017-04-04 21:22:47 |
|