Description

The Java implementation of AMF3 deserializers used by WebORB for Java by Midnight Coders, version 5.1.1.0, allows external entity references (XXEs) from XML documents embedded within AMF3 messages. If the XML parsing is handled incorrectly it could potentially expose sensitive data on the server, denial of service, or server side request forgery.

Remediation

References

http://www.securityfocus.com/bid/97384

http://www.securityweek.com/flaws-java-amf-libraries-allow-remote-code-execution

https://codewhitesec.blogspot.com/2017/04/amf.html

https://www.kb.cert.org/vuls/id/307983

Related Vulnerabilities

CVE-2019-3773 Vulnerability in maven package org.springframework.ws:spring-ws-core

CVE-2012-3451 Vulnerability in maven package org.apache.cxf:cxf-api

CVE-2017-12626 Vulnerability in maven package org.apache.poi:poi-scratchpad

CVE-2022-1243 Vulnerability in maven package org.webjars.npm:urijs

CVE-2014-0073 Vulnerability in npm package cordova-plugin-inappbrowser

Severity

Critical

Classification

CWE-611 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Third Party Advisory VDB Entry Exploit US Government Resource