Description

The Java implementation of AMF3 deserializers used by WebORB for Java by Midnight Coders, version 5.1.1.0, allows external entity references (XXEs) from XML documents embedded within AMF3 messages. If the XML parsing is handled incorrectly it could potentially expose sensitive data on the server, denial of service, or server side request forgery.

Remediation

References

http://www.securityfocus.com/bid/97384

http://www.securityweek.com/flaws-java-amf-libraries-allow-remote-code-execution

https://codewhitesec.blogspot.com/2017/04/amf.html

https://www.kb.cert.org/vuls/id/307983

Related Vulnerabilities

CVE-2019-1003045 Vulnerability in maven package de.eacg:ecs-publisher

CVE-2020-8127 Vulnerability in npm package reveal.js

CVE-2020-2259 Vulnerability in maven package org.jenkins-ci.plugins:computer-queue-plugin

CVE-2022-24433 Vulnerability in npm package simple-git

CVE-2020-7637 Vulnerability in npm package class-transformer

Severity

Critical

Classification

CWE-611 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Third Party Advisory VDB Entry Exploit US Government Resource