Description

The Java implementation of AMF3 deserializers used by WebORB for Java by Midnight Coders, version 5.1.1.0, allows external entity references (XXEs) from XML documents embedded within AMF3 messages. If the XML parsing is handled incorrectly it could potentially expose sensitive data on the server, denial of service, or server side request forgery.

Remediation

References

http://www.securityfocus.com/bid/97384

http://www.securityweek.com/flaws-java-amf-libraries-allow-remote-code-execution

https://codewhitesec.blogspot.com/2017/04/amf.html

https://www.kb.cert.org/vuls/id/307983

Related Vulnerabilities

CVE-2012-0392 Vulnerability in maven package org.apache.struts.xwork:xwork-core

CVE-2022-25900 Vulnerability in npm package git-clone

CVE-2022-31151 Vulnerability in maven package org.webjars.npm:undici

CVE-2020-26302 Vulnerability in npm package is_js

CVE-2014-9970 Vulnerability in maven package org.jasypt:jasypt

Severity

Critical

Classification

CWE-611 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Third Party Advisory VDB Entry Exploit US Government Resource