Description
The Java implementation of AMF3 deserializers used by WebORB for Java by Midnight Coders, version 5.1.1.0, allows external entity references (XXEs) from XML documents embedded within AMF3 messages. If the XML parsing is handled incorrectly it could potentially expose sensitive data on the server, denial of service, or server side request forgery.
Remediation
References
http://www.securityfocus.com/bid/97384
http://www.securityweek.com/flaws-java-amf-libraries-allow-remote-code-execution
https://codewhitesec.blogspot.com/2017/04/amf.html
https://www.kb.cert.org/vuls/id/307983
Related Vulnerabilities
CVE-2019-3773 Vulnerability in maven package org.springframework.ws:spring-ws-core
CVE-2012-3451 Vulnerability in maven package org.apache.cxf:cxf-api
CVE-2017-12626 Vulnerability in maven package org.apache.poi:poi-scratchpad
CVE-2022-1243 Vulnerability in maven package org.webjars.npm:urijs
CVE-2014-0073 Vulnerability in npm package cordova-plugin-inappbrowser