Description
The Java implementation of AMF3 deserializers used by WebORB for Java by Midnight Coders, version 5.1.1.0, allows external entity references (XXEs) from XML documents embedded within AMF3 messages. If the XML parsing is handled incorrectly it could potentially expose sensitive data on the server, denial of service, or server side request forgery.
Remediation
References
http://www.securityfocus.com/bid/97384
http://www.securityweek.com/flaws-java-amf-libraries-allow-remote-code-execution
https://codewhitesec.blogspot.com/2017/04/amf.html
https://www.kb.cert.org/vuls/id/307983
Related Vulnerabilities
CVE-2022-31197 Vulnerability in maven package org.postgresql:postgresql
CVE-2016-10661 Vulnerability in npm package phantomjs-cheniu
CVE-2022-41828 Vulnerability in maven package com.amazon.redshift:redshift-jdbc42
CVE-2022-21192 Vulnerability in npm package serve-lite
CVE-2020-13936 Vulnerability in maven package org.apache.velocity:velocity-engine-core