Description
The AMF unmarshallers in Red5 Media Server before 1.0.8 do not restrict the classes for which it performs deserialization, which allows remote attackers to execute arbitrary code via crafted serialized Java data.
Remediation
References
http://www.openwall.com/lists/oss-security/2017/05/22/2
https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true
Related Vulnerabilities
CVE-2021-43466 Vulnerability in maven package org.thymeleaf:thymeleaf-spring5
CVE-2021-23353 Vulnerability in maven package org.webjars.bower:jspdf
CVE-2019-10363 Vulnerability in maven package io.jenkins:configuration-as-code
CVE-2023-31206 Vulnerability in maven package org.apache.inlong:manager-test
CVE-2022-34662 Vulnerability in maven package org.apache.dolphinscheduler:dolphinscheduler-api