Description

HTTPServerILServlet.java in JMS over HTTP Invocation Layer of the JbossMQ implementation, which is enabled by default in Red Hat Jboss Application Server <= Jboss 4.X does not restrict the classes for which it performs deserialization, which allows remote attackers to execute arbitrary code via crafted serialized data.

Remediation

References

CVE-2017-7504

Related Vulnerabilities

WordPress Plugin Gravity Forms Dynamics CRM Cross-Site Scripting (1.0.7)

WordPress Plugin PowerPress Podcasting by Blubrry Arbitrary File Upload (8.3.7)

WordPress Plugin Backup Migration Cross-Site Scripting (1.1.5)

Oracle JRE CVE-2012-0547 Vulnerability (CVE-2012-0547)

WordPress 5.1.x Multiple Vulnerabilities (5.1 - 5.1.8)

Severity

Critical

Classification

CVE-2017-7504 CWE-502 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities