CVE-2017-3206

The Action Message Format (AMF3) deserializers used by Flamingo amf-serializer by Exadel, version 2.2.0, allows external entity references (XXEs) from XML documents embedded within AMF3 messages

EPSS 3.7%CWE-611

Vexday Risk Score

3Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS —EPSS 3.7%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

11 jun 2018Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

The Java implementation of AMF3 deserializers used by Flamingo amf-serializer by Exadel, version 2.2.0, allows external entity references (XXEs) from XML documents embedded within AMF3 messages. If the XML parsing is handled incorrectly it could potentially expose sensitive data on the server, denial of service, or server side request forgery.

Productos afectados

Exadel · Flamingo amf-serializer

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://codewhitesec.blogspot.com/2017/04/amf.html https://www.kb.cert.org/vuls/id/307983 http://www.securityfocus.com/bid/97380 http://www.securityweek.com/flaws-java-amf-libraries-allow-remote-code-execution