CVE-2017-3200

CVE-2017-3200: The implementation of Action Message Format (AMF3) deserializers in GraniteDS, version 3.1.1.GA, may allow instantiation of arbitrary classes due to improper code control

Vendor Graniteds
Product Framework
Weakness CWE-913
Published June 11, 2018
Last update August 5, 2024

Description

The Java implementation of AMF3 deserializers used in GraniteDS, version 3.1.1.G, may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this vulnerability depends on the availability of classes in the class path that make use of deserialization. A remote attacker with the ability to spoof or control information may be able to send serialized Java objects with pre-set properties that result in arbitrary code execution when deserialized.
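The pattern the description names (look up a class by the name carried in the serialized stream, instantiate it through its public no-argument constructor, then drive its bean setters from attacker-supplied properties) is what CWE-913 covers here. The following is an added illustration, not GraniteDS code: a hypothetical minimal bean materializer with the unsafe path beside a hardened one that checks an allowlist before any class is loaded. The `Greeting` bean, the allowlist contents and the `java.util.ArrayList` probe are constructed for the example.

```java
import java.beans.BeanInfo;
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.lang.reflect.Method;
import java.util.Map;
import java.util.Set;

/** Hypothetical bean materializer showing the CWE-913 pattern and its allowlist fix. */
public final class BeanMaterializer {

    /** Constructed sample DTO standing in for an application's legitimate transfer object. */
    public static final class Greeting {
        private String text;
        public String getText() { return text; }
        public void setText(String text) { this.text = text; }
    }

    // Constructed allowlist: the only class names untrusted input may name.
    private static final Set<String> ALLOWED = Set.of(Greeting.class.getName());

    /** Unsafe: instantiates whatever class the wire names and calls its setters. */
    static Object materializeUnsafe(String className, Map<String, Object> props) throws Exception {
        Class<?> cls = Class.forName(className);            // attacker chooses the class
        Object bean = cls.getConstructor().newInstance();    // its constructor already runs here
        applySetters(bean, props);                           // then attacker-chosen setters run
        return bean;
    }

    /** Hardened: the allowlist check happens before Class.forName, so no untrusted code runs. */
    static Object materializeChecked(String className, Map<String, Object> props) throws Exception {
        if (!ALLOWED.contains(className)) {
            throw new SecurityException("class not allowlisted for deserialization: " + className);
        }
        return materializeUnsafe(className, props);
    }

    /** Applies each supplied property through the bean's public setter, if one exists. */
    private static void applySetters(Object bean, Map<String, Object> props) throws Exception {
        BeanInfo info = Introspector.getBeanInfo(bean.getClass(), Object.class);
        for (PropertyDescriptor pd : info.getPropertyDescriptors()) {
            Method setter = pd.getWriteMethod();
            if (setter != null && props.containsKey(pd.getName())) {
                setter.invoke(bean, props.get(pd.getName()));
            }
        }
    }

    public static void main(String[] args) throws Exception {
        Map<String, Object> props = Map.of("text", "hello");

        // Legitimate DTO: accepted by both paths.
        Greeting g = (Greeting) materializeChecked(Greeting.class.getName(), props);
        System.out.println("checked path materialized Greeting with text=" + g.getText());

        // A class name the application never intended to accept (benign probe for the demo).
        String probe = "java.util.ArrayList";
        Object o = materializeUnsafe(probe, Map.of());
        System.out.println("unsafe path instantiated " + o.getClass().getName());
        try {
            materializeChecked(probe, Map.of());
        } catch (SecurityException e) {
            System.out.println("checked path refused: " + e.getMessage());
        }
    }
}
```

The design point is where the check sits: it has to run on the class name before `Class.forName` and the constructor call, because instantiating a class already executes its constructor and static initializers, and a denylist of known-bad gadget classes is only ever as complete as the last class path audit. On the detection side, a deserializer that logs and counts refused class names gives a cheap signal that someone is probing an AMF endpoint.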

Disclosure timeline

June 11, 2018 CVE published
August 5, 2024 Record updated