CVE-2017-3203

CVE-2017-3203: Pivotal/Spring Spring-flex's Action Message Format (AMF3) Java implementation is vulnerable to insecure deserialization

Vendor Pivotal/Spring

Product Spring-flex

Weakness CWE-502 · Unsafe deserialization

Published June 11, 2018

Last update August 5, 2024

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

The Java implementations of AMF3 deserializers in Pivotal/Spring Spring-flex derive class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. A remote attacker with the ability to spoof or control an RMI server connection may be able to send serialized Java objects that execute arbitrary code when deserialized.

Key dates

Disclosure timeline

June 11, 2018 CVE published

August 5, 2024 Record updated