CVE-2017-3207

CVE-2017-3207: WebORB for Java by Midnight Coders, version 5.1.1.0, Action Message Format (AMF3) Java implementation is vulnerable to insecure deserialization

Vendor Midnight Coders

Product WebORB for Java

Weakness CWE-502 · Unsafe deserialization

Published June 11, 2018

Last update August 5, 2024

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

The Java implementations of AMF3 deserializers in WebORB for Java by Midnight Coders, version 5.1.1.0, derive class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. A remote attacker with the ability to spoof or control an RMI server connection may be able to send serialized Java objects that execute arbitrary code when deserialized.

Key dates

Disclosure timeline

June 11, 2018 CVE published

August 5, 2024 Record updated