CVE-2017-7504 - AskarLabs CVE Database

CVE-2017-7504

Vendor Red Hat, Inc.

Product JBoss

Weakness CWE-502 · Unsafe deserialization

Published May 19, 2017

Last update August 5, 2024

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

HTTPServerILServlet.java in JMS over HTTP Invocation Layer of the JbossMQ implementation, which is enabled by default in Red Hat Jboss Application Server <= Jboss 4.X does not restrict the classes for which it performs deserialization, which allows remote attackers to execute arbitrary code via crafted serialized data.

Key dates

02Disclosure timeline

May 19, 2017 CVE published

August 5, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2017-7504 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/502.html

Related vulnerabilities

04Related CVE

CVE-2022-29063 Java Deserialization via RMI Connection from the Solr plugin of Apache OFBiz CVE-2023-34434 Apache InLong: JDBC URL bypassing by allowLoadLocalInfileInPath param CVE-2026-7654 Admin Columns <= 7.0.18 - Authenticated (Contributor+) PHP Object Injection to Remote Code Execution via Custom Field Meta Value CVE-2023-38155 Azure DevOps Server Remote Code Execution Vulnerability CVE-2026-27438 WordPress Kingler theme <= 1.7 - PHP Object Injection vulnerability