High severityNVD Advisory· Published Jun 11, 2018· Updated Aug 5, 2024

Pivotal/Spring Spring-flex's Action Message Format (AMF3) Java implementation is vulnerable to insecure deserialization

CVE-2017-3203

Description

The Java implementations of AMF3 deserializers in Pivotal/Spring Spring-flex derive class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. A remote attacker with the ability to spoof or control an RMI server connection may be able to send serialized Java objects that execute arbitrary code when deserialized.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.springframework.flex:spring-flexMaven	<= 1.5.2.RELEASE	—

Affected products

Spring Projects/Spring Flexv5
Range: 0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-8v4h-j42h-wfhcghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2017-3203ghsaADVISORY
www.kb.cert.org/vuls/id/307983ghsathird-party-advisoryx_refsource_CERT-VNWEB
www.securityweek.com/flaws-java-amf-libraries-allow-remote-code-executionghsax_refsource_MISCWEB
codewhitesec.blogspot.com/2017/04/amf.htmlghsax_refsource_MISCWEB
www.securityfocus.com/bid/97376mitrevdb-entryx_refsource_BID

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.011
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000