Severity: Critical (9.8) · NVD Advisory · Published Dec 28, 2017 · Updated Jun 17, 2026
CVE-2017-5641
Description
Previous versions of Apache Flex BlazeDS (4.7.2 and earlier) did not restrict, by default, which types were allowed for AMF(X) object deserialization. During deserialization, code is executed that, for several known types, has undesired side effects; other, unknown types may exhibit similar behavior. One vector in the Java standard library allows an attacker to trigger further, possibly exploitable, Java deserialization of untrusted data. Other known vectors in third-party libraries can be used to trigger remote code execution.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.flex.blazeds:flex-messaging-core | Maven | < 4.7.3 | 4.7.3 |
| org.apache.flex.blazeds:flex-messaging-remoting | Maven | < 4.7.3 | 4.7.3 |
Affected products
- HP XP Command View Advanced Edition (cpe:2.3:a:hp:xp_command_view_advanced_edition:*:*:*:*:*:*:*:*), range: < 8.5.3-00
- GHSA coordinates (2 versions): pkg:maven/org.apache.flex.blazeds/flex-messaging-core, pkg:maven/org.apache.flex.blazeds/flex-messaging-remoting, range: < 4.7.3 (+ 1 more)
- (no CPE), range: < 4.7.3
- (no CPE), range: < 4.7.3
- Apache Software Foundation / Apache Flex Blaze DS (v5), range: before 4.7.3
References
- github.com/advisories/GHSA-w8v7-prhw-xjpw (GHSA: Advisory)
- issues.apache.org/jira/browse/FLEX-35290 (NVD: Issue Tracking, Vendor Advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-5641 (GHSA: Advisory)
- support.hpe.com/hpsc/doc/public/display (NVD: Third Party Advisory)
- www.kb.cert.org/vuls/id/307983 (NVD: Third Party Advisory, US Government Resource)
- www.zerodayinitiative.com/advisories/ZDI-22-506/ (NVD: Third Party Advisory, VDB Entry)
- www.zerodayinitiative.com/advisories/ZDI-22-507/ (NVD: Third Party Advisory, VDB Entry)
- mail-archives.apache.org/mod_mbox/flex-dev/201703.mbox/%3C6B86C8D0-6E36-48F5-AC81-4AB3978F6746@c-ware.de%3E (GHSA)
- www.securityfocus.com/bid/97383 (NVD: Broken Link)
- www.securitytracker.com/id/1038273 (NVD: Broken Link)
- github.com/apache/flex-blazeds/commit/11b0aa132d9a43bf81fa12654ff227ff247b4627 (GHSA)
- github.com/apache/flex-blazeds/commit/f861f0993c35e664906609cad275e45a71e2aaf1 (GHSA)
- web.archive.org/web/20170920093830/http://www.securitytracker.com/id/1038273 (GHSA)
- web.archive.org/web/20210124021605/http://www.securityfocus.com/bid/97383 (GHSA)
- www.zerodayinitiative.com/advisories/ZDI-22-506 (GHSA)
- www.zerodayinitiative.com/advisories/ZDI-22-507 (GHSA)
- mail-archives.apache.org/mod_mbox/flex-dev/201703.mbox/%3C6B86C8D0-6E36-48F5-AC81-4AB3978F6746%40c-ware.de%3E (NVD)