Vulnerability Description
The Java implementation of AMF3 deserializers used by Flamingo amf-serializer by Exadel, version 2.2.0, allows external entity references (XXEs) from XML documents embedded within AMF3 messages. If the XML parsing is handled incorrectly it could potentially expose sensitive data on the server, denial of service, or server side request forgery.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Exadel | Flamingo | 2.2.0 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/97380Third Party AdvisoryVDB Entry
- http://www.securityweek.com/flaws-java-amf-libraries-allow-remote-code-executionThird Party Advisory
- https://codewhitesec.blogspot.com/2017/04/amf.htmlExploitThird Party Advisory
- https://www.kb.cert.org/vuls/id/307983Third Party AdvisoryUS Government Resource
- http://www.securityfocus.com/bid/97380Third Party AdvisoryVDB Entry
- http://www.securityweek.com/flaws-java-amf-libraries-allow-remote-code-executionThird Party Advisory
- https://codewhitesec.blogspot.com/2017/04/amf.htmlExploitThird Party Advisory
- https://www.kb.cert.org/vuls/id/307983Third Party AdvisoryUS Government Resource
FAQ
What is CVE-2017-3206?
CVE-2017-3206 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The Java implementation of AMF3 deserializers used by Flamingo amf-serializer by Exadel, version 2.2.0, allows external entity references (XXEs) from XML documents embedded within AMF3 messages. If th...
How severe is CVE-2017-3206?
CVE-2017-3206 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2017-3206?
Check the references section above for vendor advisories and patch information. Affected products include: Exadel Flamingo.