Vulnerability Description
The Java implementation of AMF3 deserializers used by WebORB for Java by Midnight Coders, version 5.1.1.0, allows external entity references (XXEs) from XML documents embedded within AMF3 messages. If the XML parsing is handled incorrectly it could potentially expose sensitive data on the server, denial of service, or server side request forgery.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Themidnightcoders | Weborb For Java | 5.1.1.0 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/97384Third Party AdvisoryVDB Entry
- http://www.securityweek.com/flaws-java-amf-libraries-allow-remote-code-executionThird Party Advisory
- https://codewhitesec.blogspot.com/2017/04/amf.htmlExploitThird Party Advisory
- https://www.kb.cert.org/vuls/id/307983Third Party AdvisoryUS Government Resource
- http://www.securityfocus.com/bid/97384Third Party AdvisoryVDB Entry
- http://www.securityweek.com/flaws-java-amf-libraries-allow-remote-code-executionThird Party Advisory
- https://codewhitesec.blogspot.com/2017/04/amf.htmlExploitThird Party Advisory
- https://www.kb.cert.org/vuls/id/307983Third Party AdvisoryUS Government Resource
FAQ
What is CVE-2017-3208?
CVE-2017-3208 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The Java implementation of AMF3 deserializers used by WebORB for Java by Midnight Coders, version 5.1.1.0, allows external entity references (XXEs) from XML documents embedded within AMF3 messages. If...
How severe is CVE-2017-3208?
CVE-2017-3208 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2017-3208?
Check the references section above for vendor advisories and patch information. Affected products include: Themidnightcoders Weborb For Java.