CVE-2017-3203

CVSS v3.0 8.1 (High)
CVSS v2.0 6.8 (Medium)
EPSS 5.96% (94th percentile)
Affected Products 1
Advisories 2

The Java implementations of AMF3 deserializers in Pivotal/Spring Spring-flex derive class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. A remote attacker with the ability to spoof or control an RMI server connection may be able to send serialized Java objects that execute arbitrary code when deserialized.

Weaknesses
CWE-502
Deserialization of Untrusted Data
CVE Status
PUBLISHED
CNA
CERT/CC
Published Date
2018-06-11 17:29:00
(6 years ago)
Updated Date
2019-10-09 23:27:22
(5 years ago)

Affected Products


Configuration #1

Vendor    Product       CPE23                            From    Up To
Pivotal   Spring-flex   cpe:2.3:a:pivotal:spring-flex