[MAVEN:GHSA-8M35-R25C-QR56] GraniteDS Insecure Deserialization

Severity High
Affected Packages 1
CVEs 1

In the Java implementation of GraniteDS, version 3.1.1.GA, the AMF3 deserializers derive class instances from java.io.Externalizable rather than from flash.utils.IExternalizable, as the AMF3 specification recommends. A remote attacker with the ability to spoof or control an RMI server connection may be able to send serialized Java objects that execute arbitrary code when deserialized.

| Package | Affected Version |
| --- | --- |
| pkg:maven/org.graniteds/granite-core | <= 3.1.1.GA |
ID: MAVEN:GHSA-8M35-R25C-QR56
Severity: high
URL: https://github.com/advisories/GHSA-8m35-r25c-qr56
Published: 2022-05-13T01:28:41
Modified: 2023-10-06T21:21:35
Rights: Maven Security Team
Other Advisories
| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Affected | pkg:maven/org.graniteds/granite-core | org.graniteds | granite-core | <= 3.1.1.GA | | | |