CVE-2017-3203: Pivotal/Spring Spring-flex's Action Message Format (AMF3) Java implementation is vulnerable to insecure deserialization
First published: Mon Jun 11 2018(Updated: )
The Java implementations of AMF3 deserializers in Pivotal/Spring Spring-flex derive class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. A remote attacker with the ability to spoof or control an RMI server connection may be able to send serialized Java objects that execute arbitrary code when deserialized.
Credit: cret@cert.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Pivotal Spring-flex |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2017-3203.
What is the severity of CVE-2017-3203?
The severity of CVE-2017-3203 is high with a score of 8.1.
Which software is affected by CVE-2017-3203?
Pivotal Spring-flex is affected by CVE-2017-3203.
What is the recommended fix for CVE-2017-3203?
Apply the necessary patches provided by the software vendor.
Where can I find more information about CVE-2017-3203?
You can find more information about CVE-2017-3203 at the following references: [1] [2] [3].
- collector/nvd-index
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/severity
- agent/weakness
- agent/title
- agent/last-modified-date
- agent/description
- agent/first-publish-date
- agent/event
- agent/tags
- agent/source
- vendor/pivotal
- canonical/pivotal spring-flex