Description
Adobe LiveCycle Data Services 3.1 and earlier, LiveCycle 9.0.0.2 and earlier, and BlazeDS 4.0.1 and earlier do not properly restrict creation of classes during deserialization of (1) AMF and (2) AMFX data, which allows attackers to have an unspecified impact via unknown vectors, related to a "deserialization vulnerability."
References (3)
Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id?1025656
Patch, Vendor Advisory x_refsource_confirm
http://www.adobe.com/support/security/bulletins/apsb11-15.html
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id?1025657
Scores
EPSS
0.0606
EPSS Percentile
92.5%
Details
CWE
CWE-20
Status
published
Products (14)
adobe/blazeds
< 4.0.1
adobe/livecycle
6.0
adobe/livecycle
7.0
adobe/livecycle
8.0.1
adobe/livecycle
8.0.1.1
adobe/livecycle
8.0.1.2
adobe/livecycle
8.2.1.3
adobe/livecycle
< 9.0.0.2
adobe/livecycle_data_services
2.5
adobe/livecycle_data_services
2.5.1
... and 4 more
Published
Jun 16, 2011
Tracked Since
Feb 18, 2026