CVE-2017-3201

HIGH

Exadel Flamingo Amf-serializer - Insecure Deserialization

Title source: rule

Description

The Java implementation of AMF3 deserializers used in Flamingo amf-serializer by Exadel, version 2.2.0 derives class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. A remote attacker with the ability to spoof or control an RMI server connection may be able to send serialized Java objects that execute arbitrary code when deserialized.

References (4)

Scores

CVSS v3 8.1
EPSS 0.0751
EPSS Percentile 91.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-502
Status published

Affected Products (1)

exadel/flamingo_amf-serializer

Timeline

Published Jun 11, 2018
Tracked Since Feb 18, 2026