CVE-2017-3208
Severity: CRITICAL
WebORB for Java 5.1.1.0 - XML External Entity Injection via AMF3 Message Deserialization
Title source: llm
Description
The Java implementation of AMF3 deserializers used by WebORB for Java by Midnight Coders, version 5.1.1.0, allows external entity references (XXEs) from XML documents embedded within AMF3 messages. If the XML parsing is handled incorrectly, it could potentially lead to exposure of sensitive data on the server, denial of service, or server-side request forgery.
References (4)
Core References
https://codewhitesec.blogspot.com/2017/04/amf.html [Exploit, Third Party Advisory; x_refsource_misc]
https://www.kb.cert.org/vuls/id/307983 [Third Party Advisory, US Government Resource; third-party-advisory, x_refsource_cert-vn]
http://www.securityweek.com/flaws-java-amf-libraries-allow-remote-code-execution [Third Party Advisory; x_refsource_misc]
http://www.securityfocus.com/bid/97384 [Third Party Advisory, VDB Entry; vdb-entry, x_refsource_bid]
Scores
CVSS v3: 9.8
EPSS: 0.0400
EPSS Percentile: 89.2%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-611
Status: published
Products (1): themidnightcoders/weborb_for_java 5.1.1.0
Published: Jun 11, 2018
Tracked Since: Feb 18, 2026