CVE-2017-5878
Severity: CRITICAL
Red5 Media Server < 1.0.8 - Remote Code Execution via AMF Deserialization
The AMF unmarshallers in Red5 Media Server before 1.0.8 do not restrict the classes for which they perform deserialization, which allows remote attackers to execute arbitrary code via crafted serialized Java data.
References (2)
Third Party Advisory (x_refsource_misc): https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true
Mailing List, Third Party Advisory (x_refsource_mlist): http://www.openwall.com/lists/oss-security/2017/05/22/2
Scores
CVSS v3
9.8
EPSS
0.0272
EPSS Percentile
84.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-502
Status
published
Products (7)
red5/media_server
1.0.2 (2 CPE variants)
red5/media_server
1.0.3
red5/media_server
1.0.4
red5/media_server
1.0.5
red5/media_server
1.0.6
red5/media_server
1.0.7 (8 CPE variants)
red5/media_server
1.0.8 milestone1 (13 CPE variants)
Published
Jun 08, 2017
Tracked Since
Feb 18, 2026