CVE-2015-5255

Name of the Vulnerable Software and Affected Versions Adobe BlazeDS versions prior to 3.0.0.354175 Adobe BlazeDS versions 3.1.x prior to 3.1.0.354180 Adobe BlazeDS versions 4.5.x prior to 4.5.1.354177 Adobe BlazeDS versions 4.6.2.x prior to 4.6.2.354178 Adobe BlazeDS versions 4.7.x prior to 4.7.0.354178 ColdFusion versions 10 prior to Update 18 ColdFusion versions 11 prior to Update 7 LiveCycle Data Services versions 3.0.x prior to 3.0.0.354175

Description The issue exists due to insufficient input validation in the Adobe BlazeDS component. This can be exploited by a remote attacker to redirect HTTP traffic to internal servers using a specially crafted XML document related to a Server-Side Request Forgery (SSRF) issue.

Recommendations For Adobe BlazeDS versions prior to 3.0.0.354175, update to version 3.0.0.354175 or later. For Adobe BlazeDS versions 3.1.x prior to 3.1.0.354180, update to version 3.1.0.354180 or later. For Adobe BlazeDS versions 4.5.x prior to 4.5.1.354177, update to version 4.5.1.354177 or later. For Adobe BlazeDS versions 4.6.2.x prior to 4.6.2.354178, update to version 4.6.2.354178 or later. For Adobe BlazeDS versions 4.7.x prior to 4.7.0.354178, update to version 4.7.0.354178 or later. For ColdFusion versions 10, apply Update 18 or later. For ColdFusion versions 11, apply Update 7 or later. For LiveCycle Data Services versions 3.0.x, update to version 3.0.0.354175 or later.