PT-2015-3384 · Apache · Apache Flex Blazeds

Kpc

Published 2015-08-25 · Updated 2022-03-11 · CVE-2015-3269

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Apache Flex BlazeDS versions 3.0.x through 3.0.0.354170
Apache Flex BlazeDS versions 4.5 through 4.5.1.354169
Apache Flex BlazeDS versions 4.6.2 through 4.6.2.354169
Apache Flex BlazeDS versions 4.7 through 4.7.0.354169

Description

The issue allows remote attackers to read arbitrary files via an AMF message containing an XML external entity declaration together with a reference to that entity; it is an XML External Entity (XXE) issue. This can enable an attacker to view the contents of any file on the server or to perform network scanning of internal and external infrastructure.

Recommendations

For versions 3.0.x through 3.0.0.354170, update to version 3.0.0.354170 or later. For versions 4.5 through 4.5.1.354169, update to version 4.5.1.354169 or later. For versions 4.6.2 through 4.6.2.354169, update to version 4.6.2.354169 or later. For versions 4.7 through 4.7.0.354169, update to version 4.7.0.354169 or later. As a temporary workaround, consider restricting access to the XML external entity processing functionality until a patch is available.
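The parser-side control behind the workaround above, as an added defender-side example that is not code from the Apache Flex BlazeDS project: a Java DOM parser configured to refuse any DOCTYPE, so an external entity declaration of the kind the description names is rejected before any entity can be resolved. The class and method names, and the constructed sample with its placeholder path, are assumptions made for this example.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class XxeHardening {
    // Constructed sample in the shape the advisory describes: an external
    // entity declaration plus a reference to it. The path is a placeholder.
    static final String XXE_SAMPLE =
        "<?xml version=\"1.0\"?>"
        + "<!DOCTYPE data [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER_PATH\">]>"
        + "<data>&ext;</data>";

    // Constructed benign document that a hardened parser must still accept.
    static final String BENIGN_SAMPLE = "<?xml version=\"1.0\"?><data>hello</data>";

    // Hardened factory: forbid DTDs outright and, as belt and braces,
    // switch off external entity loading and entity expansion as well.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Returns true if the hardened parser accepted the document, false if it
    // rejected it. With disallow-doctype-decl set, the rejection happens at the
    // DOCTYPE itself, so no SYSTEM identifier is ever fetched.
    static boolean accepts(String xml) throws Exception {
        try {
            Document d = hardenedFactory().newDocumentBuilder()
                .parse(new InputSource(new StringReader(xml)));
            return d.getDocumentElement() != null;
        } catch (SAXException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("benign document accepted: " + accepts(BENIGN_SAMPLE)); // true
        System.out.println("XXE sample accepted:      " + accepts(XXE_SAMPLE));    // false
    }
}
```

The same feature flags apply to SAXParserFactory and XMLInputFactory; the point is that the DOCTYPE is refused up front rather than relying on the entity resolver to behave.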

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

BDU:2020-02712
CVE-2015-3269
ZDI-22-508

Affected Products

Apache Flex Blazeds