PT-2018-7255 · Midnight Coders · Weborb For Java
Published
2018-06-11
·
Updated
2018-08-06
·
CVE-2017-3208
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions:
WebORB for Java version 5.1.1.0
Description:
The issue concerns the Java implementation of AMF3 deserializers in WebORB for Java, which allows external entity references (XXEs) from XML documents embedded within AMF3 messages. This could potentially expose sensitive data on the server, lead to denial of service, or enable server-side request forgery.
Recommendations:
For version 5.1.1.0, consider disabling the AMF3 deserialization functionality until a patch is available to prevent potential exploitation. Restrict access to sensitive data on the server and monitor for signs of denial of service or server-side request forgery.
Exploit
Fix
XXE
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Weborb For Java