{ "CVE_data_meta" : { "ASSIGNER" : "cert@cert.org", "ID" : "CVE-2017-3199", "STATE" : "PUBLIC", "TITLE" : "GraniteDS, version 3.1.1.GA, Action Message Format (AMF3) Java implementation is vulnerable to insecure deserialization" }, "affects" : { "vendor" : { "vendor_data" : [ { "product" : { "product_data" : [ { "product_name" : "Framework", "version" : { "version_data" : [ { "affected" : "=", "version_name" : "3.1.1.GA", "version_value" : "3.1.1.GA" } ] } } ] }, "vendor_name" : "GraniteDS" } ] } }, "data_format" : "MITRE", "data_type" : "CVE", "data_version" : "4.0", "description" : { "description_data" : [ { "lang" : "eng", "value" : "The AMF3 deserializers in the Java implementation of GraniteDS, version 3.1.1.GA, derive class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. A remote attacker with the ability to spoof or control an RMI server connection may be able to send serialized Java objects that execute arbitrary code when deserialized." } ] }, "problemtype" : { "problemtype_data" : [ { "description" : [ { "lang" : "eng", "value" : "CWE-502: Deserialization of Untrusted Data" } ] } ] }, "references" : { "reference_data" : [ { "name" : "http://www.securityweek.com/flaws-java-amf-libraries-allow-remote-code-execution", "refsource" : "MISC", "url" : "http://www.securityweek.com/flaws-java-amf-libraries-allow-remote-code-execution" }, { "name" : "https://codewhitesec.blogspot.com/2017/04/amf.html", "refsource" : "MISC", "url" : "https://codewhitesec.blogspot.com/2017/04/amf.html" }, { "name" : "VU#307983", "refsource" : "CERT-VN", "url" : "https://www.kb.cert.org/vuls/id/307983" }, { "name" : "97382", "refsource" : "BID", "url" : "http://www.securityfocus.com/bid/97382" } ] }, "source" : { "discovery" : "UNKNOWN" } }