CVE-2017-3203: Deserialization of Untrusted Data in Spring-flex
CVSS Score: 8.1 (CVSS v3.0)

Basic Information

CVE ID: CVE-2017-3203
GHSA ID:
EPSS Score: 0.93999%
CWE:
Published: 5/13/2022
Updated: 1/27/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
---|---|---|---
org.springframework.flex:spring-flex | maven | <= 1.5.2.RELEASE | 
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from Spring-flex's AMF3 deserializer honouring Java's `Externalizable` interface rather than restricting itself to the Flash `IExternalizable` specification. Because of this implementation choice, an attacker who can send AMF3 payloads can name arbitrary Java `Externalizable` classes (such as `sun.rmi.server.UnicastRef`) during deserialization. The `readObject` method of the AMF3 deserializer instantiates the named class and calls its `readExternal` method, and for classes like `UnicastRef` that call can trigger dangerous RMI operations. While exact file paths aren't provided in public disclosures, the core issue is clearly tied to the AMF3 deserialization logic's handling of `Externalizable` types, and the defensive fix is to allow only the types the application expects to be instantiated from untrusted AMF3 input.