The AMF unmarshallers in Red5 Media Server before 1.0.8 do not restrict the classes for which it performs deserialization, which allows remote attackers to execute arbitrary code via crafted serialized Java data.
References
Link | Resource |
---|---|
http://www.openwall.com/lists/oss-security/2017/05/22/2 | Mailing List Third Party Advisory |
https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true | Third Party Advisory |
http://www.openwall.com/lists/oss-security/2017/05/22/2 | Mailing List Third Party Advisory |
https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true | Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 03:28
Type | Values Removed | Values Added |
---|---|---|
References | () http://www.openwall.com/lists/oss-security/2017/05/22/2 - Mailing List, Third Party Advisory | |
References | () https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true - Third Party Advisory |
Information
Published : 2017-06-08 16:29
Updated : 2024-11-21 03:28
NVD link : CVE-2017-5878
Mitre link : CVE-2017-5878
CVE.ORG link : CVE-2017-5878
JSON object : View
Products Affected
red5
- media_server
CWE
CWE-502
Deserialization of Untrusted Data