{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-15T12:51:49.222","vulnerabilities":[{"cve":{"id":"CVE-2017-3200","sourceIdentifier":"cret@cert.org","published":"2018-06-11T17:29:00.447","lastModified":"2024-11-21T03:25:01.257","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"The Java implementation of AMF3 deserializers used in GraniteDS, version 3.1.1.G, may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this vulnerability depends on the availability of classes in the class path that make use of deserialization. A remote attacker with the ability to spoof or control information may be able to send serialized Java objects with pre-set properties that result in arbitrary code execution when deserialized."},{"lang":"es","value":"La implementación de Java de los deserializadores AMF3 empleada en GraniteDS, versión 3.1.1.G, podría permitir la instanciación de clases arbitrarias mediante su constructor público sin parámetros y, en consecuencia, llamar a métodos setter arbitrarios de Java Beans. La capacidad para explotar esta vulnerabilidad depende de la disponibilidad de las clases en la ruta de clase que emplea la deserialización. Un atacante remoto con la capacidad de suplantar o controlar información podría ser capaz de enviar objetos Java serializados con propiedades preestablecidas que resultan en la ejecución de código arbitrario cuando se deserializan."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.2,"impactScore":5.9}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:P/A:P","baseScore":6.8,"accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"MEDIUM","exploitabilityScore":8.6,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"cret@cert.org","type":"Secondary","description":[{"lang":"en","value":"CWE-913"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-502"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:graniteds:graniteds:3.1.1:*:*:*:*:*:*:*","matchCriteriaId":"3B952992-5FE8-4BA5-8916-D4EE395D627D"}]}]}],"references":[{"url":"http://www.securityfocus.com/bid/97382","source":"cret@cert.org","tags":["Third Party Advisory","VDB Entry"]},{"url":"http://www.securityweek.com/flaws-java-amf-libraries-allow-remote-code-execution","source":"cret@cert.org","tags":["Third Party Advisory"]},{"url":"https://codewhitesec.blogspot.com/2017/04/amf.html","source":"cret@cert.org","tags":["Exploit","Third Party Advisory"]},{"url":"https://www.kb.cert.org/vuls/id/307983","source":"cret@cert.org","tags":["Third Party Advisory","US Government Resource"]},{"url":"http://www.securityfocus.com/bid/97382","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory","VDB Entry"]},{"url":"http://www.securityweek.com/flaws-java-amf-libraries-allow-remote-code-execution","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]},{"url":"https://codewhitesec.blogspot.com/2017/04/amf.html","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Third Party Advisory"]},{"url":"https://www.kb.cert.org/vuls/id/307983","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory","US Government Resource"]}]}}]}