CVE-2017-5878

The AMF unmarshallers in Red5 Media Server before 1.0.8 do not restrict the classes for which it performs deserialization, which allows remote attackers to execute arbitrary code via crafted serialized Java data.

Published: Jun 8, 2017
Updated: Apr 13, 2023
CVE: CVE-2017-5878
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-502

OWASP TOP 10:

A8 - Insecure Deserialization

Affected Software
References

Software	From	Fixed in
red5 / media_server	1.0.2	1.0.2.x
red5 / media_server	1.0.2-milestone1	1.0.2-milestone1.x
red5 / media_server	1.0.3	1.0.3.x
red5 / media_server	1.0.4	1.0.4.x
red5 / media_server	1.0.5	1.0.5.x
red5 / media_server	1.0.6	1.0.6.x
red5 / media_server	1.0.7	1.0.7.x
red5 / media_server	1.0.7-milestone1	1.0.7-milestone1.x
red5 / media_server	1.0.7-milestone2	1.0.7-milestone2.x
red5 / media_server	1.0.7-milestone3	1.0.7-milestone3.x
red5 / media_server	1.0.7-milestone4	1.0.7-milestone4.x
red5 / media_server	1.0.7-milestone5	1.0.7-milestone5.x
red5 / media_server	1.0.7-milestone6	1.0.7-milestone6.x
red5 / media_server	1.0.7-milestone7	1.0.7-milestone7.x
red5 / media_server	1.0.8-milestone1	1.0.8-milestone1.x
red5 / media_server	1.0.8-milestone10	1.0.8-milestone10.x
red5 / media_server	1.0.8-milestone11	1.0.8-milestone11.x
red5 / media_server	1.0.8-milestone12	1.0.8-milestone12.x
red5 / media_server	1.0.8-milestone13	1.0.8-milestone13.x
red5 / media_server	1.0.8-milestone2	1.0.8-milestone2.x
red5 / media_server	1.0.8-milestone3	1.0.8-milestone3.x
red5 / media_server	1.0.8-milestone4	1.0.8-milestone4.x
red5 / media_server	1.0.8-milestone5	1.0.8-milestone5.x
red5 / media_server	1.0.8-milestone6	1.0.8-milestone6.x
red5 / media_server	1.0.8-milestone7	1.0.8-milestone7.x
red5 / media_server	1.0.8-milestone8	1.0.8-milestone8.x
red5 / media_server	1.0.8-milestone9	1.0.8-milestone9.x

Vulnerability Database

289,784

CVE-2017-5878