Arbitrary Code Execution via Unrestricted Class Deserialization in Red5 Media Server

Arbitrary Code Execution via Unrestricted Class Deserialization in Red5 Media Server

CVE-2017-5878 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

The AMF unmarshallers in Red5 Media Server before 1.0.8 do not restrict the classes for which it performs deserialization, which allows remote attackers to execute arbitrary code via crafted serialized Java data.

Learn more about our Cis Benchmark Audit For Server Software.