Actually, with BlazeDS 4.01 (blazeds-core-4.0.0.14931.jar) there was only one vulnerable file, with one High and one Medium vulnerability.
CVE-2011-2092
Severity: High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-20 Improper Input Validation
Adobe LiveCycle Data Services 3.1 and earlier, LiveCycle 9.0.0.2 and earlier, and BlazeDS 4.0.1 and earlier do not properly restrict creation of classes during deserialization of (1) AMF and (2) AMFX data, which allows attackers to have an unspecified impact via unknown vectors, related to a "deserialization vulnerability."
•CONFIRM - http://www.adobe.com/support/security/bulletins/apsb11-15.html
•SECTRACK - 1025656
•SECTRACK - 1025657
Vulnerable Software & Versions:
•cpe:/a:adobe:blazeds:4.0.1 and all previous versions
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2092

CVE-2011-2093
Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation
Adobe LiveCycle Data Services 3.1 and earlier, LiveCycle 9.0.0.2 and earlier, and BlazeDS 4.0.1 and earlier do not properly handle object graphs, which allows attackers to cause a denial of service via unspecified vectors, related to a "complex object graph vulnerability."
•BID - 48267
•CONFIRM - http://www.adobe.com/support/security/bulletins/apsb11-15.html
•SECTRACK - 1025656
•SECTRACK - 1025657
•XF - livecycle-graph-object-dos(68026)
Vulnerable Software & Versions:
•cpe:/a:adobe:blazeds:4.0.1 and all previous versions
•...

Could you please comment on it? Looks like we might remain on that one if it is not that severe. Please advise.

TIA,
Oleg.

--
View this message in context: http://apache-flex-users.2333346.n4.nabble.com/Security-vulnerabilities-in-BlazeDS-4-7-2-tp14175p14177.html
Sent from the Apache Flex Users mailing list archive at Nabble.com.
