CVE-2020-5413

Severity: 9.8 CRITICAL
EPSS: 2.2% (top 15.66%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 31; latest update Oct 15

Description

Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains malicious code for execution during deserialization. In order to protect against this type of attack, Kryo can be configured to require a set of trusted classes for (de)serialization. Spring Integration should be p

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages: 10 packages

Patches

Vulnerability Details (3)

GHSA: Code execution in Spring Integration (2020-08-05)
OSV: Code execution in Spring Integration (2020-08-05)
CVEList: Kryo Configuration Allows Code Execution with Unknown "Serialization Gadgets" (2020-07-31)

Vendor Advisories (3)

Oracle: Oracle Financial Services Applications Risk Matrix: Loans (Spring Integration) — CVE-2020-5413 (2021-10-15)
Oracle: Oracle Financial Services Applications Risk Matrix: Financial Planning (Spring Integration) — CVE-2020-5413 (2021-07-15)
Oracle: Oracle Financial Services Applications Risk Matrix: Order Management (Spring Integration) — CVE-2020-5413 (2021-04-15)