CVE-2023-34050

CWE-502 — Deserialization of Untrusted Data4 documents4 sources

Severity

4.3MEDIUM

EPSS

41.1%

top 2.62%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Spring Spring Amqp Vmware Spring Advanced Message Queuing Protocol

Timeline

PublishedOct 19

Description

In spring AMQP versions 1.0.0 to 2.4.16 and 3.0.0 to 3.0.9 , allowed list patterns for deserializable class names were added to Spring AMQP, allowing users to lock down deserialization of data in messages from untrusted sources; however by default, when no allowed list was provided, all classes could be deserialized. Specifically, an application is vulnerable if * the SimpleMessageConverter or SerializerMessageConverter is used * the user does not configure allowed list patterns * untruste…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:HExploitability: 0.7 | Impact: 4.2

Affected Packages2 packages

▶CVEListV5spring/spring_amqp1.0.0 — 2.4.17+1

▶NVDvmware/spring_advanced_message_queuing_protocol1.0.0 — 2.4.16+1

🔴Vulnerability Details

CVEList

Spring AMQP Deserialization Vulnerability↗2023-10-19

▶

GHSA

GHSA-24f5-5fmf-pwmc: In spring AMQP versions 1↗2023-10-19

▶

📋Vendor Advisories

Red Hat

springframework-amqp: Deserialization Vulnerability↗2023-10-19

▶