An open API service providing security vulnerability metadata for many open source software ecosystems.

MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTg2cXItOXZxYy1wZ2M2

Severity: Critical
EPSS: 0.02178% (0.83502 percentile)

Code execution in Spring Integration

Affected package: maven:org.springframework.integration:spring-integration-core
Affected versions: >= 4.3.0, < 4.3.23; >= 5.1.0, < 5.1.12; >= 5.2.0, < 5.2.8; >= 5.3.0, < 5.3.2
Fixed versions: 4.3.23, 5.1.12, 5.2.8, 5.3.2
712 Dependent packages
6,277 Dependent repositories

Affected Version Ranges

All affected versions

4.3.10.RELEASE, 4.3.11.RELEASE, 4.3.12.RELEASE, 4.3.13.RELEASE, 4.3.14.RELEASE, 4.3.15.RELEASE, 4.3.16.RELEASE, 4.3.17.RELEASE, 4.3.18.RELEASE, 4.3.19.RELEASE, 4.3.20.RELEASE, 4.3.21.RELEASE, 4.3.22.RELEASE, 4.3.23.RELEASE, 4.3.24.RELEASE, 5.1.10.RELEASE, 5.1.11.RELEASE, 5.1.12.RELEASE, 5.1.13.RELEASE, 5.2.10.RELEASE, 5.2.11.RELEASE, 5.3.10.RELEASE

All unaffected versions

4.2.11.RELEASE, 4.2.12.RELEASE, 4.2.13.RELEASE, 5.0.10.RELEASE, 5.0.11.RELEASE, 5.0.12.RELEASE, 5.0.13.RELEASE, 5.0.14.RELEASE, 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.4.4, 5.4.5, 5.4.6, 5.4.7, 5.4.8, 5.4.9, 5.4.10, 5.4.11, 5.4.12, 5.4.13, 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.5.4, 5.5.5, 5.5.6, 5.5.7, 5.5.8, 5.5.9, 5.5.10, 5.5.11, 5.5.12, 5.5.13, 5.5.14, 5.5.15, 5.5.16, 5.5.17, 5.5.18, 5.5.19, 5.5.20, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.5.0, 6.5.1, 6.5.2, 6.5.3

The Spring Integration framework provides Kryo Codec implementations as an alternative to Java (de)serialization. When Kryo is left at its default options, every class named in the serialized stream is resolved and instantiated on demand, including classes the application never intended to exchange. An attacker who controls the bytes fed to such a codec can therefore name "deserialization gadget" classes already present on the classpath and have their code run while the stream is being read. Kryo can be configured to require registration of an explicit set of trusted classes, so that any class outside that set is rejected before an instance is created. Spring Integration should be proactive in blocking unknown "deserialization gadgets" when it configures Kryo in code; the fixed versions listed above do so.
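The difference between the permissive default and the hardened configuration described above, shown with the plain Kryo API rather than Spring Integration's codec classes. This is an added example, not code from Spring Integration or the advisory; it assumes Kryo 4.x on the classpath (the line the affected Spring Integration 5.x releases used) and the class names Order, UnexpectedType, permissiveKryo and hardenedKryo are made up for illustration:

```java
import com.esotericsoftware.kryo.Kryo;
import com.esotericsoftware.kryo.io.Input;
import com.esotericsoftware.kryo.io.Output;

// Added example (not Spring Integration's own code). Assumes Kryo 4.x, where
// registrationRequired defaults to false.
public class KryoTrustedClassesDemo {

    // The only type this hypothetical service legitimately exchanges.
    public static class Order {
        public String id;
        public int quantity;
    }

    // Stand-in for any class the receiver never meant to deserialize. A real
    // attacker would name a gadget class already on the classpath instead.
    public static class UnexpectedType {
        public String payload;
    }

    // Default configuration: the class name embedded in attacker-controlled
    // bytes is resolved and instantiated, whatever it is.
    static Kryo permissiveKryo() {
        return new Kryo();
    }

    // Hardened configuration: only explicitly registered classes may be
    // (de)serialized; anything else is rejected before an instance is created.
    static Kryo hardenedKryo() {
        Kryo kryo = new Kryo();
        kryo.setRegistrationRequired(true);
        kryo.register(Order.class);
        return kryo;
    }

    static byte[] encode(Kryo kryo, Object obj) {
        Output output = new Output(1024, -1);
        kryo.writeClassAndObject(output, obj);
        output.close();
        return output.toBytes();
    }

    static Object decode(Kryo kryo, byte[] bytes) {
        return kryo.readClassAndObject(new Input(bytes));
    }

    public static void main(String[] args) {
        // Constructed hostile input: bytes naming a class the receiver never registered.
        UnexpectedType smuggled = new UnexpectedType();
        smuggled.payload = "not an Order";
        byte[] hostile = encode(permissiveKryo(), smuggled);

        // Vulnerable behaviour: the default instance materialises the unknown class.
        Object o = decode(permissiveKryo(), hostile);
        System.out.println("default Kryo produced: " + o.getClass().getName());

        // Hardened behaviour: Kryo throws IllegalArgumentException("Class is not registered: ...").
        try {
            decode(hardenedKryo(), hostile);
            System.out.println("unexpected: hardened Kryo accepted the input");
        } catch (IllegalArgumentException e) {
            System.out.println("hardened Kryo rejected it: " + e.getMessage());
        }

        // Legitimate traffic still round-trips through the hardened instance.
        Order order = new Order();
        order.id = "A-1";
        order.quantity = 3;
        Order back = (Order) decode(hardenedKryo(), encode(hardenedKryo(), order));
        System.out.println("round-trip ok: " + back.id + " x" + back.quantity);
    }
}
```

Register classes in the same order on every Kryo instance that talks to the same peers, since registration order determines the numeric IDs written into the stream. Within Spring Integration itself, the equivalent of hardenedKryo is to hand the codec a KryoRegistrar (for example KryoClassListRegistrar) that enumerates the trusted types, and to run one of the fixed versions listed above, which no longer leave registration optional.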

References: