CVE-2023-34050 – Spring AMQP Deserialization Vulnerability
https://notcve.org/view.php?id=CVE-2023-34050
19 Oct 2023 — In Spring AMQP versions 1.0.0 to 2.4.16 and 3.0.0 to 3.0.9, allowed-list patterns for deserializable class names were added to Spring AMQP, allowing users to lock down deserialization of data in messages from untrusted sources; however, by default, when no allowed list was provided, all classes could be deserialized. Specifically, an application is vulnerable if * the SimpleMessageConverter or SerializerMessageConverter is used * the user does not configure allowed-list patterns * untrusted message originat... • https://github.com/X1r0z/spring-amqp-deserialization • CWE-502: Deserialization of Untrusted Data •
CVE-2018-11087 – TLS validation error
https://notcve.org/view.php?id=CVE-2018-11087
14 Sep 2018 — Pivotal Spring AMQP, 1.x versions prior to 1.7.10 and 2.x versions prior to 2.0.6, expose a man-in-the-middle vulnerability due to lack of hostname validation. A malicious user that has the ability to intercept traffic would be able to view data in transit. • https://pivotal.io/security/cve-2018-11087 • CWE-295: Improper Certificate Validation •
CVE-2017-8045
https://notcve.org/view.php?id=CVE-2017-8045
27 Nov 2017 — In Pivotal Spring AMQP versions prior to 1.7.4, 1.6.11, and 1.5.7, an org.springframework.amqp.core.Message may be unsafely deserialized when being converted into a string. A malicious payload could be crafted to exploit this and enable a remote code execution attack. • http://www.securityfocus.com/bid/100936 • CWE-502: Deserialization of Untrusted Data •