1 results (0.003 seconds)
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 4
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 4CVE-2023-34040 – Java Deserialization vulnerability in Spring-Kafka When Improperly Configured
https://notcve.org/view.php?id=CVE-2023-34040
24 Aug 2023 — In Spring for Apache Kafka 3.0.9 and earlier and versions 2.9.10 and earlier, a possible deserialization attack vector existed, but only if unusual configuration was applied. An attacker would have to construct a malicious serialized object in one of the deserialization exception record headers. Specifically, an application is vulnerable when all of the following are true: * The user does not configure an ErrorHandlingDeserializer for the key and/or value of the record * The user explicitly sets container p... • https://github.com/Contrast-Security-OSS/Spring-Kafka-POC-CVE-2023-34040 • CWE-502: Deserialization of Untrusted Data •