CVSS: 5.0EPSS: 40%CPEs: 2EXPL: 1CVE-2023-34050 – Spring AMQP Deserialization Vulnerability
https://notcve.org/view.php?id=CVE-2023-34050
19 Oct 2023 — In spring AMQP versions 1.0.0 to 2.4.16 and 3.0.0 to 3.0.9 , allowed list patterns for deserializable class names were added to Spring AMQP, allowing users to lock down deserialization of data in messages from untrusted sources; however by default, when no allowed list was provided, all classes could be deserialized. Specifically, an application is vulnerable if * the SimpleMessageConverter or SerializerMessageConverter is used * the user does not configure allowed list patterns * untrusted message originat... • https://github.com/X1r0z/spring-amqp-deserialization • CWE-502: Deserialization of Untrusted Data •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-22095
https://notcve.org/view.php?id=CVE-2021-22095
30 Nov 2021 — In Spring AMQP versions 2.2.0 - 2.2.19 and 2.3.0 - 2.3.11, the Spring AMQP Message object, in its toString() method, will create a new String object from the message body, regardless of its size. This can cause an OOM Error with a large message En Spring AMQP versiones 2.2.0 - 2.2.19 y 2.3.0 - 2.3.11, el objeto Spring AMQP Message, en su método toString(), crea un nuevo objeto String a partir del cuerpo del mensaje, independientemente de su tamaño. Esto puede causar un error OOM con un mensaje grande • https://tanzu.vmware.com/security/cve-2021-22097 • CWE-502: Deserialization of Untrusted Data •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2021-22097
https://notcve.org/view.php?id=CVE-2021-22097
28 Oct 2021 — In Spring AMQP versions 2.2.0 - 2.2.18 and 2.3.0 - 2.3.10, the Spring AMQP Message object, in its toString() method, will deserialize a body for a message with content type application/x-java-serialized-object. It is possible to construct a malicious java.util.Dictionary object that can cause 100% CPU usage in the application if the toString() method is called. En Spring AMQP versiones 2.2.0 - 2.2.18 y 2.3.0 - 2.3.10, el objeto Spring AMQP Message, en su método toString(), deserializará un cuerpo para un me... • https://tanzu.vmware.com/security/cve-2021-22097 • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 21%CPEs: 4EXPL: 1CVE-2016-2173
https://notcve.org/view.php?id=CVE-2016-2173
21 Apr 2017 — org.springframework.core.serializer.DefaultDeserializer in Spring AMQP before 1.5.5 allows remote attackers to execute arbitrary code. org.springframework.core.serializer.DefaultDeserializer en Spring AMQP en versiones anteriores a 1.5.5 a los atacantes remotos ejecutar el código arbitrario. • https://github.com/HaToan/CVE-2016-2173 • CWE-20: Improper Input Validation •