CVE-2023-34050

Spring AMQP Deserialization Vulnerability

Severity Score

4.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In spring AMQP versions 1.0.0 to
2.4.16 and 3.0.0 to 3.0.9 , allowed list patterns for deserializable class
names were added to Spring AMQP, allowing users to lock down deserialization of
data in messages from untrusted sources; however by default, when no allowed
list was provided, all classes could be deserialized.

Specifically, an application is
vulnerable if

* the
SimpleMessageConverter or SerializerMessageConverter is used

* the user
does not configure allowed list patterns

* untrusted
message originators gain permissions to write messages to the RabbitMQ
broker to send malicious content

En las versiones Spring AMQP 1.0.0 a 2.4.16 y 3.0.0 a 3.0.9, se agregaron a Spring AMQP patrones de listas permitidas para nombres de clases deserializables, lo que permite a los usuarios bloquear la deserialización de datos en mensajes de fuentes no confiables; sin embargo, de forma predeterminada, cuando no se proporcionaba una lista permitida, se podían deserializar todas las clases. Específicamente, una aplicación es vulnerable si * se utiliza SimpleMessageConverter o SerializerMessageConverter * el usuario no configura los patrones de lista permitidos * los originadores de mensajes que no son de confianza obtienen permisos para escribir mensajes al agente RabbitMQ para enviar contenido malicioso

A flaw was found in Spring Framework AMQP. An allowed list exists in Spring AMQP, but when no allowed list is provided, all classes could be deserialized, allowing a malicious user to send harmful content to the broker.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-05-25 CVE Reserved
2023-10-19 CVE Published
2024-09-12 CVE Updated
2024-10-25 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-502: Deserialization of Untrusted Data

CAPEC

References (3)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://spring.io/security/cve-2023-34050	2023-10-25
https://access.redhat.com/security/cve/CVE-2023-34050	2023-12-07
https://bugzilla.redhat.com/show_bug.cgi?id=2246065	2023-12-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Vmware Search vendor "Vmware"		Spring Advanced Message Queuing Protocol Search vendor "Vmware" for product "Spring Advanced Message Queuing Protocol"				>= 1.0.0 < 2.4.16 Search vendor "Vmware" for product "Spring Advanced Message Queuing Protocol" and version " >= 1.0.0 < 2.4.16"		-		Affected
Vmware Search vendor "Vmware"		Spring Advanced Message Queuing Protocol Search vendor "Vmware" for product "Spring Advanced Message Queuing Protocol"				>= 3.0.0 < 3.0.9 Search vendor "Vmware" for product "Spring Advanced Message Queuing Protocol" and version " >= 3.0.0 < 3.0.9"		-		Affected