CVE-2020-5413 Kryo Configuration Allows Code Execution with Unknown "Serialization Gadgets"

🗓️ 31 Jul 2020 19:40:19Reported by pivotalType

CVE-2020-5413 Kryo Configuration Allows Code Execution with Unknown "Serialization Gadgets" Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains malicious code for execution during deserialization. In order to protect against this type of attack, Kryo can be configured to require a set of trusted classes for (de)serialization

Reporter	Title	Published	Views	Family All 22
BDU FSTEC	The vulnerability of the Kryo Codec component in the software platform for integrating corporate applications in Spring Integration allows a hacker to execute arbitrary code.	27 Oct 202000:00	–	bdu_fstec
CNVD	Pivotal Software Spring Integration Code Issue Vulnerability	7 Aug 202000:00	–	cnvd
CVE	CVE-2020-5413	31 Jul 202019:40	–	cve
EUVD	EUVD-2020-0604	7 Oct 202500:30	–	euvd
IBM Security Bulletins	Security Bulletin: IBM Data Risk Manager is affected by multiple vulnerabilities	2 Feb 202105:06	–	ibm
Github Security Blog	Code execution in Spring Integration	5 Aug 202014:53	–	github
NCSC	Vulnerabilities fixed in Oracle Financial Services Applications	21 Apr 202100:00	–	ncsc
NCSC	Vulnerabilities fixed in Oracle Financial Services Applications	20 Oct 202100:00	–	ncsc
NCSC	Vulnerabilities fixed in Oracle Communications	20 Apr 202200:00	–	ncsc
NVD	CVE-2020-5413	31 Jul 202020:15	–	nvd

[
  {
    "product": "Spring Integration",
    "vendor": "Spring by VMware",
    "versions": [
      {
        "lessThan": "v4.3.23.RELEASE",
        "status": "affected",
        "version": "4.3",
        "versionType": "custom"
      },
      {
        "lessThan": "v5.1.12.RELEASE",
        "status": "affected",
        "version": "5.1",
        "versionType": "custom"
      },
      {
        "lessThan": "v5.2.8.RELEASE",
        "status": "affected",
        "version": "5.2",
        "versionType": "custom"
      },
      {
        "lessThan": "v5.3.2.RELEASE",
        "status": "affected",
        "version": "5.3",
        "versionType": "custom"
      }
    ]
  }
]

Source	Link
oracle	www.oracle.com//security-alerts/cpujul2021.html
oracle	www.oracle.com/security-alerts/cpuApr2021.html
oracle	www.oracle.com/security-alerts/cpuapr2022.html
tanzu	www.tanzu.vmware.com/security/cve-2020-5413
oracle	www.oracle.com/security-alerts/cpuoct2021.html

19 Apr 2022 23:23Current

9.5High risk

Vulners AI Score9.5

EPSS0.04409

CWE-502