5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H
7.3 High
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
15.5%
In spring AMQP versions 1.0.0 to
2.4.16 and 3.0.0 to 3.0.9 , allowed list patterns for deserializable class
names were added to Spring AMQP, allowing users to lock down deserialization of
data in messages from untrusted sources; however by default, when no allowed
list was provided, all classes could be deserialized.
Specifically, an application is
vulnerable if
the
SimpleMessageConverter or SerializerMessageConverter is used
the user
does not configure allowed list patterns
untrusted
message originators gain permissions to write messages to the RabbitMQ
broker to send malicious content
CPE | Name | Operator | Version |
---|---|---|---|
spring-amqp | eq | 3.0.2 | |
spring-amqp | eq | 3.0.1 | |
spring-amqp | eq | 3.0.4 | |
spring-amqp | eq | 3.0.6 | |
spring-amqp | eq | 3.0.7 | |
spring-amqp | eq | 3.0.8 | |
spring-amqp | eq | 3.0.0 | |
spring-amqp | eq | 3.0.3 | |
spring-amqp | eq | 3.0.5 |
5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H
7.3 High
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
15.5%