CVE-2020-5413

CVE-2020-5413 affects Spring Integration Kryo-based (de)serialization. When Kryo is configured with default options, unregistered classes can be resolved on demand, enabling deserialization gadgets to execute malicious code during data intake. The provided connected documents confirm the issue an...

CVE-2020-5413 Kryo Configuration Allows Code Execution with Unknown "Serialization Gadgets"

Spring Integration framework provides Kryo Codec implementations as an alternative for Java deserialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains malicious cod...

Remote Code Execution (RCE)

Spring Integration Core is vulnerable to remote code execution RCE. It accepts all unregistered classes on demand when Kryo is configured using default options, allowing a malicious class to be deserialized...

CVE-2019-3772

Spring Integration spring-integration-xml and spring-integration-ws modules, versions 4.3.18, 5.0.10, 5.1.1, and older unsupported versions, were susceptible to XML External Entity Injection XXE when receiving XML data from untrusted sources...

Spring Integration Installed

Binary data pivotalsoftwarespringintegrationinstalled.nbin...

com.ahome-it:ahome-tooling-server-core (>=1.0.110-RELEASE <=1.1.3-RELEASE), com.ahome-it:ahome-tooling-server-hazelcast (>=1.0.111-RELEASE <=1.1.3-RELEASE) +19 more potentially affected by CVE-2019-3772 via org.springframework.integration:spring-integration-ws (>=1.0.1.RELEASE <=4.3.17.RELEASE)

org.springframework.integration:spring-integration-ws MAVEN version =1.0.1.RELEASE, =1.0.110-RELEASE, =1.0.111-RELEASE, =1.0.111-RELEASE, =1.1.0-RELEASE, =1.0.111-RELEASE, =1.0.111-RELEASE, =1.0.19-RELEASE, =1.2.2-RELEASE, =1.2.23-RELEASE, =1.1.0-RELEASE, =1.1.0-RELEASE, =1.2.1-RELEASE, =0.0.3,...

com.ahome-it:ahome-tooling-server-core (>=1.0.83-RC1 <=1.1.3-RELEASE), com.ahome-it:ahome-tooling-server-hazelcast (>=1.0.88-RC1 <=1.1.3-RELEASE) +336 more potentially affected by CVE-2019-3772 via org.springframework.integration:spring-integration-xml (>=1.0.1.RELEASE <=4.3.17.RELEASE)

org.springframework.integration:spring-integration-xml MAVEN version =1.0.1.RELEASE, =1.0.83-RC1, =1.0.88-RC1, =1.0.83-RC1, =1.1.0-RELEASE, =1.0.83-RC1, =1.0.83-RC1, =1.0.19-RELEASE, =1.2.2-RELEASE, =1.2.23-RELEASE, =1.1.0-RELEASE, =1.1.0-RELEASE, =1.2.1-RELEASE, =0.0.3, =1.0.1, =2.1.1 and more...

Improper Restriction of XML External Entity Reference in org.springframework.integration:spring-integration-ws and org.springframework.integration:spring-integration-xml

Spring Integration spring-integration-xml and spring-integration-ws modules, versions 4.3.18, 5.0.10, 5.1.1, and older unsupported versions, were susceptible to XML External Entity Injection XXE when receiving XML data from untrusted sources...

GHSA-WR5R-M8PC-85J9 Improper Restriction of XML External Entity Reference in org.springframework.integration:spring-integration-ws and org.springframework.integration:spring-integration-xml

Spring Integration spring-integration-xml and spring-integration-ws modules, versions 4.3.18, 5.0.10, 5.1.1, and older unsupported versions, were susceptible to XML External Entity Injection XXE when receiving XML data from untrusted sources...

CVE-2019-3772

Spring Integration spring-integration-xml and spring-integration-ws modules, versions 4.3.18, 5.0.10, 5.1.1, and older unsupported versions, were susceptible to XML External Entity Injection XXE when receiving XML data from untrusted sources...

CVE-2019-3772

Spring Integration spring-integration-xml and spring-integration-ws modules, versions 4.3.18, 5.0.10, 5.1.1, and older unsupported versions, were susceptible to XML External Entity Injection XXE when receiving XML data from untrusted sources...

CVE-2019-3772 Spring Integration XML External Entity Injection (XXE)

Spring Integration spring-integration-xml and spring-integration-ws modules, versions 4.3.18, 5.0.10, 5.1.1, and older unsupported versions, were susceptible to XML External Entity Injection XXE when receiving XML data from untrusted sources...

XML External Entity Injection (XXE)

Spring Integration is vulnerable to XML external entity injection XXE. The library does not filter malicious XML data input due to failing to disable the Document Type Definition External Entities by default...

Pivotal Spring Integration Zip Arbitrary File Write Vulnerability

Pivotal Spring Integration Zip is the United States Pivotal Software, Inc. of a compression/uncompression components used in Spring. An arbitrary file write vulnerability exists in Pivotal Spring Integration Zip. This allows an attacker to write arbitrary files to an affected system...

Arbitrary File Write via Archive Extraction (Zip Slip)

Overview org.springframework.integration:spring-integration-zip provides Zip un- compression support. Affected versions of the package are vulnerable to Arbitrary File Write via Archive Extraction AKA "Zip Slip". It is exploited using a specially crafted zip archive, that holds path traversal...

CVE-2018-1263

Addresses partial fix in CVE-2018-1261. Pivotal spring-integration-zip, versions prior to 1.0.2, exposes an arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive affects other archives as well, bzip2, tar, xz, war, cpio, 7z, that holds path traversal...

CVE-2018-1263

CVE-2018-1263 affects spring-integration-zip (prior to 1.0.2 per initial, with later references noting fixes up to 1.0.4). The flaw is a path-traversal during archive extraction, where filenames are concatenated to the target directory, allowing an arbitrary file write outside the intended folder...

Pivotal Spring-integration-zip Arbitrary File Write Vulnerability

Pivotal Spring-integration-zip is a U.S. Pivotal Software, Inc. used in Spring in the compression/decompression components. An arbitrary file write vulnerability exists in Pivotal Spring-integration-zip versions prior to 1.0.1. The vulnerability can be exploited to write arbitrary files with a...

Arbitrary File Write

spring-integration-zip is vulnerable to arbitrary file write. The library is missing a path check during the unzipping process, allowing a malicious user to pass a file path outside the intended directory, which can then be used to write arbitrary files within a user application. This vulnerabili...

CVE-2018-1261

Spring-integration-zip versions prior to 1.0.1 exposes an arbitrary file write vulnerability, which can be achieved using a specially crafted zip archive affects other archives as well, bzip2, tar, xz, war, cpio, 7z that holds path traversal filenames. So when the filename gets concatenated to th...