82 matches found
This Week in Spring - December 19th, 2023
Hi, Spring fans! Welcome to another oh-so-festive edition of This Week in Spring! the Spring Authorization Server 1.2.1, 1.1.14, and 0.4.5, are now available Spring AMQP 3.1.1 is now available Spring Security 5.8.9, 6.1.6, 6.2.1 are now available Spring for Apache Kakfa 3.1.1 is now available...
CVE-2023-34050
In spring AMQP versions 1.0.0 to 2.4.16 and 3.0.0 to 3.0.9 , allowed list patterns for deserializable class names were added to Spring AMQP, allowing users to lock down deserialization of data in messages from untrusted sources; however by default, when no allowed list was provided, all classes...
Deserialization of untrusted data
In spring AMQP versions 1.0.0 to 2.4.16 and 3.0.0 to 3.0.9 , allowed list patterns for deserializable class names were added to Spring AMQP, allowing users to lock down deserialization of data in messages from untrusted sources; however by default, when no allowed list was provided, all classes...
CVE-2023-34050
CVE-2023-34050 affects Spring AMQP: deserialization vulnerability in SimpleMessageConverter/SerializerMessageConverter when no allowed-list patterns are configured. Versions affected: 1.0.0–2.4.16 and 3.0.0–3.0.9. If untrusted messages originate from a compromised source and write permissions to ...
CVE-2023-34050 Spring AMQP Deserialization Vulnerability
In spring AMQP versions 1.0.0 to 2.4.16 and 3.0.0 to 3.0.9 , allowed list patterns for deserializable class names were added to Spring AMQP, allowing users to lock down deserialization of data in messages from untrusted sources; however by default, when no allowed list was provided, all classes...
CVE-2023-34050 Spring AMQP Deserialization Vulnerability
In spring AMQP versions 1.0.0 to 2.4.16 and 3.0.0 to 3.0.9 , allowed list patterns for deserializable class names were added to Spring AMQP, allowing users to lock down deserialization of data in messages from untrusted sources; however by default, when no allowed list was provided, all classes...
CVE-2023-34050 Spring AMQP Deserialization Vulnerability
In spring AMQP versions 1.0.0 to 2.4.16 and 3.0.0 to 3.0.9 , allowed list patterns for deserializable class names were added to Spring AMQP, allowing users to lock down deserialization of data in messages from untrusted sources; however by default, when no allowed list was provided, all classes...
Spring AMQP Code Issue Vulnerability
Spring AMQP applies core Spring concepts to the development of AMQP-based messaging solutions. A security vulnerability exists in Spring AMQP versions 1.0.0 through 2.4.16 and 3.0.0 through 3.0.9, which stems from the addition of an Allowed List pattern for deserializable class names in Spring...
Security Bulletin: Vulnerabilities in amqp-client affect IBM Storage Protect Client, IBM Storage Protect for Virtual Environments, and IBM Storage Protect for Space Management (CVE-2018-11087)
Summary IBM Storage Protect Backup-Archive Client Linux x8664 only, IBM Storage Protect for Virtual Environments Data Protection for VMware on Windows and Linux x8664, and IBM Storage Protect for Space Management Linux x8664 only can be affected by a vulnerability in Pivotal Sprint-AMQP and...
br.com.itsme:commons (>=0.0.4-ALPHA <=0.0.5-ALPHA), cn.amossun:starter-event (>=1.2.0-RELEASE <=1.2.1-RELEASE) +216 more potentially affected by CVE-2021-22097 via org.springframework.amqp:spring-amqp (>=2.2.0.RELEASE <=2.2.18.RELEASE)
org.springframework.amqp:spring-amqp MAVEN version =2.2.0.RELEASE, =0.0.4-ALPHA, =1.2.0-RELEASE, =0.2.0, =0.2.0, =0.2.0, =0.0.9, =1.1, =0.1.0, =0.1.0, =0.2.0 - com.farao-community.farao:gridcapa-dichotomy-runner-app =0.1.0 - com.farao-community.farao:gridcapa-dichotomy-runner-spring-boot-starter...
cn.kduck:kduck-core (=1.1.0), cn.kduck:kduck-security (=1.1.0) +131 more potentially affected by CVE-2021-22097 via org.springframework.amqp:spring-amqp (>=2.3.0 <=2.3.10)
org.springframework.amqp:spring-amqp MAVEN version =2.3.0, =1.3.20, =1.0.0, =1.7, =0.0.1, =0.1.0, =0.0.1, =0.0.1, =0.2.1 - com.lwohvye:eladmin-system =2.6.14 and more Source cves: CVE-2021-22097 Source advisory: OSV:GHSA-FX7F-RJQJ-52PJ...
GHSA-FX7F-RJQJ-52PJ Deserialization of Untrusted Data in Spring AMQP
In Spring AMQP versions 2.2.0 - 2.2.18 and 2.3.0 - 2.3.10, the Spring AMQP Message object, in its toString method, will deserialize a body for a message with content type application/x-java-serialized-object. It is possible to construct a malicious java.util.Dictionary object that can cause 100%...
Deserialization of Untrusted Data in Spring AMQP
In Spring AMQP versions 2.2.0 - 2.2.18 and 2.3.0 - 2.3.10, the Spring AMQP Message object, in its toString method, will deserialize a body for a message with content type application/x-java-serialized-object. It is possible to construct a malicious java.util.Dictionary object that can cause 100%...
cc.voox:publisher (=0.1.2.GA), com.ahome-it:ahome-tooling-server-core (=1.1.0-RELEASE) +215 more potentially affected by CVE-2017-8045 via org.springframework.amqp:spring-amqp (>=1.0.0.RELEASE <=1.5.6.RELEASE)
org.springframework.amqp:spring-amqp MAVEN version =1.0.0.RELEASE, =1.0, =1.0, =0.9.0, =0.20.0, =1.31.1, =1.27.1, =1.31.0, =1.31.1, =1.31.1, =1.34.1 and more Source cves: CVE-2017-8045 Source advisory: OSV:GHSA-VQQG-XGV7-CF68...
br.jus.stf.digital:core (>=0.2.0 <=2.3.1), cn.springcloud.gray:spring-cloud-gray-plugin-event-stream (>=A.1.1.0 <=A.2.0.0.RC1) +112 more potentially affected by CVE-2017-8045 via org.springframework.amqp:spring-amqp (>=1.7.0.RELEASE <=1.7.3.RELEASE)
org.springframework.amqp:spring-amqp MAVEN version =1.7.0.RELEASE, =0.2.0, =A.1.1.0, =A.1.1.0, =1.1.0, =1.1.0, =v1.0.0, =0.8, =0.8, =0.9 - com.societegenerale:rabbitmq-advanced-core =1.0.1.RELEASE - com.societegenerale:rabbitmq-advanced-parent =1.0.1.RELEASE -...
com.ahome-it:ahome-tooling-server-core (>=1.1.1-RELEASE <=1.1.3-RELEASE), com.ahome-it:ahome-tooling-server-hazelcast (>=1.1.1-RELEASE <=1.1.3-RELEASE) +8 more potentially affected by CVE-2017-8045 via org.springframework.amqp:spring-amqp (>=1.6.0.RELEASE <=1.6.10.RELEASE)
org.springframework.amqp:spring-amqp MAVEN version =1.6.0.RELEASE, =1.1.1-RELEASE, =1.1.1-RELEASE, =1.1.1-RELEASE, =1.1.1-RELEASE, =1.1.1-RELEASE, =5.2.0-RC1, =1.6.0.RELEASE, =1.6.0.RELEASE, =4.3.0.RELEASE, =4.3.11.RELEASE Source cves: CVE-2017-8045 Source advisory: OSV:GHSA-VQQG-XGV7-CF68...
Deserialization of Untrusted Data in Spring AMQP
In Pivotal Spring AMQP versions prior to 1.7.4, 1.6.11, and 1.5.7, an org.springframework.amqp.core.Message may be unsafely deserialized when being converted into a string. A malicious payload could be crafted to exploit this and enable a remote code execution attack...
cc.voox:publisher (=0.1.2.GA), com.bluejeans:ipc-channel-utils (>=1.0 <=1.0.1) +141 more potentially affected by CVE-2016-2173 via org.springframework.amqp:spring-amqp (>=1.0.0.RELEASE <=1.5.4.RELEASE)
org.springframework.amqp:spring-amqp MAVEN version =1.0.0.RELEASE, =1.0, =1.0, =0.9.0, =0.20.0, =1.31.1, =1.27.1, =1.31.0, =1.31.1, =1.31.1, =1.31.1, =1.31.1, =1.31.1, =1.31.1, =1.34.1 - com.bq.oss.corbel:evci =1.20.0 and more Source cves: CVE-2016-2173 Source advisory: OSV:GHSA-HRP3-8P5W-27GV...
GHSA-HRP3-8P5W-27GV Improper Input Validation in Spring AMQP
org.springframework.core.serializer.DefaultDeserializer in Spring AMQP before 1.5.5 allows remote attackers to execute arbitrary code...
Improper Input Validation in Spring AMQP
org.springframework.core.serializer.DefaultDeserializer in Spring AMQP before 1.5.5 allows remote attackers to execute arbitrary code...