Lucene search
K

82 matches found

Spring Security Advisories
Spring Security Advisories
added 2023/12/19 12:0 a.m.9 views

This Week in Spring - December 19th, 2023

Hi, Spring fans! Welcome to another oh-so-festive edition of This Week in Spring! the Spring Authorization Server 1.2.1, 1.1.14, and 0.4.5, are now available Spring AMQP 3.1.1 is now available Spring Security 5.8.9, 6.1.6, 6.2.1 are now available Spring for Apache Kakfa 3.1.1 is now available...

7.1AI score
Exploits0
NVD
NVD
added 2023/10/19 8:15 a.m.18 views

CVE-2023-34050

In spring AMQP versions 1.0.0 to 2.4.16 and 3.0.0 to 3.0.9 , allowed list patterns for deserializable class names were added to Spring AMQP, allowing users to lock down deserialization of data in messages from untrusted sources; however by default, when no allowed list was provided, all classes...

5CVSS5.2AI score0.01537EPSS
Exploits0References1
Prion
Prion
added 2023/10/19 8:15 a.m.27 views

Deserialization of untrusted data

In spring AMQP versions 1.0.0 to 2.4.16 and 3.0.0 to 3.0.9 , allowed list patterns for deserializable class names were added to Spring AMQP, allowing users to lock down deserialization of data in messages from untrusted sources; however by default, when no allowed list was provided, all classes...

4CVSS4.8AI score0.01537EPSS
Exploits0References1Affected Software1
CVE
CVE
added 2023/10/19 7:11 a.m.112 views

CVE-2023-34050

CVE-2023-34050 affects Spring AMQP: deserialization vulnerability in SimpleMessageConverter/SerializerMessageConverter when no allowed-list patterns are configured. Versions affected: 1.0.0–2.4.16 and 3.0.0–3.0.9. If untrusted messages originate from a compromised source and write permissions to ...

5CVSS5.2AI score0.01537EPSS
Exploits0References1Affected Software1
Vulnrichment
Vulnrichment
added 2023/10/19 7:11 a.m.19 views

CVE-2023-34050 Spring AMQP Deserialization Vulnerability

In spring AMQP versions 1.0.0 to 2.4.16 and 3.0.0 to 3.0.9 , allowed list patterns for deserializable class names were added to Spring AMQP, allowing users to lock down deserialization of data in messages from untrusted sources; however by default, when no allowed list was provided, all classes...

5CVSS6.9AI score0.01537EPSS
Exploits0References1
Cvelist
Cvelist
added 2023/10/19 7:11 a.m.22 views

CVE-2023-34050 Spring AMQP Deserialization Vulnerability

In spring AMQP versions 1.0.0 to 2.4.16 and 3.0.0 to 3.0.9 , allowed list patterns for deserializable class names were added to Spring AMQP, allowing users to lock down deserialization of data in messages from untrusted sources; however by default, when no allowed list was provided, all classes...

5CVSS5.6AI score0.01537EPSS
Exploits0References1
OSV
OSV
added 2023/10/19 7:11 a.m.36 views

CVE-2023-34050 Spring AMQP Deserialization Vulnerability

In spring AMQP versions 1.0.0 to 2.4.16 and 3.0.0 to 3.0.9 , allowed list patterns for deserializable class names were added to Spring AMQP, allowing users to lock down deserialization of data in messages from untrusted sources; however by default, when no allowed list was provided, all classes...

5CVSS6.2AI score0.01537EPSS
Exploits0References3
CNNVD
CNNVD
added 2023/10/19 12:0 a.m.4 views

Spring AMQP Code Issue Vulnerability

Spring AMQP applies core Spring concepts to the development of AMQP-based messaging solutions. A security vulnerability exists in Spring AMQP versions 1.0.0 through 2.4.16 and 3.0.0 through 3.0.9, which stems from the addition of an Allowed List pattern for deserializable class names in Spring...

5CVSS6.7AI score0.01537EPSS
Exploits0References4
IBM Security Bulletins
IBM Security Bulletins
added 2023/10/04 1:9 p.m.47 views

Security Bulletin: Vulnerabilities in amqp-client affect IBM Storage Protect Client, IBM Storage Protect for Virtual Environments, and IBM Storage Protect for Space Management (CVE-2018-11087)

Summary IBM Storage Protect Backup-Archive Client Linux x8664 only, IBM Storage Protect for Virtual Environments Data Protection for VMware on Windows and Linux x8664, and IBM Storage Protect for Space Management Linux x8664 only can be affected by a vulnerability in Pivotal Sprint-AMQP and...

5.9CVSS5.3AI score0.01268EPSS
Exploits0Affected Software3
vulnersOsv
vulnersOsv
added 2022/05/24 7:19 p.m.4 views

br.com.itsme:commons (>=0.0.4-ALPHA <=0.0.5-ALPHA), cn.amossun:starter-event (>=1.2.0-RELEASE <=1.2.1-RELEASE) +216 more potentially affected by CVE-2021-22097 via org.springframework.amqp:spring-amqp (>=2.2.0.RELEASE <=2.2.18.RELEASE)

org.springframework.amqp:spring-amqp MAVEN version =2.2.0.RELEASE, =0.0.4-ALPHA, =1.2.0-RELEASE, =0.2.0, =0.2.0, =0.2.0, =0.0.9, =1.1, =0.1.0, =0.1.0, =0.2.0 - com.farao-community.farao:gridcapa-dichotomy-runner-app =0.1.0 - com.farao-community.farao:gridcapa-dichotomy-runner-spring-boot-starter...

6.8CVSS6.5AI score0.01037EPSS
Exploits0
vulnersOsv
vulnersOsv
added 2022/05/24 7:19 p.m.5 views

cn.kduck:kduck-core (=1.1.0), cn.kduck:kduck-security (=1.1.0) +131 more potentially affected by CVE-2021-22097 via org.springframework.amqp:spring-amqp (>=2.3.0 <=2.3.10)

org.springframework.amqp:spring-amqp MAVEN version =2.3.0, =1.3.20, =1.0.0, =1.7, =0.0.1, =0.1.0, =0.0.1, =0.0.1, =0.2.1 - com.lwohvye:eladmin-system =2.6.14 and more Source cves: CVE-2021-22097 Source advisory: OSV:GHSA-FX7F-RJQJ-52PJ...

6.8CVSS6.5AI score0.01037EPSS
Exploits0
OSV
OSV
added 2022/05/24 7:19 p.m.9 views

GHSA-FX7F-RJQJ-52PJ Deserialization of Untrusted Data in Spring AMQP

In Spring AMQP versions 2.2.0 - 2.2.18 and 2.3.0 - 2.3.10, the Spring AMQP Message object, in its toString method, will deserialize a body for a message with content type application/x-java-serialized-object. It is possible to construct a malicious java.util.Dictionary object that can cause 100%...

6.5CVSS5.9AI score0.01037EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2022/05/24 7:19 p.m.26 views

Deserialization of Untrusted Data in Spring AMQP

In Spring AMQP versions 2.2.0 - 2.2.18 and 2.3.0 - 2.3.10, the Spring AMQP Message object, in its toString method, will deserialize a body for a message with content type application/x-java-serialized-object. It is possible to construct a malicious java.util.Dictionary object that can cause 100%...

6.8CVSS3.8AI score0.01037EPSS
Exploits0References3Affected Software1
vulnersOsv
vulnersOsv
added 2022/05/17 12:16 a.m.12 views

cc.voox:publisher (=0.1.2.GA), com.ahome-it:ahome-tooling-server-core (=1.1.0-RELEASE) +215 more potentially affected by CVE-2017-8045 via org.springframework.amqp:spring-amqp (>=1.0.0.RELEASE <=1.5.6.RELEASE)

org.springframework.amqp:spring-amqp MAVEN version =1.0.0.RELEASE, =1.0, =1.0, =0.9.0, =0.20.0, =1.31.1, =1.27.1, =1.31.0, =1.31.1, =1.31.1, =1.34.1 and more Source cves: CVE-2017-8045 Source advisory: OSV:GHSA-VQQG-XGV7-CF68...

9.8CVSS7.2AI score0.03554EPSS
Exploits2
vulnersOsv
vulnersOsv
added 2022/05/17 12:16 a.m.9 views

br.jus.stf.digital:core (>=0.2.0 <=2.3.1), cn.springcloud.gray:spring-cloud-gray-plugin-event-stream (>=A.1.1.0 <=A.2.0.0.RC1) +112 more potentially affected by CVE-2017-8045 via org.springframework.amqp:spring-amqp (>=1.7.0.RELEASE <=1.7.3.RELEASE)

org.springframework.amqp:spring-amqp MAVEN version =1.7.0.RELEASE, =0.2.0, =A.1.1.0, =A.1.1.0, =1.1.0, =1.1.0, =v1.0.0, =0.8, =0.8, =0.9 - com.societegenerale:rabbitmq-advanced-core =1.0.1.RELEASE - com.societegenerale:rabbitmq-advanced-parent =1.0.1.RELEASE -...

9.8CVSS7.2AI score0.03554EPSS
Exploits2
vulnersOsv
vulnersOsv
added 2022/05/17 12:16 a.m.6 views

com.ahome-it:ahome-tooling-server-core (>=1.1.1-RELEASE <=1.1.3-RELEASE), com.ahome-it:ahome-tooling-server-hazelcast (>=1.1.1-RELEASE <=1.1.3-RELEASE) +8 more potentially affected by CVE-2017-8045 via org.springframework.amqp:spring-amqp (>=1.6.0.RELEASE <=1.6.10.RELEASE)

org.springframework.amqp:spring-amqp MAVEN version =1.6.0.RELEASE, =1.1.1-RELEASE, =1.1.1-RELEASE, =1.1.1-RELEASE, =1.1.1-RELEASE, =1.1.1-RELEASE, =5.2.0-RC1, =1.6.0.RELEASE, =1.6.0.RELEASE, =4.3.0.RELEASE, =4.3.11.RELEASE Source cves: CVE-2017-8045 Source advisory: OSV:GHSA-VQQG-XGV7-CF68...

9.8CVSS7.2AI score0.03554EPSS
Exploits2
Github Security Blog
Github Security Blog
added 2022/05/17 12:16 a.m.28 views

Deserialization of Untrusted Data in Spring AMQP

In Pivotal Spring AMQP versions prior to 1.7.4, 1.6.11, and 1.5.7, an org.springframework.amqp.core.Message may be unsafely deserialized when being converted into a string. A malicious payload could be crafted to exploit this and enable a remote code execution attack...

9.8CVSS5.8AI score0.03554EPSS
Exploits2References4Affected Software1
vulnersOsv
vulnersOsv
added 2022/05/13 1:26 a.m.7 views

cc.voox:publisher (=0.1.2.GA), com.bluejeans:ipc-channel-utils (>=1.0 <=1.0.1) +141 more potentially affected by CVE-2016-2173 via org.springframework.amqp:spring-amqp (>=1.0.0.RELEASE <=1.5.4.RELEASE)

org.springframework.amqp:spring-amqp MAVEN version =1.0.0.RELEASE, =1.0, =1.0, =0.9.0, =0.20.0, =1.31.1, =1.27.1, =1.31.0, =1.31.1, =1.31.1, =1.31.1, =1.31.1, =1.31.1, =1.31.1, =1.34.1 - com.bq.oss.corbel:evci =1.20.0 and more Source cves: CVE-2016-2173 Source advisory: OSV:GHSA-HRP3-8P5W-27GV...

9.8CVSS7.2AI score0.06257EPSS
Exploits0
OSV
OSV
added 2022/05/13 1:26 a.m.19 views

GHSA-HRP3-8P5W-27GV Improper Input Validation in Spring AMQP

org.springframework.core.serializer.DefaultDeserializer in Spring AMQP before 1.5.5 allows remote attackers to execute arbitrary code...

9.8CVSS9.6AI score0.06257EPSS
Exploits0References6
Github Security Blog
Github Security Blog
added 2022/05/13 1:26 a.m.26 views

Improper Input Validation in Spring AMQP

org.springframework.core.serializer.DefaultDeserializer in Spring AMQP before 1.5.5 allows remote attackers to execute arbitrary code...

9.8CVSS7.4AI score0.06257EPSS
Exploits0References7Affected Software1
Rows per page
Query Builder