6525 matches found
Pivotal Software Spring Integration Code Issue Vulnerability
Pivotal Software Spring Integration is an enterprise integration pattern from Pivotal Software, USA. The product is designed to enable lightweight messaging in Spring-based applications and supports integration with tail systems via declarative adapters. A code issue vulnerability exists in Pivot...
cn.strongculture:prometheus-spring-boot-starter (=1.0.0), com.buession.springcloud.stream:buession-springcloud-stream-core (>=2.2.1 <=2.3.3) +105 more potentially affected by CVE-2020-5413 via org.springframework.integration:spring-integration-core (>=5.3.0.RELEASE <=5.3.1.RELEASE)
org.springframework.integration:spring-integration-core MAVEN version =5.3.0.RELEASE, =2.2.1, =2.2.1, =2.2.1, =2.2.1, =2.2.1, =2.2.1, =2.2.1, =2.2.1, =2.2.1, =2.2.1, =2.2.1, =2.2.1, =2.2.1, =2.3.3...
ai.hyacinth.framework:core-service-bus-support (=0.5.24), cc.cc4414:cc-spring-auth-server (=0.5.1) +406 more potentially affected by CVE-2020-5413 via org.springframework.integration:spring-integration-core (>=5.2.0.RELEASE <=5.2.7.RELEASE)
org.springframework.integration:spring-integration-core MAVEN version =5.2.0.RELEASE, =5.2.7.RELEASE is affected by a known vulnerability. The following packages have a transitive dependency on org.springframework.integration:spring-integration-core and may be impacted: -...
Code execution in Spring Integration
Spring Integration framework provides Kryo Codec implementations as an alternative for Java deserialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains malicious cod...
GHSA-86QR-9VQC-PGC6 Code execution in Spring Integration
Spring Integration framework provides Kryo Codec implementations as an alternative for Java deserialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains malicious cod...
com.alipay.sofa:tracer-sofa-boot-starter (>=3.1.0 <=3.1.2), com.pleosoft:pleosoft-spring-boot-starter (=1.0.5-RELEASE) +40 more potentially affected by CVE-2020-5413 via org.springframework.integration:spring-integration-core (>=5.1.0.RELEASE <=5.1.11.RELEASE)
org.springframework.integration:spring-integration-core MAVEN version =5.1.0.RELEASE, =3.1.0, =0.2.0.RELEASE, =2.23.0, =2.23.0, =2.1.0.RELEASE, =5.1.0.RELEASE, =5.1.0.RELEASE, =5.1.0.RELEASE, =5.1.0.RELEASE, =5.1.0.RELEASE, =5.1.0.RELEASE, =5.1.11.RELEASE - org.springframework.integration:spring...
br.jus.stf.digital:core (=0.1.0), cn.home1:spring-cloud-config-monitor (>=0.0.1 <=1.0.1.U1) +646 more potentially affected by CVE-2020-5413 via org.springframework.integration:spring-integration-core (>=4.3.0.RELEASE <=4.3.22.RELEASE)
org.springframework.integration:spring-integration-core MAVEN version =4.3.0.RELEASE, =0.0.1, =0.0.1, =A.1.0.0, =A.1.0.0, =A.1.1.0, =A.1.0.0, =A.1.1.0, =A.1.0.0, =A.1.0.0, =1.1.2-RELEASE, =1.1.2-RELEASE, =1.1.2-RELEASE, =1.1.2-RELEASE, =1.1.2-RELEASE, =1.1.12-RELEASE and more Source cves:...
Remote Code Execution
spring-batch-core is vulnerable to remote code execution. The upgrade of Jackson in 4.2.3.RELEASE enabled default typing by default and resulted in Spring Batch to be vulnerable to untrusted deserialization. An attacker will be able to execute arbitrary code if ExecutionContext is serialized and...
CVE-2020-5413
Spring Integration framework provides Kryo Codec implementations as an alternative for Java deserialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains malicious cod...
CVE-2020-5413
Spring Integration framework provides Kryo Codec implementations as an alternative for Java deserialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains malicious cod...
Deserialization of untrusted data
Spring Integration framework provides Kryo Codec implementations as an alternative for Java deserialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains malicious cod...
CVE-2020-5411
When configured to enable default typing, Jackson contained a deserialization vulnerability that could lead to arbitrary code execution. Jackson fixed this vulnerability by blacklisting known "deserialization gadgets". Spring Batch configures Jackson with global default typing enabled which means...
CVE-2020-5413
CVE-2020-5413 affects Spring Integration Kryo-based (de)serialization. When Kryo is configured with default options, unregistered classes can be resolved on demand, enabling deserialization gadgets to execute malicious code during data intake. The provided connected documents confirm the issue an...
CVE-2020-5413 Kryo Configuration Allows Code Execution with Unknown "Serialization Gadgets"
Spring Integration framework provides Kryo Codec implementations as an alternative for Java deserialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains malicious cod...
jackson-databind: Serialization gadgets in org.springframework:spring-aop
A flaw was found in jackson-databind 2.x. The interaction between serialization gadgets and typing is mishandled. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability...
jackson-databind: Serialization gadgets in org.springframework:spring-aop
A flaw was found in jackson-databind 2.x. The interaction between serialization gadgets and typing is mishandled. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability...
jackson-databind: Serialization gadgets in org.springframework:spring-aop
A flaw was found in jackson-databind 2.x. The interaction between serialization gadgets and typing is mishandled. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability...
Important: Red Hat Security Advisory: Red Hat Fuse 7.7.0 release and security update
A minor version update from 7.6 to 7.7 is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring...
spring-data-jpa: Additional information exposure with Spring Data JPA derived queries
This affects Spring Data JPA in versions up to and including 2.1.5, 2.0.13 and 1.11.19. Derived queries using any of the predicates ‘startingWith’, ‘endingWith’ or ‘containing’ could return more results than anticipated when a maliciously crafted query parameter value is supplied. Also, LIKE...
jackson-databind: Serialization gadgets in org.springframework:spring-aop
A flaw was found in jackson-databind 2.x. The interaction between serialization gadgets and typing is mishandled. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability...