Lucene search

Veracode Vulnerability DatabaseVERACODE:42990

HistoryAug 29, 2023 - 8:56 a.m.

Deserialization Of Untrusted Data

2023-08-2908:56:38

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

155

vulnerability

spring-kafka

untrusted data

serialization

exception record headers

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

0.0004 Low

EPSS

Percentile

12.9%

JSON

org.springframework.kafka, spring-kafka is vulnerable to Deserialization Of Untrusted Data. The vulnerability is caused by not setting ErrorHandlingDeserializer when checkDeserExWhenKeyNull or checkDeserExWhenValueNull container properties are set to true. An attacker can construct a malicious serialized object in one of the deserialization exception record headers to exploit this vulnerability.

CPENameOperatorVersion
spring kafka supportle2.9.10
spring kafka supportle3.0.9
spring kafka supportle2.9.10
spring kafka supportle3.0.9

Name	Operator	Version
spring kafka support	le	2.9.10
spring kafka support	le	3.0.9
spring kafka support	le	2.9.10
spring kafka support	le	3.0.9

References

github.com/advisories/GHSA-crqf-q9fp-hwjw

github.com/spring-projects/spring-kafka/commit/25ac793a78725e2ca4a3a2888a1506a4bfcf0c9d

spring.io/security/cve-2023-34040

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

0.0004 Low

EPSS

Percentile

12.9%

JSON

Related for VERACODE:42990