CVE-2023-34050

Published: 19/10/2023 Updated: 25/10/2023
CVSS v3 Base Score: 4.3 | Impact Score: 1.4 | Exploitability Score: 2.8

Vulnerability Summary

In Spring AMQP versions 1.0.0 to 2.4.16 and 3.0.0 to 3.0.9, allowed list patterns for deserializable class names were added to Spring AMQP, allowing users to lock down deserialization of data in messages from untrusted sources; however, by default, when no allowed list was provided, all classes could be deserialized. Specifically, an application is vulnerable if all of the following hold:

* the SimpleMessageConverter or SerializerMessageConverter is used
* the user does not configure allowed list patterns
* untrusted message originators gain permissions to write messages to the RabbitMQ broker and send malicious content

Practitioner notes: both converters hand a message body to Java deserialization only when its content type is application/x-java-serialized-object, a header a producer with write access to the broker sets freely, so "trusted queue" is not a mitigation unless broker permissions actually prevent untrusted producers from publishing. The affected ranges end at 2.4.16 and 3.0.9, so 2.4.17 and 3.0.10 are the first releases with the corrected default; regardless of version, set an explicit allowed list, because a default that is merely narrower is still broader than the handful of types your listeners actually expect.
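The following Spring configuration is an added example, not code from the advisory, the PoC repository, or the Spring AMQP project. It shows the vulnerable default (a bare SimpleMessageConverter with no allowed list) next to the hardened form that restricts deserialization to an explicit set of class-name patterns, and wires that converter into both the sending and the listening side so a @RabbitListener does not silently fall back to an unrestricted converter. The package name com.example.messaging and the bean names are assumptions for illustration; setAllowedListPatterns, RabbitTemplate.setMessageConverter and SimpleRabbitListenerContainerFactory.setMessageConverter are existing Spring AMQP APIs.

```java
import java.util.List;

import org.springframework.amqp.rabbit.config.SimpleRabbitListenerContainerFactory;
import org.springframework.amqp.rabbit.connection.ConnectionFactory;
import org.springframework.amqp.rabbit.core.RabbitTemplate;
import org.springframework.amqp.support.converter.SimpleMessageConverter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class AmqpConverterConfig {

    // Vulnerable on 1.0.0-2.4.16 and 3.0.0-3.0.9: no allowed list is set, so a message
    // with content type application/x-java-serialized-object is passed to Java
    // deserialization with every class on the consumer's classpath available to it.
    // Kept here only as the "before" picture; do not register it as a bean.
    static SimpleMessageConverter unrestrictedConverter() {
        return new SimpleMessageConverter();
    }

    // Hardened: only the application's own message types (com.example.messaging is a
    // placeholder package) plus the JDK value/collection types they are composed of.
    // Patterns use Spring's simple wildcard matching, so "com.example.messaging.*"
    // covers that package and its subpackages. Anything else is rejected at
    // deserialization time instead of being instantiated.
    @Bean
    SimpleMessageConverter messageConverter() {
        SimpleMessageConverter converter = new SimpleMessageConverter();
        converter.setAllowedListPatterns(List.of(
                "com.example.messaging.*",
                "java.util.*",
                "java.lang.*"));
        return converter;
    }

    // Use the restricted converter for outbound and RPC replies handled by RabbitTemplate.
    @Bean
    RabbitTemplate rabbitTemplate(ConnectionFactory connectionFactory,
                                  SimpleMessageConverter messageConverter) {
        RabbitTemplate template = new RabbitTemplate(connectionFactory);
        template.setMessageConverter(messageConverter);
        return template;
    }

    // @RabbitListener methods get their converter from the container factory, which
    // otherwise defaults to an unrestricted SimpleMessageConverter; set it explicitly.
    @Bean
    SimpleRabbitListenerContainerFactory rabbitListenerContainerFactory(
            ConnectionFactory connectionFactory,
            SimpleMessageConverter messageConverter) {
        SimpleRabbitListenerContainerFactory factory = new SimpleRabbitListenerContainerFactory();
        factory.setConnectionFactory(connectionFactory);
        factory.setMessageConverter(messageConverter);
        return factory;
    }
}
```

The list deliberately omits patterns such as "*" or "org.springframework.*": a gadget chain needs only one deserializable class outside your message model, so the check is whether every pattern is a type your listeners genuinely expect. If the application never needs Java serialization at all, replacing the converter with a JSON converter removes the deserialization sink entirely, which is a stronger fix than any allowed list.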

Vulnerable Product

vmware spring advanced message queuing protocol (Spring AMQP)

Vendor Advisories

Summary: Moderate: AMQ Clients 2023Q4. Type/Severity: Security Advisory: Moderate. Title: An update is now available for Red Hat AMQ Clients. Red Hat Product Security has rated this update as having an impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerabi ...

Github Repositories

PoC of Spring AMQP Deserialization Vulnerability (CVE-2023-34050)

spring-amqp-deserialization: A Proof of Concept of Spring AMQP Deserialization Vulnerability (CVE-2023-34050)
Affected versions: 1.0.0 to 2.4.16, 3.0.0 to 3.0.9
Reference: springio/security/cve-2023-34050