Vulnerabilites related to Spring by VMware - Spring Integration
cve-2020-5413
Vulnerability from cvelistv5
Published
2020-07-31 19:40
Modified
2024-09-16 16:22
Severity ?
EPSS score ?
Summary
Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains malicious code for execution during deserialization. In order to protect against this type of attack, Kryo can be configured to require a set of trusted classes for (de)serialization. Spring Integration should be proactive against blocking unknown "deserialization gadgets" when configuring Kryo in code.
References
| ▼ | URL | Tags |
|---|---|---|
| https://tanzu.vmware.com/security/cve-2020-5413 | x_refsource_CONFIRM | |
| https://www.oracle.com/security-alerts/cpuApr2021.html | x_refsource_MISC | |
| https://www.oracle.com//security-alerts/cpujul2021.html | x_refsource_MISC | |
| https://www.oracle.com/security-alerts/cpuoct2021.html | x_refsource_MISC | |
| https://www.oracle.com/security-alerts/cpuapr2022.html | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Spring by VMware | Spring Integration |
Version: 4.3 < v4.3.23.RELEASE Version: 5.1 < v5.1.12.RELEASE Version: 5.2 < v5.2.8.RELEASE Version: 5.3 < v5.3.2.RELEASE |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:30:24.064Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://tanzu.vmware.com/security/cve-2020-5413"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Spring Integration",
"vendor": "Spring by VMware",
"versions": [
{
"lessThan": "v4.3.23.RELEASE",
"status": "affected",
"version": "4.3",
"versionType": "custom"
},
{
"lessThan": "v5.1.12.RELEASE",
"status": "affected",
"version": "5.1",
"versionType": "custom"
},
{
"lessThan": "v5.2.8.RELEASE",
"status": "affected",
"version": "5.2",
"versionType": "custom"
},
{
"lessThan": "v5.3.2.RELEASE",
"status": "affected",
"version": "5.3",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-07-23T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the \"deserialization gadgets\" exploit when provided data contains malicious code for execution during deserialization. In order to protect against this type of attack, Kryo can be configured to require a set of trusted classes for (de)serialization. Spring Integration should be proactive against blocking unknown \"deserialization gadgets\" when configuring Kryo in code."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-19T23:23:07",
"orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"shortName": "pivotal"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://tanzu.vmware.com/security/cve-2020-5413"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Kryo Configuration Allows Code Execution with Unknown \"Serialization Gadgets\"",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@pivotal.io",
"DATE_PUBLIC": "2020-07-23T00:00:00.000Z",
"ID": "CVE-2020-5413",
"STATE": "PUBLIC",
"TITLE": "Kryo Configuration Allows Code Execution with Unknown \"Serialization Gadgets\""
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Spring Integration",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "4.3",
"version_value": "v4.3.23.RELEASE"
},
{
"version_affected": "\u003c",
"version_name": "5.1",
"version_value": "v5.1.12.RELEASE"
},
{
"version_affected": "\u003c",
"version_name": "5.2",
"version_value": "v5.2.8.RELEASE"
},
{
"version_affected": "\u003c",
"version_name": "5.3",
"version_value": "v5.3.2.RELEASE"
}
]
}
}
]
},
"vendor_name": "Spring by VMware"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the \"deserialization gadgets\" exploit when provided data contains malicious code for execution during deserialization. In order to protect against this type of attack, Kryo can be configured to require a set of trusted classes for (de)serialization. Spring Integration should be proactive against blocking unknown \"deserialization gadgets\" when configuring Kryo in code."
}
]
},
"impact": null,
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-502: Deserialization of Untrusted Data"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://tanzu.vmware.com/security/cve-2020-5413",
"refsource": "CONFIRM",
"url": "https://tanzu.vmware.com/security/cve-2020-5413"
},
{
"name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"name": "https://www.oracle.com//security-alerts/cpujul2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"assignerShortName": "pivotal",
"cveId": "CVE-2020-5413",
"datePublished": "2020-07-31T19:40:19.970815Z",
"dateReserved": "2020-01-03T00:00:00",
"dateUpdated": "2024-09-16T16:22:53.854Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}