Vulnerability-Lookup - Search a vulnerability

Search criteria

Vendor

Product

Assigner

Sources

Sort by

Order

CVE-2020-5413 (GCVE-0-2020-5413)

Vulnerability from cvelistv5 – Published: 2020-07-31 19:40 – Updated: 2024-09-16 16:22

Summary

Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains malicious code for execution during deserialization. In order to protect against this type of attack, Kryo can be configured to require a set of trusted classes for (de)serialization. Spring Integration should be proactive against blocking unknown "deserialization gadgets" when configuring Kryo in code.

Severity ?

No CVSS data available.

CWE

CWE-502 - Deserialization of Untrusted Data

Assigner

pivotal

References

URL

Tags

	https://tanzu.vmware.com/security/cve-2020-5413	x_refsource_CONFIRM
	https://www.oracle.com/security-alerts/cpuApr2021.html	x_refsource_MISC
	https://www.oracle.com//security-alerts/cpujul2021.html	x_refsource_MISC
	https://www.oracle.com/security-alerts/cpuoct2021.html	x_refsource_MISC
	https://www.oracle.com/security-alerts/cpuapr2022.html	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Spring by VMware	Spring Integration	Affected: 4.3 , < v4.3.23.RELEASE (custom) Affected: 5.1 , < v5.1.12.RELEASE (custom) Affected: 5.2 , < v5.2.8.RELEASE (custom) Affected: 5.3 , < v5.3.2.RELEASE (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T08:30:24.064Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://tanzu.vmware.com/security/cve-2020-5413"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Spring Integration",
          "vendor": "Spring by VMware",
          "versions": [
            {
              "lessThan": "v4.3.23.RELEASE",
              "status": "affected",
              "version": "4.3",
              "versionType": "custom"
            },
            {
              "lessThan": "v5.1.12.RELEASE",
              "status": "affected",
              "version": "5.1",
              "versionType": "custom"
            },
            {
              "lessThan": "v5.2.8.RELEASE",
              "status": "affected",
              "version": "5.2",
              "versionType": "custom"
            },
            {
              "lessThan": "v5.3.2.RELEASE",
              "status": "affected",
              "version": "5.3",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2020-07-23T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the \"deserialization gadgets\" exploit when provided data contains malicious code for execution during deserialization. In order to protect against this type of attack, Kryo can be configured to require a set of trusted classes for (de)serialization. Spring Integration should be proactive against blocking unknown \"deserialization gadgets\" when configuring Kryo in code."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502: Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-19T23:23:07",
        "orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
        "shortName": "pivotal"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://tanzu.vmware.com/security/cve-2020-5413"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Kryo Configuration Allows Code Execution with Unknown \"Serialization Gadgets\"",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@pivotal.io",
          "DATE_PUBLIC": "2020-07-23T00:00:00.000Z",
          "ID": "CVE-2020-5413",
          "STATE": "PUBLIC",
          "TITLE": "Kryo Configuration Allows Code Execution with Unknown \"Serialization Gadgets\""
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Spring Integration",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "4.3",
                            "version_value": "v4.3.23.RELEASE"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "5.1",
                            "version_value": "v5.1.12.RELEASE"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "5.2",
                            "version_value": "v5.2.8.RELEASE"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "5.3",
                            "version_value": "v5.3.2.RELEASE"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Spring by VMware"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the \"deserialization gadgets\" exploit when provided data contains malicious code for execution during deserialization. In order to protect against this type of attack, Kryo can be configured to require a set of trusted classes for (de)serialization. Spring Integration should be proactive against blocking unknown \"deserialization gadgets\" when configuring Kryo in code."
            }
          ]
        },
        "impact": null,
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-502: Deserialization of Untrusted Data"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://tanzu.vmware.com/security/cve-2020-5413",
              "refsource": "CONFIRM",
              "url": "https://tanzu.vmware.com/security/cve-2020-5413"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
            },
            {
              "name": "https://www.oracle.com//security-alerts/cpujul2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
    "assignerShortName": "pivotal",
    "cveId": "CVE-2020-5413",
    "datePublished": "2020-07-31T19:40:19.970815Z",
    "dateReserved": "2020-01-03T00:00:00",
    "dateUpdated": "2024-09-16T16:22:53.854Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-5413 (GCVE-0-2020-5413)

Vulnerability from nvd – Published: 2020-07-31 19:40 – Updated: 2024-09-16 16:22

Summary

Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains malicious code for execution during deserialization. In order to protect against this type of attack, Kryo can be configured to require a set of trusted classes for (de)serialization. Spring Integration should be proactive against blocking unknown "deserialization gadgets" when configuring Kryo in code.

Severity ?

No CVSS data available.

CWE

CWE-502 - Deserialization of Untrusted Data

Assigner

pivotal

References

URL

Tags

	https://tanzu.vmware.com/security/cve-2020-5413	x_refsource_CONFIRM
	https://www.oracle.com/security-alerts/cpuApr2021.html	x_refsource_MISC
	https://www.oracle.com//security-alerts/cpujul2021.html	x_refsource_MISC
	https://www.oracle.com/security-alerts/cpuoct2021.html	x_refsource_MISC
	https://www.oracle.com/security-alerts/cpuapr2022.html	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Spring by VMware	Spring Integration	Affected: 4.3 , < v4.3.23.RELEASE (custom) Affected: 5.1 , < v5.1.12.RELEASE (custom) Affected: 5.2 , < v5.2.8.RELEASE (custom) Affected: 5.3 , < v5.3.2.RELEASE (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T08:30:24.064Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://tanzu.vmware.com/security/cve-2020-5413"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Spring Integration",
          "vendor": "Spring by VMware",
          "versions": [
            {
              "lessThan": "v4.3.23.RELEASE",
              "status": "affected",
              "version": "4.3",
              "versionType": "custom"
            },
            {
              "lessThan": "v5.1.12.RELEASE",
              "status": "affected",
              "version": "5.1",
              "versionType": "custom"
            },
            {
              "lessThan": "v5.2.8.RELEASE",
              "status": "affected",
              "version": "5.2",
              "versionType": "custom"
            },
            {
              "lessThan": "v5.3.2.RELEASE",
              "status": "affected",
              "version": "5.3",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2020-07-23T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the \"deserialization gadgets\" exploit when provided data contains malicious code for execution during deserialization. In order to protect against this type of attack, Kryo can be configured to require a set of trusted classes for (de)serialization. Spring Integration should be proactive against blocking unknown \"deserialization gadgets\" when configuring Kryo in code."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502: Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-19T23:23:07",
        "orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
        "shortName": "pivotal"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://tanzu.vmware.com/security/cve-2020-5413"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Kryo Configuration Allows Code Execution with Unknown \"Serialization Gadgets\"",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@pivotal.io",
          "DATE_PUBLIC": "2020-07-23T00:00:00.000Z",
          "ID": "CVE-2020-5413",
          "STATE": "PUBLIC",
          "TITLE": "Kryo Configuration Allows Code Execution with Unknown \"Serialization Gadgets\""
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Spring Integration",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "4.3",
                            "version_value": "v4.3.23.RELEASE"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "5.1",
                            "version_value": "v5.1.12.RELEASE"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "5.2",
                            "version_value": "v5.2.8.RELEASE"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "5.3",
                            "version_value": "v5.3.2.RELEASE"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Spring by VMware"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the \"deserialization gadgets\" exploit when provided data contains malicious code for execution during deserialization. In order to protect against this type of attack, Kryo can be configured to require a set of trusted classes for (de)serialization. Spring Integration should be proactive against blocking unknown \"deserialization gadgets\" when configuring Kryo in code."
            }
          ]
        },
        "impact": null,
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-502: Deserialization of Untrusted Data"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://tanzu.vmware.com/security/cve-2020-5413",
              "refsource": "CONFIRM",
              "url": "https://tanzu.vmware.com/security/cve-2020-5413"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
            },
            {
              "name": "https://www.oracle.com//security-alerts/cpujul2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
    "assignerShortName": "pivotal",
    "cveId": "CVE-2020-5413",
    "datePublished": "2020-07-31T19:40:19.970815Z",
    "dateReserved": "2020-01-03T00:00:00",
    "dateUpdated": "2024-09-16T16:22:53.854Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Search criteria

2 vulnerabilities found for Spring Integration by Spring by VMware

CVE-2020-5413 (GCVE-0-2020-5413)

CVE-2020-5413 (GCVE-0-2020-5413)