Path to dependency file: /commons/pac-api-commons/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/amqp/spring-amqp/2.0.5.RELEASE/spring-amqp-2.0.5.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/amqp/spring-amqp/2.0.5.RELEASE/spring-amqp-2.0.5.RELEASE.jar
In spring AMQP versions 1.0.0 to
2.4.16 and 3.0.0 to 3.0.9 , allowed list patterns for deserializable class
names were added to Spring AMQP, allowing users to lock down deserialization of
data in messages from untrusted sources; however by default, when no allowed
list was provided, all classes could be deserialized.
Specifically, an application is
vulnerable if
* the
SimpleMessageConverter or SerializerMessageConverter is used
* the user
does not configure allowed list patterns
* untrusted
message originators gain permissions to write messages to the RabbitMQ
broker to send malicious content
CVE-2023-34050 - Medium Severity Vulnerability
Spring AMQP Core
Library home page: http://spring.io
Path to dependency file: /commons/pac-api-commons/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/amqp/spring-amqp/2.0.5.RELEASE/spring-amqp-2.0.5.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/amqp/spring-amqp/2.0.5.RELEASE/spring-amqp-2.0.5.RELEASE.jar
Dependency Hierarchy: - spring-cloud-starter-bus-amqp-2.0.0.RELEASE.jar (Root Library) - spring-cloud-starter-stream-rabbit-2.0.0.RELEASE.jar - spring-cloud-stream-binder-rabbit-2.0.0.RELEASE.jar - spring-cloud-stream-binder-rabbit-core-2.0.0.RELEASE.jar - spring-boot-starter-amqp-2.0.4.RELEASE.jar - spring-rabbit-2.0.5.RELEASE.jar - :x: **spring-amqp-2.0.5.RELEASE.jar** (Vulnerable Library)
Found in HEAD commit: acf9a0620c1a37cee4f2896d71e1c3731c5c7b06
Found in base branch: master
In spring AMQP versions 1.0.0 to 2.4.16 and 3.0.0 to 3.0.9 , allowed list patterns for deserializable class names were added to Spring AMQP, allowing users to lock down deserialization of data in messages from untrusted sources; however by default, when no allowed list was provided, all classes could be deserialized. Specifically, an application is vulnerable if * the SimpleMessageConverter or SerializerMessageConverter is used * the user does not configure allowed list patterns * untrusted message originators gain permissions to write messages to the RabbitMQ broker to send malicious content
Publish Date: 2023-10-19
URL: CVE-2023-34050
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: High - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://spring.io/security/cve-2023-34050
Release Date: 2023-10-19
Fix Resolution (org.springframework.amqp:spring-amqp): 2.4.17
Direct dependency fix Resolution (org.springframework.cloud:spring-cloud-starter-bus-amqp): 3.1.2