Closed mend-bolt-for-github[bot] closed 2 years ago
:heavy_check_mark: This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.
CVE-2020-5413 - High Severity Vulnerability
Vulnerable Library - spring-integration-core-5.2.4.RELEASE.jar
Spring Integration Core
Library home page: https://projects.spring.io/spring-integration
Path to dependency file: WinterEE/WinterEE-Core-Serve/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/integration/spring-integration-core/5.2.4.RELEASE/spring-integration-core-5.2.4.RELEASE.jar
Dependency Hierarchy:
- spring-cloud-config-monitor-2.2.2.RELEASE.jar (Root Library)
  - spring-cloud-bus-2.2.1.RELEASE.jar
    - :x: **spring-integration-core-5.2.4.RELEASE.jar** (Vulnerable Library)
Found in HEAD commit: 9d57f3481f4a0f678edb6631b7924d697b67b48b
Found in base branch: master
Vulnerability Details
Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains malicious code for execution during deserialization. In order to protect against this type of attack, Kryo can be configured to require a set of trusted classes for (de)serialization. Spring Integration should be proactive against blocking unknown "deserialization gadgets" when configuring Kryo in code.
Publish Date: 2020-07-31
URL: https://nvd.nist.gov/vuln/detail/CVE-2020-5413
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-5413
Release Date: 2020-08-04
Fix Resolution (upgrade to the fixed release of the branch in use):
- org.springframework.integration:spring-integration-core:4.3.23
- org.springframework.integration:spring-integration-core:5.1.12
- org.springframework.integration:spring-integration-core:5.2.8
- org.springframework.integration:spring-integration-core:5.3.2