Spring Integration
Approved changes feed: RSS · Atom
cpe:2.3:a:spring_by_vmware:spring_integration:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Spring By Vmware (e0b0b549-71d2-5c8a-be30-1f02c144ba93) |
|---|---|
| Product | Spring Integration (1d6d0b6b-cbbe-5456-b2ad-63e64d0fdc81) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | ||
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2020-5413 |
vulnerable | 2026-06-08 05:26:42.801689 |
Kryo Configuration Allows Code Execution with Unknown "Serialization Gadgets"
Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains malicious code for execution during deserialization. In order to protect against this type of attack, Kryo can be configured to require a set of trusted classes for (de)serialization. Spring Integration should be proactive against blocking unknown "deserialization gadgets" when configuring Kryo in code.
Published: 2020-07-31T19:40:19.970Z
Updated: 2024-09-16T16:22:53.854Z |
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.