Spring Amqp
Approved changes feed: RSS · Atom
cpe:2.3:a:spring:spring_amqp:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Spring (4c7a31af-cbd7-516f-b1ce-2d5f574797bc) |
|---|---|
| Product | Spring Amqp (459047cc-b6e9-5490-a02e-468f062ef415) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | ||
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2023-34050 |
vulnerable | 2026-06-03 14:52:15.519187 |
Spring AMQP Deserialization Vulnerability
MEDIUM (5)
In spring AMQP versions 1.0.0 to
2.4.16 and 3.0.0 to 3.0.9 , allowed list patterns for deserializable class
names were added to Spring AMQP, allowing users to lock down deserialization of
data in messages from untrusted sources; however by default, when no allowed
list was provided, all classes could be deserialized.
Specifically, an application is
vulnerable if
* the
SimpleMessageConverter or SerializerMessageConverter is used
* the user
does not configure allowed list patterns
* untrusted
message originators gain permissions to write messages to the RabbitMQ
broker to send malicious content
Published: 2023-10-19T07:11:35.038Z
Updated: 2024-09-12T17:58:46.718Z Reference links |
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.