Spring AMQP CVE-2023-34050: Default deserialization allows all classes
CVE-2023-34050 Published on October 19, 2023
Spring AMQP Deserialization Vulnerability
In Spring AMQP versions 1.0.0 to 2.4.16 and 3.0.0 to 3.0.9, allowed list patterns for deserializable class names were added to Spring AMQP, allowing users to lock down deserialization of data in messages from untrusted sources; however, by default, when no allowed list was provided, all classes could be deserialized.
Specifically, an application is vulnerable if
* the SimpleMessageConverter or SerializerMessageConverter is used
* the user does not configure allowed list patterns
* untrusted message originators gain permissions to write messages to the RabbitMQ broker to send malicious content
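The mitigation the advisory points to, shown as an added example that is not from the advisory or the Spring AMQP project: the default converter beside one configured with allowed list patterns, assuming a Spring Boot application whose own payload classes live in the hypothetical package com.example.orders.

```java
import java.util.List;

import org.springframework.amqp.support.converter.MessageConverter;
import org.springframework.amqp.support.converter.SimpleMessageConverter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class RabbitConverterConfig {

    // Weak configuration (shown for contrast, deliberately not registered as a
    // bean): a SimpleMessageConverter with no allowed list patterns. In the
    // affected versions this deserializes any class on the classpath when a
    // message arrives with content type application/x-java-serialized-object.
    public MessageConverter unrestrictedConverter() {
        return new SimpleMessageConverter();
    }

    // Hardened configuration: restrict Java deserialization to the classes the
    // application actually expects. Patterns are matched against the fully
    // qualified class name of every object read from the stream, so collection
    // and wrapper types used inside the payload must be listed too; anything
    // that does not match is rejected before it is instantiated.
    @Bean
    public MessageConverter restrictedConverter() {
        SimpleMessageConverter converter = new SimpleMessageConverter();
        converter.setAllowedListPatterns(List.of(
                "com.example.orders.*",   // hypothetical application payload package
                "java.util.ArrayList",    // only the collection types the payloads use
                "java.lang.*"));          // boxed primitives and String
        return converter;
    }
}
```

Spring Boot wires a single MessageConverter bean into both the RabbitTemplate and the listener container factory, so registering only the restricted converter applies the allowed list to every consumer; the same setter exists on SerializerMessageConverter.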
Vulnerability Analysis
CVE-2023-34050 is exploitable with network access and requires user privileges. This vulnerability is considered to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, no impact on integrity, and a high impact on availability.
Products Associated with CVE-2023-34050
Affected Versions
Spring AMQP:
- Versions from 1.0.0 and below 2.4.17 are affected.
- Versions from 3.0.0 and below 3.0.10 are affected.