Vulnerability Description
In spring AMQP versions 1.0.0 to 2.4.16 and 3.0.0 to 3.0.9 , allowed list patterns for deserializable class names were added to Spring AMQP, allowing users to lock down deserialization of data in messages from untrusted sources; however by default, when no allowed list was provided, all classes could be deserialized. Specifically, an application is vulnerable if * the SimpleMessageConverter or SerializerMessageConverter is used * the user does not configure allowed list patterns * untrusted message originators gain permissions to write messages to the RabbitMQ broker to send malicious content
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Vmware | Spring Advanced Message Queuing Protocol | >= 1.0.0, < 2.4.16 |
Related Weaknesses (CWE)
References
- https://spring.io/security/cve-2023-34050MitigationVendor Advisory
- https://spring.io/security/cve-2023-34050MitigationVendor Advisory
FAQ
What is CVE-2023-34050?
CVE-2023-34050 is a vulnerability with a CVSS score of 5.0 (MEDIUM). In spring AMQP versions 1.0.0 to 2.4.16 and 3.0.0 to 3.0.9 , allowed list patterns for deserializable class names were added to Spring AMQP, allowing users to lock down deserialization of da...
How severe is CVE-2023-34050?
CVE-2023-34050 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-34050?
Check the references section above for vendor advisories and patch information. Affected products include: Vmware Spring Advanced Message Queuing Protocol.