
CVE-2017-8045: Remote code execution in spring-amqp

Severity

High

Vendor

Spring by Pivotal

Description

In affected versions of Spring AMQP, an org.springframework.amqp.core.Message may be unsafely deserialized when it is converted to a string. A malicious payload could be crafted to exploit this and achieve remote code execution.

Affected Pivotal Products and Versions

Severity is high unless otherwise noted.

  • Spring AMQP versions prior to 1.7.4, 1.6.11, and 1.5.7

Mitigation

Users of affected versions should apply the following mitigation:

  • Releases that have fixed this issue include:
    • Spring AMQP: 2.0.0, 1.7.4, 1.6.11, 1.5.7
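
As an added check (example code, not Pivotal's or the Spring project's own), the following Python classifies a declared spring-amqp version against the fixed releases listed above and scans constructed `mvn dependency:list` output for affected artifacts; how branches older than 1.5 or 1.x branches newer than 1.7 are treated is an assumption stated in the code.

```python
"""Check whether a declared Spring AMQP version falls in the range this
advisory (CVE-2017-8045) lists as affected. Added example, not Pivotal's
code; the sample dependency lines below are constructed."""
import re

# Fixed releases named in the advisory, keyed by maintenance branch.
FIXED_BY_BRANCH = {(1, 5): (1, 5, 7), (1, 6): (1, 6, 11), (1, 7): (1, 7, 4)}
FIRST_FIXED_MAJOR = 2  # 2.0.0 and later are listed as fixed

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]([A-Za-z0-9]+))?$")

def parse_version(text):
    """Return (major, minor, patch); a qualifier such as .RELEASE is ignored."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(x) for x in m.groups()[:3])

def is_affected(text):
    """True when the version precedes the fixed release on its branch.
    Assumption (the page names no branch older than 1.5): any branch below
    1.5 counts as affected, since all releases before 1.5.7 are listed;
    a 1.x branch above 1.7 is not named and is reported as not affected."""
    major, minor, patch = parse_version(text)
    if major >= FIRST_FIXED_MAJOR:
        return False
    fixed = FIXED_BY_BRANCH.get((major, minor))
    if fixed is None:
        return (major, minor) < (1, 5)
    return (major, minor, patch) < fixed

# Matches the artifact line `mvn dependency:list` prints for spring-amqp.
DEP_RE = re.compile(r"org\.springframework\.amqp:spring-amqp:jar:([^:\s]+)")

def affected_versions(dependency_lines):
    """Return every spring-amqp version in the lines that is_affected flags."""
    found = []
    for line in dependency_lines:
        m = DEP_RE.search(line)
        if m and is_affected(m.group(1)):
            found.append(m.group(1))
    return found

# Constructed sample of dependency:list output, not real project output.
SAMPLE = [
    "[INFO]    org.springframework.amqp:spring-amqp:jar:1.7.3.RELEASE:compile",
    "[INFO]    org.springframework.amqp:spring-rabbit:jar:1.7.3.RELEASE:compile",
    "[INFO]    org.springframework.amqp:spring-amqp:jar:1.7.4.RELEASE:compile",
]
```

Running `affected_versions(SAMPLE)` returns `['1.7.3.RELEASE']`; the spring-rabbit line is skipped because only the spring-amqp artifact is matched.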

Credit

This vulnerability was responsibly reported by Man Yue Mo from Semmle and lgtm.com.

References

History

2017-09-19: Initial vulnerability report published