Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2020-5413

Good to know:

icon
icon

Date: July 31, 2020

Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains malicious code for execution during deserialization. In order to protect against this type of attack, Kryo can be configured to require a set of trusted classes for (de)serialization. Spring Integration should be proactive against blocking unknown "deserialization gadgets" when configuring Kryo in code.

Language: Java

Severity Score

Related Resources (9)

https://nvd.nist.gov/vuln/detail/CVE-2020-5413
https://www.oracle.com/security-alerts/cpuApr2021.html
https://tanzu.vmware.com/security/cve-2020-5413
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com//security-alerts/cpujul2021.html
https://github.com/spring-projects/spring-integration
https://github.com/spring-projects/spring-integration/commit/6a02b5abe97fabab6003d51b98dd45ab009a6e05
https://www.oracle.com/security-alerts/cpuoct2021.html
https://www.mend.io/vulnerability-database/CVE-2020-5413

Severity Score

Weakness Type (CWE)

Deserialization of Untrusted Data

CWE-502

Top Fix

icon

Upgrade Version

Upgrade to version org.springframework.integration:spring-integration-core:4.3.23,org.springframework.integration:spring-integration-core:5.1.12,org.springframework.integration:spring-integration-core:5.2.8,org.springframework.integration:spring-integration-core:5.3.2

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): HIGH

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (AU): NONE
Confidentiality (C): PARTIAL
Integrity (I): PARTIAL
Availability (A): PARTIAL
Additional information:

Do you need more information?

Contact Us