CVE-2020-5413 — Code execution in Spring Integration

描述

Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains malicious code for execution during deserialization. In order to protect against this type of attack, Kryo can be configured to require a set of trusted classes for (de)serialization. Spring Integration should be proactive against blocking unknown "deserialization gadgets" when configuring Kryo in code.

如何修補 CVE-2020-5413

要修補 CVE-2020-5413,請將受影響套件升級到下列已修補版本。

—升級至 4.3.23 或更新版本

CVE-2020-5413 正在被利用嗎?

低 — EPSS 為 1.8%,目前沒有觀察到大規模利用活動。

受影響套件(1)

>= 4.3.0, < 4.3.23

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

參考連結(8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-5413
PATCHgithub.com/spring-projects/spring-integration
WEBgithub.com/spring-projects/spring-integration/commit/6a02b5abe97fabab6003d51b98dd45ab009a6e05
WEBtanzu.vmware.com/security/cve-2020-5413