{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-34050", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2023-05-25T17:21:56.203Z", "datePublished": "2023-10-19T07:11:35.038Z", "dateUpdated": "2024-09-12T17:58:46.718Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["MacOS", "Linux", "iOS", "Android", "x86", "ARM", "64 bit", "Windows", "32 bit"], "product": "Spring AMQP", "vendor": "Spring", "versions": [{"lessThan": "2.4.17", "status": "affected", "version": "1.0.0", "versionType": "2.4.17"}, {"lessThan": "3.0.10", "status": "affected", "version": "3.0.0", "versionType": "3.0.10"}]}], "datePublic": "2023-10-18T06:52:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n\n\n\n\n\n\n\n\n\n<p>In spring AMQP versions 1.0.0 to\n2.4.16 and 3.0.0 to 3.0.9 , allowed list patterns for deserializable class\nnames were added to Spring AMQP, allowing users to lock down deserialization of\ndata in messages from untrusted sources; however by default, when no allowed\nlist was provided, all classes could be deserialized.</p>\n\n<p>Specifically, an application is\nvulnerable if</p>\n\n<ul>\n <li>the\n SimpleMessageConverter or SerializerMessageConverter is used</li>\n <li>the user\n does not configure allowed list patterns</li>\n <li>untrusted\n message originators gain permissions to write messages to the RabbitMQ\n broker to send malicious content</li>\n</ul>\n\n\n\n\n\n"}], "value": "\n\n\n\n\n\n\n\n\n\nIn spring AMQP versions 1.0.0 to\n2.4.16 and 3.0.0 to 3.0.9 , allowed list patterns for deserializable class\nnames were added to Spring AMQP, allowing users to lock down deserialization of\ndata in messages from untrusted sources; however by default, when no allowed\nlist was provided, all classes could be deserialized.\n\n\n\nSpecifically, an application is\nvulnerable if\n\n\n\n\n * the\n SimpleMessageConverter or SerializerMessageConverter is used\n\n * the user\n does not configure allowed list patterns\n\n * untrusted\n message originators gain permissions to write messages to the RabbitMQ\n broker to send malicious content\n\n\n\n\n\n\n\n\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2023-10-19T07:11:35.038Z"}, "references": [{"url": "https://spring.io/security/cve-2023-34050"}], "source": {"discovery": "UNKNOWN"}, "title": "Spring AMQP Deserialization Vulnerability", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:01:52.410Z"}, "title": "CVE Program Container", "references": [{"url": "https://spring.io/security/cve-2023-34050", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-12T17:58:30.805271Z", "id": "CVE-2023-34050", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-12T17:58:46.718Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://spring.io/security/cve-2023-34050", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:01:52.410Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-34050", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-12T17:58:30.805271Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-12T17:58:39.810Z"}}], "cna": {"title": "Spring AMQP Deserialization Vulnerability", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Spring", "product": "Spring AMQP", "versions": [{"status": "affected", "version": "1.0.0", "lessThan": "2.4.17", "versionType": "2.4.17"}, {"status": "affected", "version": "3.0.0", "lessThan": "3.0.10", "versionType": "3.0.10"}], "platforms": ["MacOS", "Linux", "iOS", "Android", "x86", "ARM", "64 bit", "Windows", "32 bit"], "defaultStatus": "unaffected"}], "datePublic": "2023-10-18T06:52:00.000Z", "references": [{"url": "https://spring.io/security/cve-2023-34050"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "\n\n\n\n\n\n\n\n\n\nIn spring AMQP versions 1.0.0 to\n2.4.16 and 3.0.0 to 3.0.9 , allowed list patterns for deserializable class\nnames were added to Spring AMQP, allowing users to lock down deserialization of\ndata in messages from untrusted sources; however by default, when no allowed\nlist was provided, all classes could be deserialized.\n\n\n\nSpecifically, an application is\nvulnerable if\n\n\n\n\n * the\n SimpleMessageConverter or SerializerMessageConverter is used\n\n * the user\n does not configure allowed list patterns\n\n * untrusted\n message originators gain permissions to write messages to the RabbitMQ\n broker to send malicious content\n\n\n\n\n\n\n\n\n\n", "supportingMedia": [{"type": "text/html", "value": "\n\n\n\n\n\n\n\n\n\n\n<p>In spring AMQP versions 1.0.0 to\n2.4.16 and 3.0.0 to 3.0.9 , allowed list patterns for deserializable class\nnames were added to Spring AMQP, allowing users to lock down deserialization of\ndata in messages from untrusted sources; however by default, when no allowed\nlist was provided, all classes could be deserialized.</p>\n\n<p>Specifically, an application is\nvulnerable if</p>\n\n<ul>\n <li>the\n SimpleMessageConverter or SerializerMessageConverter is used</li>\n <li>the user\n does not configure allowed list patterns</li>\n <li>untrusted\n message originators gain permissions to write messages to the RabbitMQ\n broker to send malicious content</li>\n</ul>\n\n\n\n\n\n", "base64": false}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2023-10-19T07:11:35.038Z"}}}, "cveMetadata": {"cveId": "CVE-2023-34050", "state": "PUBLISHED", "dateUpdated": "2024-09-12T17:58:46.718Z", "dateReserved": "2023-05-25T17:21:56.203Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2023-10-19T07:11:35.038Z", "assignerShortName": "vmware"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vmware:spring_advanced_message_queuing_protocol:*:*:*:*:*:*:*:*", "matchCriteriaId": "4750D156-5059-46DE-A787-62DA3319F372", "versionEndExcluding": "2.4.16", "versionStartIncluding": "1.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_advanced_message_queuing_protocol:*:*:*:*:*:*:*:*", "matchCriteriaId": "D7E11342-A840-4A93-822A-2DAC86B9D4A5", "versionEndExcluding": "3.0.9", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "\n\n\n\n\n\n\n\n\n\nIn spring AMQP versions 1.0.0 to\n2.4.16 and 3.0.0 to 3.0.9 , allowed list patterns for deserializable class\nnames were added to Spring AMQP, allowing users to lock down deserialization of\ndata in messages from untrusted sources; however by default, when no allowed\nlist was provided, all classes could be deserialized.\n\n\n\nSpecifically, an application is\nvulnerable if\n\n\n\n\n * the\n SimpleMessageConverter or SerializerMessageConverter is used\n\n * the user\n does not configure allowed list patterns\n\n * untrusted\n message originators gain permissions to write messages to the RabbitMQ\n broker to send malicious content\n\n\n\n\n\n\n\n\n\n"}, {"lang": "es", "value": "En las versiones Spring AMQP 1.0.0 a 2.4.16 y 3.0.0 a 3.0.9, se agregaron a Spring AMQP patrones de listas permitidas para nombres de clases deserializables, lo que permite a los usuarios bloquear la deserializaci\u00f3n de datos en mensajes de fuentes no confiables; sin embargo, de forma predeterminada, cuando no se proporcionaba una lista permitida, se pod\u00edan deserializar todas las clases. Espec\u00edficamente, una aplicaci\u00f3n es vulnerable si * se utiliza SimpleMessageConverter o SerializerMessageConverter * el usuario no configura los patrones de lista permitidos * los originadores de mensajes que no son de confianza obtienen permisos para escribir mensajes al agente RabbitMQ para enviar contenido malicioso"}], "id": "CVE-2023-34050", "lastModified": "2023-10-25T16:54:31.770", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 4.2, "source": "security@vmware.com", "type": "Secondary"}]}, "published": "2023-10-19T08:15:08.357", "references": [{"source": "security@vmware.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://spring.io/security/cve-2023-34050"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2023:7697", "cpe": "cpe:/a:redhat:amq_clients:2023_q4", "package": "org.amqphub.spring-amqp-10-jms-spring-boot-parent", "product_name": "AMQ Clients", "release_date": "2023-12-07T00:00:00Z"}], "bugzilla": {"description": "springframework-amqp: Deserialization Vulnerability", "id": "2246065", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2246065"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "status": "verified"}, "cwe": "CWE-502", "details": ["In spring AMQP versions 1.0.0 to\n2.4.16 and 3.0.0 to 3.0.9 , allowed list patterns for deserializable class\nnames were added to Spring AMQP, allowing users to lock down deserialization of\ndata in messages from untrusted sources; however by default, when no allowed\nlist was provided, all classes could be deserialized.\nSpecifically, an application is\nvulnerable if\n* the\nSimpleMessageConverter or SerializerMessageConverter is used\n* the user\ndoes not configure allowed list patterns\n* untrusted\nmessage originators gain permissions to write messages to the RabbitMQ\nbroker to send malicious content", "A flaw was found in Spring Framework AMQP. An allowed list exists in Spring AMQP, but when no allowed list is provided, all classes could be deserialized, allowing a malicious user to send harmful content to the broker."], "mitigation": {"lang": "en:us", "value": "An application may be vulnerable if:\n- The SimpleMessageConverter or SerializerMessageConverter is used \n- The user does not configure allowed list patterns \n- Untrusted message originators gain permissions to write messages to the RabbitMQ broker to send malicious content\nMake sure these are avoided in order to mitigate the issue."}, "name": "CVE-2023-34050", "package_state": [{"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Affected", "package_name": "org.amqphub.spring-amqp-10-jms-spring-boot-parent", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Not affected", "package_name": "org.apache.logging.log4j-log4j", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Affected", "package_name": "spring-amqp", "product_name": "Red Hat build of Apache Camel for Spring Boot 3"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "log4j", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2023-10-19T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-34050\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-34050\nhttps://spring.io/security/cve-2023-34050"], "statement": "This flaw requires previous knowledge and access to the messages in order to get them deserialized and possibly leak information. It also requires missing server side configurations to prevent unwanted behavior. Therefore, this is rated as a Moderate impact.", "threat_severity": "Moderate", "upstream_fix": "spring-amqp 2.7.17, spring-amqp 3.0.12, spring-amqp 3.1.5, spring-amqp 3.2.0"}