CVE-2020-5413

CVE-2020-5413: Kryo Configuration Allows Code Execution with Unknown "Serialization Gadgets"

Vendor Spring By Vmware

Product Spring Integration

Weakness CWE-502 · Unsafe deserialization

Published July 31, 2020

Last update September 16, 2024

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains malicious code for execution during deserialization. In order to protect against this type of attack, Kryo can be configured to require a set of trusted classes for (de)serialization. Spring Integration should be proactive against blocking unknown "deserialization gadgets" when configuring Kryo in code.

Key dates

02Disclosure timeline

July 31, 2020 CVE published

September 16, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2020-5413 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/502.html

Related vulnerabilities

Identifiers

CVE CVE-2020-5413

CWE CWE-502

Affected versions

Vendor Spring By Vmware

Product Spring Integration

Affected ≥ 4.3 and < v4.3.23.RELEASE

Vendor Spring By Vmware

Product Spring Integration

Affected ≥ 5.1 and < v5.1.12.RELEASE

Vendor Spring By Vmware

Product Spring Integration

Affected ≥ 5.2 and < v5.2.8.RELEASE

Vendor Spring By Vmware

Product Spring Integration

Affected ≥ 5.3 and < v5.3.2.RELEASE

CVE-2020-5413: Kryo Configuration Allows Code Execution with Unknown "Serialization Gadgets"

01Description

02Disclosure timeline

03References

04Related CVE