CVE-2017-8045
Severity: CRITICAL
Spring Advanced Message Queuing Protocol < 1.7.4 - Remote Code Execution via Unsafe Message Deserialization
Title source: llmDescription
In Pivotal Spring AMQP versions prior to 1.7.4, 1.6.11, and 1.5.7, an org.springframework.amqp.core.Message may be unsafely deserialized when being converted into a string. A malicious payload could be crafted to exploit this and enable a remote code execution attack.
References (2)
Core References
Vendor Advisory (x_refsource_confirm): https://pivotal.io/security/cve-2017-8045
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/100936
Scores
CVSS v3
9.8
EPSS
0.0355
EPSS Percentile
87.9%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-502
Status
published
Products (24)
n/a / Spring AMQP: versions prior to 1.7.4, 1.6.11, and 1.5.7
org.springframework.amqp/spring-amqp (Maven): 0 - 1.5.7
pivotal_software/spring_advanced_message_queuing_protocol
1.5.0 (3 CPE variants)
pivotal_software/spring_advanced_message_queuing_protocol
1.5.1
pivotal_software/spring_advanced_message_queuing_protocol
1.5.2
pivotal_software/spring_advanced_message_queuing_protocol
1.5.3
pivotal_software/spring_advanced_message_queuing_protocol
1.5.4
pivotal_software/spring_advanced_message_queuing_protocol
1.5.5
pivotal_software/spring_advanced_message_queuing_protocol
1.5.6
pivotal_software/spring_advanced_message_queuing_protocol
1.6.0 (4 CPE variants)
... and 14 more
Published
Nov 27, 2017
Tracked Since
Feb 18, 2026