Description
Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains malicious code for execution during deserialization. In order to protect against this type of attack, Kryo can be configured to require a set of trusted classes for (de)serialization. Spring Integration should be proactive against blocking unknown "deserialization gadgets" when configuring Kryo in code.
References (5)
Core 5
Core References
Vendor Advisory x_refsource_confirm
https://tanzu.vmware.com/security/cve-2020-5413
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuApr2021.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com//security-alerts/cpujul2021.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuoct2021.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuapr2022.html
Scores
CVSS v3
9.8
EPSS
0.0218
EPSS Percentile
84.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-502
Status
published
Products (18)
oracle/banking_corporate_lending_process_management
14.2.0
oracle/banking_corporate_lending_process_management
14.3.0
oracle/banking_corporate_lending_process_management
14.5.0
oracle/banking_credit_facilities_process_management
14.2.0
oracle/banking_credit_facilities_process_management
14.3.0
oracle/banking_credit_facilities_process_management
14.5.0
oracle/banking_supply_chain_finance
14.2.0
oracle/banking_supply_chain_finance
14.3.0
oracle/banking_supply_chain_finance
14.5.0
oracle/banking_virtual_account_management
14.2.0
... and 8 more
Published
Jul 31, 2020
Tracked Since
Feb 18, 2026