CVE-2020-5413

CRITICAL

Spring Integration - Deserialization

Title source: llm

Description

Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains malicious code for execution during deserialization. In order to protect against this type of attack, Kryo can be configured to require a set of trusted classes for (de)serialization. Spring Integration should be proactive against blocking unknown "deserialization gadgets" when configuring Kryo in code.

References (5)

[Vendor Advisory] https://tanzu.vmware.com/security/cve-2020-5413

[Patch, Third Party Advisory] https://www.oracle.com//security-alerts/cpujul2021.html

[Patch, Third Party Advisory] https://www.oracle.com/security-alerts/cpuApr2021.html

[Patch, Third Party Advisory] https://www.oracle.com/security-alerts/cpuapr2022.html

[Patch, Third Party Advisory] https://www.oracle.com/security-alerts/cpuoct2021.html

Scores

CVSS v3 9.8

EPSS 0.0218

EPSS Percentile 84.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502

Status published

Affected Products (18)

vmware/spring_integration < 4.3.22

oracle/banking_corporate_lending_process_management

oracle/banking_corporate_lending_process_management

oracle/banking_corporate_lending_process_management

oracle/banking_credit_facilities_process_management

oracle/banking_credit_facilities_process_management

oracle/banking_credit_facilities_process_management

oracle/banking_supply_chain_finance

oracle/banking_supply_chain_finance

oracle/banking_supply_chain_finance

oracle/banking_virtual_account_management

oracle/banking_virtual_account_management

oracle/banking_virtual_account_management

oracle/flexcube_private_banking

oracle/flexcube_private_banking

... and 3 more

Timeline

Published Jul 31, 2020

Tracked Since Feb 18, 2026