CVE-2020-5413

high-risk
Published 2020-07-31

Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains malicious code for execution during deserialization. In order to protect against this type of attack, Kryo can be configured to require a set of trusted classes for (de)serialization. Spring Integration should be proactive against blocking unknown "deserialization gadgets" when configuring Kryo in code.

Do I need to act?

~
2.2% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (17)

Spring Integration

Affected Vendors

Oracle Vmware

References (10)

Vendor Advisory https://tanzu.vmware.com/security/cve-2020-5413
Patch https://www.oracle.com//security-alerts/cpujul2021.html
Patch https://www.oracle.com/security-alerts/cpuApr2021.html
Patch https://www.oracle.com/security-alerts/cpuapr2022.html
Patch https://www.oracle.com/security-alerts/cpuoct2021.html
Vendor Advisory https://tanzu.vmware.com/security/cve-2020-5413
Patch https://www.oracle.com//security-alerts/cpujul2021.html
Patch https://www.oracle.com/security-alerts/cpuApr2021.html
Patch https://www.oracle.com/security-alerts/cpuapr2022.html
Patch https://www.oracle.com/security-alerts/cpuoct2021.html
56
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 5/34 · Minimal
Exposure 19/34 · Moderate