What is CVE-2023-34050?

CVE-2023-34050 is a vulnerability in Spring AMQP versions 1.0.0 to 2.4.16 and 3.0.0 to 3.0.9 that allows deserialization of data from untrusted sources.

How does CVE-2023-34050 affect VMware Spring Advanced Message Queuing Protocol?

CVE-2023-34050 affects VMware Spring Advanced Message Queuing Protocol versions 1.0.0 to 2.4.16 and 3.0.0 to 3.0.9.

What is the severity of CVE-2023-34050?

The severity of CVE-2023-34050 is medium with a CVSS score of 5.

How can I fix CVE-2023-34050?

To fix CVE-2023-34050, upgrade to a patched version of Spring AMQP (2.4.17 or 3.0.10 or higher) or apply the recommended security patches.

Where can I find more information about CVE-2023-34050?

More information about CVE-2023-34050 can be found at the following reference: [CVE-2023-34050](https://spring.io/security/cve-2023-34050).

Vulnerability/
CVE-2023-34050

medium

CWE

502

19/10/2023

12/9/2024

CVE-2023-34050: Spring AMQP Deserialization Vulnerability

First published: Thu Oct 19 2023(Updated: )

In spring AMQP versions 1.0.0 to 2.4.16 and 3.0.0 to 3.0.9 , allowed list patterns for deserializable class names were added to Spring AMQP, allowing users to lock down deserialization of data in messages from untrusted sources; however by default, when no allowed list was provided, all classes could be deserialized. Specifically, an application is vulnerable if * the SimpleMessageConverter or SerializerMessageConverter is used * the user does not configure allowed list patterns * untrusted message originators gain permissions to write messages to the RabbitMQ broker to send malicious content

Credit: security@vmware.com security@vmware.com

Affected Software	Affected Version	How to fix
Vmware Spring Advanced Message Queuing Protocol	>=1.0.0<2.4.16
Vmware Spring Advanced Message Queuing Protocol	>=3.0.0<3.0.9
redhat/spring-amqp	<2.7.17	2.7.17
redhat/spring-amqp	<3.0.12	3.0.12
redhat/spring-amqp	<3.1.5	3.1.5
redhat/spring-amqp	<3.2.0	3.2.0

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2023-34050?
CVE-2023-34050 is a vulnerability in Spring AMQP versions 1.0.0 to 2.4.16 and 3.0.0 to 3.0.9 that allows deserialization of data from untrusted sources.
How does CVE-2023-34050 affect VMware Spring Advanced Message Queuing Protocol?
CVE-2023-34050 affects VMware Spring Advanced Message Queuing Protocol versions 1.0.0 to 2.4.16 and 3.0.0 to 3.0.9.
What is the severity of CVE-2023-34050?
The severity of CVE-2023-34050 is medium with a CVSS score of 5.
How can I fix CVE-2023-34050?
To fix CVE-2023-34050, upgrade to a patched version of Spring AMQP (2.4.17 or 3.0.10 or higher) or apply the recommended security patches.
Where can I find more information about CVE-2023-34050?
More information about CVE-2023-34050 can be found at the following reference: [CVE-2023-34050](https://spring.io/security/cve-2023-34050).

collector/nvd-index
collector/nvd-api
agent/author
agent/type
agent/softwarecombine
agent/references
agent/weakness
agent/description
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2023-34050
agent/software-canonical-lookup
collector/mitre-cve
source/MITRE
agent/title
agent/severity
agent/tags
agent/last-modified-date
agent/first-publish-date
agent/event
vendor/vmware
canonical/vmware spring advanced message queuing protocol
version/vmware spring advanced message queuing protocol/1.0.0
version/vmware spring advanced message queuing protocol/3.0.0
package-manager/redhat

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.