{
  "threat_severity" : "Moderate",
  "public_date" : "2023-10-19T00:00:00Z",
  "bugzilla" : {
    "description" : "springframework-amqp: Deserialization Vulnerability",
    "id" : "2246065",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2246065"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-502",
  "details" : [ "In Spring AMQP versions 1.0.0 to 2.4.16 and 3.0.0 to 3.0.9, allowed list patterns for deserializable class names were added to Spring AMQP, allowing users to lock down deserialization of data in messages from untrusted sources; however, by default, when no allowed list was provided, all classes could be deserialized.\nSpecifically, an application is vulnerable if\n* the SimpleMessageConverter or SerializerMessageConverter is used\n* the user does not configure allowed list patterns\n* untrusted message originators gain permissions to write messages to the RabbitMQ broker to send malicious content", "A flaw was found in Spring Framework AMQP. An allowed list exists in Spring AMQP, but when no allowed list is provided, all classes could be deserialized, allowing a malicious user to send harmful content to the broker." ],
  "statement" : "This flaw requires previous knowledge and access to the messages in order to get them deserialized and possibly leak information. It also requires missing server side configurations to prevent unwanted behavior. Therefore, this is rated as a Moderate impact.",
  "affected_release" : [ {
    "product_name" : "Red Hat AMQ Clients",
    "release_date" : "2023-12-07T00:00:00Z",
    "advisory" : "RHSA-2023:7697",
    "cpe" : "cpe:/a:redhat:amq_clients:2023_q4",
    "package" : "org.amqphub.spring-amqp-10-jms-spring-boot-parent"
  } ],
  "package_state" : [ {
    "product_name" : "A-MQ Clients 2",
    "fix_state" : "Affected",
    "package_name" : "org.amqphub.spring-amqp-10-jms-spring-boot-parent",
    "cpe" : "cpe:/a:redhat:a_mq_clients:2"
  }, {
    "product_name" : "A-MQ Clients 2",
    "fix_state" : "Not affected",
    "package_name" : "org.apache.logging.log4j-log4j",
    "cpe" : "cpe:/a:redhat:a_mq_clients:2"
  }, {
    "product_name" : "Red Hat build of Apache Camel for Spring Boot 3",
    "fix_state" : "Will not fix",
    "package_name" : "spring-amqp",
    "cpe" : "cpe:/a:redhat:camel_spring_boot:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "log4j",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-34050\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-34050\nhttps://spring.io/security/cve-2023-34050" ],
  "name" : "CVE-2023-34050",
  "mitigation" : {
    "value" : "An application may be vulnerable if:\n- The SimpleMessageConverter or SerializerMessageConverter is used\n- The user does not configure allowed list patterns\n- Untrusted message originators gain permissions to write messages to the RabbitMQ broker to send malicious content\nMake sure these are avoided in order to mitigate the issue.",
    "lang" : "en:us"
  },
  "csaw" : false
}