CVE-2023-34050

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2023-34050

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-34050.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-34050

Published

2023-10-19T08:15:08.357Z

Modified

2026-03-14T12:07:27.821193Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

[none]

Details

In spring AMQP versions 1.0.0 to 2.4.16 and 3.0.0 to 3.0.9 , allowed list patterns for deserializable class names were added to Spring AMQP, allowing users to lock down deserialization of data in messages from untrusted sources; however by default, when no allowed list was provided, all classes could be deserialized.

Specifically, an application is vulnerable if

the SimpleMessageConverter or SerializerMessageConverter is used
the user does not configure allowed list patterns
untrusted message originators gain permissions to write messages to the RabbitMQ broker to send malicious content

References

https://spring.io/security/cve-2023-34050

Affected packages

Git / github.com/spring-projects/spring-amqp

Affected ranges

Type

GIT

Repo

https://github.com/spring-projects/spring-amqp

Events

Introduced

8ae9f4fd5a1a90ad912a2aa1dce147f993202655

Fixed

b95c1e83a5075e792292e8e51623b8d888be5b84

Introduced

abdb4c0442df31944d794859724de1899d24963e

Fixed

ff7355c5d81335c3eae17960bbef076ac65b9994

Database specific

{
    "versions": [
        {
            "introduced": "1.0.0"
        },
        {
            "fixed": "2.4.16"
        },
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "3.0.9"
        }
    ]
}

Affected versions

v3.*

v3.0.0

v3.0.1

v3.0.2

v3.0.3

v3.0.4

v3.0.5

v3.0.6

v3.0.7

v3.0.8

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-34050.json"