CVE-2017-8045: Remote code execution in spring-amqp
Spring by Pivotal
In affected versions of Spring AMQP, a org.springframework.amqp.core.Message may be unsafely deserialized when being converted into a string. A malicious payload could be crafted to exploit this and enable a remote code execution attack.
Affected VMware Products and Versions
Severity is high unless otherwise noted.
- Spring AMQP versions prior to 1.7.4, 1.6.11, and 1.5.7
Users of affected versions should apply the following mitigation:
- Releases that have fixed this issue include:
  - Spring AMQP: 2.0.0, 1.7.4, 1.6.11, 1.5.7
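To check a build against the version ranges above, the following Python script (an added example, not part of the advisory or of Spring AMQP) classifies spring-amqp coordinates found in dependency-listing output. The coordinate shapes, the handling of the `.RELEASE` suffix and of milestone or snapshot qualifiers, and the sample lines are assumptions made for this example.

```python
import re

# Fixed release per maintenance line, as listed in the advisory.
FIXED = {(1, 5): (1, 5, 7), (1, 6): (1, 6, 11), (1, 7): (1, 7, 4)}
FIRST_FIXED_2X = (2, 0, 0)

# Assumed coordinate shapes: Maven "group:artifact:jar:version:scope"
# and Gradle "group:artifact:version".
COORD = re.compile(r"org\.springframework\.amqp:spring-amqp:(?:jar:)?([0-9][\w.\-]*)")
VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[.\-]([\w\-]+))?")


def classify(version):
    """Return 'affected', 'fixed' or 'review' for one version string."""
    m = VERSION.fullmatch(version)
    if not m:
        return "review"
    core = tuple(int(part) for part in m.group(1, 2, 3))  # numeric, so 10 < 11
    prerelease = m.group(4) not in (None, "RELEASE")
    if core[:2] in FIXED:
        threshold = FIXED[core[:2]]
    elif core < (1, 5, 0):
        return "affected"  # precedes 1.5.7; the advisory lists no fix for the line
    elif core >= FIRST_FIXED_2X:
        threshold = FIRST_FIXED_2X
    else:
        return "review"  # a release line the advisory does not mention
    if core != threshold:
        return "fixed" if core > threshold else "affected"
    # Milestone/snapshot builds of a fixed version are not covered by the advisory.
    return "review" if prerelease else "fixed"


def scan(lines):
    """Return (version, status) for every spring-amqp coordinate found."""
    return [(m.group(1), classify(m.group(1)))
            for line in lines for m in COORD.finditer(line)]


# Constructed sample of dependency-listing output (not from the advisory).
SAMPLE = [
    "[INFO]    org.springframework.amqp:spring-amqp:jar:1.6.10.RELEASE:compile",
    "+--- org.springframework.amqp:spring-amqp:1.7.4.RELEASE",
    "[INFO]    org.springframework:spring-core:jar:4.3.10.RELEASE:compile",
    "\\--- org.springframework.amqp:spring-amqp:2.0.0.M5",
]

if __name__ == "__main__":
    for version, status in scan(SAMPLE):
        print(f"spring-amqp {version}: {status}")
```

A `review` result means the advisory does not say whether that build is fixed, so it should be checked by hand rather than assumed safe.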
This vulnerability was responsibly reported by Man Yue Mo from Semmle and lgtm.com.
2017-09-19: Initial vulnerability report published