Description
Severity : Sonatype CVSS 3: 9.8CVE CVSS 2.0: 0.0
Weakness : Sonatype CWE: 470
Source : Sonatype Data Research
Explanation : The spring-beans package is vulnerable to Remote Code Execution [RCE]. The constructor method in the CachedIntrospectionResults class allows the loading of arbitrary classes. A remote attacker can exploit this vulnerability to upload a malicious class and ultimately result in RCE.
This issue is due to an insufficient fix for CVE-2010-1622.
:We are still investigating other avenues of attack but out of an abundance of caution, and media attention, are releasing this advisory now.
Detection : The application is vulnerable by using this component, if using Java version 9 or above.
Mitigation: Upgrade spring version to latest available.
Attachments
Issue Links
- is duplicated by
-
AMQ-8565 Upgrade to Spring 5.3.18
- Resolved