https://bugzilla.redhat.com/show_bug.cgi?id=1493502
Bug ID: 1493502
Summary: CVE-2017-8045 springframework-amqp: Message.toString() deserializes java without a whitelist
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team@redhat.com
Reporter: anemec@redhat.com
CC: java-sig-commits@lists.fedoraproject.org, puntogil@libero.it
In affected versions of Spring AMQP, an org.springframework.amqp.core.Message may be unsafely deserialized when it is converted to a string (for example by Message.toString() in a log statement). A malicious payload could be crafted to exploit this and achieve remote code execution.
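Added example, not code from Spring AMQP or this bug report: a stand-alone ObjectInputStream that refuses to resolve any class whose name does not match an allowed-list pattern, which is the defensive idea the summary says was missing. Class and method names (AllowListObjectInputStream, deserialize, Unexpected) and the sample payloads are constructed for illustration.

```java
import java.io.*;
import java.util.*;
import java.util.regex.Pattern;

public class AllowListDeserializer {

    // ObjectInputStream that checks every class descriptor against an allowed-list
    // before the class is loaded, so no constructor or readObject of an unexpected
    // type ever runs. (Constructed example, not Spring AMQP's own implementation.)
    static final class AllowListObjectInputStream extends ObjectInputStream {
        private final List<Pattern> allowed = new ArrayList<>();

        AllowListObjectInputStream(InputStream in, List<String> globs) throws IOException {
            super(in);
            for (String g : globs) {
                // Turn a simple glob such as "java.util.*" into a regex.
                allowed.add(Pattern.compile(g.replace(".", "\\.").replace("*", ".*")));
            }
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            for (Pattern p : allowed) {
                if (p.matcher(name).matches()) return super.resolveClass(desc);
            }
            throw new InvalidClassException(name, "class not in deserialization allowed-list");
        }
    }

    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(obj); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] body, List<String> globs) throws IOException, ClassNotFoundException {
        try (AllowListObjectInputStream ois = new AllowListObjectInputStream(new ByteArrayInputStream(body), globs)) {
            return ois.readObject();
        }
    }

    // Stand-in for a type the consumer never expects in a message body (constructed).
    static final class Unexpected implements Serializable { }

    public static void main(String[] args) throws Exception {
        List<String> globs = Arrays.asList("java.lang.*", "java.util.*");
        // Allowed: a java.util.HashMap body is resolved and read normally.
        System.out.println(deserialize(serialize(new HashMap<>(Map.of("k", "v"))), globs));
        // Denied: the unexpected class is rejected before it is loaded.
        try { deserialize(serialize(new Unexpected()), globs); }
        catch (InvalidClassException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Spring AMQP exposes the same control on the real Message class as Message.addAllowedListPatterns(String...) in current releases (earlier releases used a "white list" name for the method); the filtering stream above is only a self-contained illustration of that check.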
Upstream issue:
https://jira.spring.io/browse/AMQP-766
Upstream patch:
https://github.com/spring-projects/spring-amqp/commit/36e55998f6352ba3498be9...
References:
https://pivotal.io/security/cve-2017-8045