CVE-2017-8045

Published Nov 27, 2017

Last updated 25 days ago

CVSS critical 9.8

Overview

Description: In Pivotal Spring AMQP versions prior to 1.7.4, 1.6.11, and 1.5.7, an org.springframework.amqp.core.Message may be unsafely deserialized when being converted into a string. A malicious payload could be crafted to exploit this and enable a remote code execution attack.
Source: security_alert@emc.com
NVD status: Deferred

Risk scores

CVSS 3.0

Type: Primary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

CVSS 2.0

Type: Primary
Base score: 7.5
Impact score: 6.4
Exploitability score: 10
Vector string: AV:N/AC:L/Au:N/C:P/I:P/A:P

Weaknesses

nvd@nist.gov: CWE-502

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.5.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "8ACFBB63-5DF2-4CFE-9F37-B4F91BAF210C"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.5.0:m1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "FD0434AC-A22B-410C-BD47-5416ED236D6B"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.5.0:rc1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "01C1A0C8-5881-4D45-9BAE-47342892610D"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.5.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "BFE1950B-E677-4B62-80D6-DAD8AA90D74B"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.5.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "56444AA0-79FF-4E96-A06A-5DE099D26F03"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.5.3:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "06313540-F311-4F45-BD93-A318D0773354"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.5.4:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "CF8111C7-D43F-4CE3-AD94-7A0A09036E32"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.5.5:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "1C49EC65-236E-4831-A8C0-9AEF1B308ABC"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.5.6:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "176DD4C4-21E3-4E17-AE78-298325AE7FB5"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.6.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "70A38607-63FD-4270-9BCC-EFCCEDDD4496"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.6.0:m1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "3B334BA4-4CBA-48A0-B347-3E23FA003DB7"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.6.0:m2:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "64170B60-0D44-4F98-B57F-9A2A05E62ADA"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.6.0:rc1:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "6B6643CB-F480-462C-9C54-4F2D9F78ADD6"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.6.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "EC9B6464-C6E5-4944-8745-02605C068D0A"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.6.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "4C88C739-8DBC-4719-B0FD-A18FA598184B"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.6.3:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "485FE522-130B-49EB-A84F-E30E70D866FD"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.6.4:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D636C03C-420A-4997-9C01-2019EF481AD5"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.6.5:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "7E00506B-2BE4-48D6-8E7C-4A719521FC98"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.6.6:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "CC55C720-3B3B-456E-9E03-BE2BEB85C211"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.6.7:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "05C87474-4BC3-4EDE-B54D-B91154826224"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.6.8:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "EA632EBE-06AA-4A6E-A1DF-5C71F88A3EC4"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.6.9:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "5FAA749F-46DF-4176-ABF0-904F8F506FCD"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.6.10:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "3DBB0442-EE82-4AEA-B370-58AFFA2656DA"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.7.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "4138AE8A-DA42-404F-A5FA-5B99891B0A54"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.7.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "DBDF3851-F41B-473E-BDBE-3F45A476ECAC"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.7.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "0BCC4621-0BF1-4869-AC68-AA14B645458B"
          },
          {
            "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.7.3:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "24E48B94-9D63-47CB-BB04-DC4DCC19950B"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.

Overview

Risk scores

CVSS 3.0

CVSS 2.0

Weaknesses

Social media

Configurations

References