fkie_nvd - fkie_cve-2017-8045

fkie_cve-2017-8045

Vulnerability from fkie_nvd

Published

2017-11-27 10:29

Modified

2025-04-20 01:37

Severity ?

9.8 (Critical) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

In Pivotal Spring AMQP versions prior to 1.7.4, 1.6.11, and 1.5.7, an org.springframework.amqp.core.Message may be unsafely deserialized when being converted into a string. A malicious payload could be crafted to exploit this and enable a remote code execution attack.

References

URL	Tags
security_alert@emc.com	http://www.securityfocus.com/bid/100936	Third Party Advisory, VDB Entry
security_alert@emc.com	https://pivotal.io/security/cve-2017-8045	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/100936	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://pivotal.io/security/cve-2017-8045	Vendor Advisory

Impacted products

Vendor	Product	Version
pivotal_software	spring_advanced_message_queuing_protocol	1.5.0
pivotal_software	spring_advanced_message_queuing_protocol	1.5.0
pivotal_software	spring_advanced_message_queuing_protocol	1.5.0
pivotal_software	spring_advanced_message_queuing_protocol	1.5.1
pivotal_software	spring_advanced_message_queuing_protocol	1.5.2
pivotal_software	spring_advanced_message_queuing_protocol	1.5.3
pivotal_software	spring_advanced_message_queuing_protocol	1.5.4
pivotal_software	spring_advanced_message_queuing_protocol	1.5.5
pivotal_software	spring_advanced_message_queuing_protocol	1.5.6
pivotal_software	spring_advanced_message_queuing_protocol	1.6.0
pivotal_software	spring_advanced_message_queuing_protocol	1.6.0
pivotal_software	spring_advanced_message_queuing_protocol	1.6.0
pivotal_software	spring_advanced_message_queuing_protocol	1.6.0
pivotal_software	spring_advanced_message_queuing_protocol	1.6.1
pivotal_software	spring_advanced_message_queuing_protocol	1.6.2
pivotal_software	spring_advanced_message_queuing_protocol	1.6.3
pivotal_software	spring_advanced_message_queuing_protocol	1.6.4
pivotal_software	spring_advanced_message_queuing_protocol	1.6.5
pivotal_software	spring_advanced_message_queuing_protocol	1.6.6
pivotal_software	spring_advanced_message_queuing_protocol	1.6.7
pivotal_software	spring_advanced_message_queuing_protocol	1.6.8
pivotal_software	spring_advanced_message_queuing_protocol	1.6.9
pivotal_software	spring_advanced_message_queuing_protocol	1.6.10
pivotal_software	spring_advanced_message_queuing_protocol	1.7.0
pivotal_software	spring_advanced_message_queuing_protocol	1.7.1
pivotal_software	spring_advanced_message_queuing_protocol	1.7.2
pivotal_software	spring_advanced_message_queuing_protocol	1.7.3

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.5.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "8ACFBB63-5DF2-4CFE-9F37-B4F91BAF210C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.5.0:m1:*:*:*:*:*:*",
              "matchCriteriaId": "FD0434AC-A22B-410C-BD47-5416ED236D6B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.5.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "01C1A0C8-5881-4D45-9BAE-47342892610D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.5.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "BFE1950B-E677-4B62-80D6-DAD8AA90D74B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.5.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "56444AA0-79FF-4E96-A06A-5DE099D26F03",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.5.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "06313540-F311-4F45-BD93-A318D0773354",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.5.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "CF8111C7-D43F-4CE3-AD94-7A0A09036E32",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.5.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "1C49EC65-236E-4831-A8C0-9AEF1B308ABC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.5.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "176DD4C4-21E3-4E17-AE78-298325AE7FB5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.6.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "70A38607-63FD-4270-9BCC-EFCCEDDD4496",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.6.0:m1:*:*:*:*:*:*",
              "matchCriteriaId": "3B334BA4-4CBA-48A0-B347-3E23FA003DB7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.6.0:m2:*:*:*:*:*:*",
              "matchCriteriaId": "64170B60-0D44-4F98-B57F-9A2A05E62ADA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.6.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "6B6643CB-F480-462C-9C54-4F2D9F78ADD6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.6.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "EC9B6464-C6E5-4944-8745-02605C068D0A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.6.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "4C88C739-8DBC-4719-B0FD-A18FA598184B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.6.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "485FE522-130B-49EB-A84F-E30E70D866FD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.6.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "D636C03C-420A-4997-9C01-2019EF481AD5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.6.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "7E00506B-2BE4-48D6-8E7C-4A719521FC98",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.6.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "CC55C720-3B3B-456E-9E03-BE2BEB85C211",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.6.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "05C87474-4BC3-4EDE-B54D-B91154826224",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.6.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "EA632EBE-06AA-4A6E-A1DF-5C71F88A3EC4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.6.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "5FAA749F-46DF-4176-ABF0-904F8F506FCD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.6.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "3DBB0442-EE82-4AEA-B370-58AFFA2656DA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "4138AE8A-DA42-404F-A5FA-5B99891B0A54",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.7.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "DBDF3851-F41B-473E-BDBE-3F45A476ECAC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.7.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "0BCC4621-0BF1-4869-AC68-AA14B645458B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:pivotal_software:spring_advanced_message_queuing_protocol:1.7.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "24E48B94-9D63-47CB-BB04-DC4DCC19950B",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In Pivotal Spring AMQP versions prior to 1.7.4, 1.6.11, and 1.5.7, an org.springframework.amqp.core.Message may be unsafely deserialized when being converted into a string. A malicious payload could be crafted to exploit this and enable a remote code execution attack."
    },
    {
      "lang": "es",
      "value": "En Pivotal Spring AMQP, en versiones anteriores a la 1.7.4, 1.6.11 y 1.5.7, org.springframework.amqp.core.Message podr\u00eda deserializarse de forma insegura al convertirse en cadena. Una carga \u00fatil maliciosa podr\u00eda manipularse para explotar esto y permitir un ataque de ejecuci\u00f3n remota de c\u00f3digo."
    }
  ],
  "id": "CVE-2017-8045",
  "lastModified": "2025-04-20T01:37:25.860",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2017-11-27T10:29:00.907",
  "references": [
    {
      "source": "security_alert@emc.com",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/100936"
    },
    {
      "source": "security_alert@emc.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://pivotal.io/security/cve-2017-8045"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/100936"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://pivotal.io/security/cve-2017-8045"
    }
  ],
  "sourceIdentifier": "security_alert@emc.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CVE-2017-8045 (GCVE-0-2017-8045)

Vulnerability from cvelistv5

Published

2017-11-27 10:00