PT-2020-18464 · Spring · Spring Batch

Srikanth Ramu · Published 2020-06-11 · Updated 2022-05-24 · CVE-2020-5411

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Spring Batch (affected versions not specified)

Description: The issue concerns a deserialization vulnerability in Jackson that could lead to arbitrary code execution when default typing is enabled. This vulnerability can be exploited in Spring Batch if its Jackson support is used to serialize a job's ExecutionContext and a malicious user gains write access to the data store used by the JobRepository. The vulnerability is mitigated by Jackson's blacklisting of known "deserialization gadgets". However, to protect against unknown gadgets, proactive measures should be taken when enabling default typing.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
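As an added illustration (not code from the advisory or from the Spring Batch project), the permissive Jackson default-typing configuration the description warns about next to an allowlisted one, run over a constructed sample of serialized context data; the JSON, the class names in it and the allowlist prefixes are assumptions, and the Jackson 2.10+ PolymorphicTypeValidator API is assumed to be available.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectMapper.DefaultTyping;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.impl.LaissezFaireSubTypeValidator;
import java.util.Map;

public class ExecutionContextTypingDemo {

    // Constructed sample (not real Spring Batch output): with default typing,
    // non-natural JSON values carry their class name as a type id. The second
    // entry names a class the job never stores, standing in for a value that
    // was tampered with in the JobRepository data store.
    static final String TAMPERED_CONTEXT_JSON =
        "{\"lastRun\":[\"java.util.Date\",1591833600000],"
      + " \"marker\":[\"java.io.File\",\"/tmp/not-expected\"]}";

    // Weak: the type id embedded in the data decides which class is instantiated;
    // only Jackson's built-in deny list of known gadgets stands in the way.
    static ObjectMapper permissiveMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(LaissezFaireSubTypeValidator.instance, DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Hardened: an explicit allowlist (assumed here) of the value types the job
    // actually stores. Any other type id is rejected before a class is resolved.
    static ObjectMapper allowlistMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("java.lang.")
            .allowIfSubType("java.util.")
            .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        // The permissive mapper happily builds a java.io.File from the tampered entry.
        Map<?, ?> permissive = permissiveMapper().readValue(TAMPERED_CONTEXT_JSON, Map.class);
        System.out.println("permissive mapper produced: " + permissive.get("marker").getClass().getName());

        // The allowlisted mapper refuses the unexpected type id and fails closed.
        try {
            allowlistMapper().readValue(TAMPERED_CONTEXT_JSON, Map.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("allowlist mapper rejected type id: " + e.getTypeId());
        }
    }
}
```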

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

CVE-2020-5411
GHSA-4PH4-Q9R5-6WM6

Affected Products

Jackson
Spring Batch