PT-2020-4340 · Spring · Spring Integration Framework

Published 2020-07-19 · Updated 2022-05-12 · CVE-2020-5413

CVSS v3.1: 10 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Spring Integration framework (affected versions not specified)
Description: The issue lies in the Kryo Codec implementations of the Spring Integration framework. With Kryo left at its default options, every class named in an incoming stream that has not been registered is resolved on demand, so an attacker who controls the serialized data can cause arbitrary classes to be instantiated and malicious code to run during deserialization. The recommended protection is to configure Kryo to require a set of trusted classes for (de)serialization. A remote attacker can exploit the vulnerability to execute arbitrary code.
Recommendations: For all affected versions of the Spring Integration framework, configure Kryo so that only a registered set of trusted classes can be deserialized, which prevents the execution of malicious code. As a temporary workaround, restrict the use of the Kryo Codec implementations until the secure configuration can be applied. At the moment there is no information about a newer version that contains a fix for this vulnerability.
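The following Java program is an added illustration of the recommendation above; it is not code from the advisory or from the Spring Integration project. It uses the Kryo library directly (assumed: com.esotericsoftware:kryo 5.x on the classpath; class names such as Greeting, UnexpectedType, permissiveKryo and trustedKryo are invented for the demo) to contrast a Kryo instance that resolves any class named in the stream with one that accepts only a registered set of trusted classes and rejects everything else before an instance is created.

```java
// Added example, not from the advisory or the Spring Integration project.
// Contrasts Kryo defaults (unregistered classes resolved on demand) with a
// registry of trusted classes, the mitigation the advisory recommends.
// Assumes com.esotericsoftware:kryo 5.x on the classpath.
import com.esotericsoftware.kryo.Kryo;
import com.esotericsoftware.kryo.io.Input;
import com.esotericsoftware.kryo.io.Output;

public class KryoTrustedClassesDemo {

    // The one message type this application expects to receive (hypothetical).
    public static class Greeting {
        public String text = "";
    }

    // Stands in for any class the receiver never intended to deserialize.
    // Harmless here; the point is only that the receiver never asked for it.
    public static class UnexpectedType {
        public String note = "constructed sample, not a real payload";
    }

    // Default-style configuration: unregistered classes are looked up by name
    // on demand. Set explicitly because Kryo 4 defaults to false and Kryo 5 to true.
    static Kryo permissiveKryo() {
        Kryo kryo = new Kryo();
        kryo.setRegistrationRequired(false);
        return kryo;
    }

    // Hardened configuration: only classes registered up front may be read or
    // written; any other class name in the stream raises IllegalArgumentException
    // from Kryo.getRegistration before an object of that class is constructed.
    static Kryo trustedKryo() {
        Kryo kryo = new Kryo();
        kryo.setRegistrationRequired(true);
        kryo.register(Greeting.class);
        return kryo;
    }

    // Serialize an object together with its class information.
    static byte[] encode(Kryo kryo, Object value) {
        Output output = new Output(1024, -1);   // growable buffer
        kryo.writeClassAndObject(output, value);
        output.close();
        return output.toBytes();
    }

    // Deserialize a stream whose class information is under the sender's control.
    static Object decode(Kryo kryo, byte[] bytes) {
        try (Input input = new Input(bytes)) {
            return kryo.readClassAndObject(input);
        }
    }

    public static void main(String[] args) {
        // The sender is treated as untrusted: it may serialize whatever it likes.
        Kryo sender = permissiveKryo();
        Greeting greeting = new Greeting();
        greeting.text = "hello";
        byte[] expected = encode(sender, greeting);
        byte[] unexpected = encode(sender, new UnexpectedType());

        // A permissive receiver materialises the unexpected class without complaint.
        Object loose = decode(permissiveKryo(), unexpected);
        System.out.println("permissive receiver got: " + loose.getClass().getName());

        // A receiver with a trusted-class set accepts the expected type...
        Greeting ok = (Greeting) decode(trustedKryo(), expected);
        System.out.println("trusted receiver got: " + ok.text);

        // ...and rejects the stream that names an unregistered class.
        try {
            decode(trustedKryo(), unexpected);
            System.out.println("unexpected class was accepted (should not happen)");
        } catch (IllegalArgumentException e) {
            System.out.println("trusted receiver rejected: " + e.getMessage());
        }
    }
}
```

The receiver's Kryo instance is the only place the trust decision can be enforced, since the class name travels inside the attacker-controlled bytes. Spring Integration's Kryo codec classes wrap a Kryo instance of this kind and take a registrar that performs the same register calls; which constructor enables required registration depends on the Spring Integration version in use and is not stated in the advisory, so check the version's own documentation before relying on it.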

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

BDU:2020-04842
CVE-2020-5413
GHSA-86QR-9VQC-PGC6

Affected Products

Spring Integration Framework