PT-2023-6408 · Spring · Spring Amqp

L0Ne1Y

Published 2023-10-18 · Updated 2023-11-04

CVE-2023-34050

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: Spring AMQP versions 1.0.0 through 2.4.16; Spring AMQP versions 3.0.0 through 3.0.9
Description: The issue lies in the Java-serialization message converters of Spring AMQP (the RabbitMQ integration), SimpleMessageConverter and SerializerMessageConverter. Both accept allowed-list patterns for the class names they may deserialize, but in the affected versions, when no patterns are configured, any class on the consumer's classpath can be deserialized from a message body. An attacker who can publish messages to the RabbitMQ broker can therefore send a crafted serialized Java object that the consuming application deserializes without restriction (CWE-502, Deserialization of Untrusted Data). An application is vulnerable only when all three conditions hold: it uses SimpleMessageConverter or SerializerMessageConverter, it does not configure allowed-list patterns, and untrusted message originators have permission to write messages to the RabbitMQ broker.
Recommendations: For Spring AMQP versions 1.0.0 through 2.4.16, update to version 2.4.17 or later. For Spring AMQP versions 3.0.0 through 3.0.9, update to version 3.0.10 or later. As a temporary workaround, configure allowed-list patterns for deserializable class names on the converter so that only the application's own message classes (and the JDK types they contain) can be deserialized from messages arriving from untrusted sources. Independently of the library version, restrict write access to the RabbitMQ broker so that untrusted message originators cannot publish to the exchanges and queues the application consumes.
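The configuration below is an added illustration by the editor, not code from the advisory or from the Spring AMQP project. It places the vulnerable default (no allowed-list patterns) beside the workaround the recommendation describes, and wires the restricted converter into the two components that actually convert message bodies. The package com.example.amqp, the DTO package com.example.orders and the bean names are assumptions made for the example.

```java
// Added example (editor's illustration, not advisory or Spring AMQP project code).
// Assumed names: package com.example.amqp, DTO package com.example.orders.
package com.example.amqp;

import java.util.Arrays;

import org.springframework.amqp.rabbit.config.SimpleRabbitListenerContainerFactory;
import org.springframework.amqp.rabbit.connection.ConnectionFactory;
import org.springframework.amqp.rabbit.core.RabbitTemplate;
import org.springframework.amqp.support.converter.MessageConverter;
import org.springframework.amqp.support.converter.SimpleMessageConverter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class AmqpDeserializationConfig {

    // VULNERABLE on 1.0.0-2.4.16 and 3.0.0-3.0.9: with no allowed-list patterns
    // the converter deserializes a body whose content-type is
    // application/x-java-serialized-object with an unrestricted ObjectInputStream,
    // so whoever can publish decides which classes are instantiated on the
    // consumer. Kept only for contrast; it is deliberately not a @Bean.
    static MessageConverter unrestrictedConverter() {
        return new SimpleMessageConverter();
    }

    // WORKAROUND from the advisory: name the classes the consumer may deserialize.
    // Each pattern is matched (Spring simple wildcard matching) against the fully
    // qualified name of every class resolved while reading the object graph, so
    // keep the list to your own message DTOs plus the JDK types they hold.
    @Bean
    public MessageConverter restrictedConverter() {
        SimpleMessageConverter converter = new SimpleMessageConverter();
        converter.setAllowedListPatterns(Arrays.asList(
                "com.example.orders.*",   // assumed: the application's message DTOs
                "java.util.*",            // collections/dates held by those DTOs
                "java.lang.*"));          // String, boxed primitives, etc.
        return converter;
    }

    // A converter bean that is declared but never set on the template or the
    // listener container factory protects nothing, so attach it to both sides
    // that convert message bodies: RabbitTemplate (send/receive, RPC replies)
    // and the factory behind @RabbitListener methods.
    @Bean
    public RabbitTemplate rabbitTemplate(ConnectionFactory connectionFactory,
                                         MessageConverter restrictedConverter) {
        RabbitTemplate template = new RabbitTemplate(connectionFactory);
        template.setMessageConverter(restrictedConverter);
        return template;
    }

    @Bean
    public SimpleRabbitListenerContainerFactory rabbitListenerContainerFactory(
            ConnectionFactory connectionFactory, MessageConverter restrictedConverter) {
        SimpleRabbitListenerContainerFactory factory = new SimpleRabbitListenerContainerFactory();
        factory.setConnectionFactory(connectionFactory);
        factory.setMessageConverter(restrictedConverter);
        return factory;
    }
}
```

Two practical notes. First, the allowed list only matters for messages that the converter treats as Java-serialized objects; if the application can switch its producers and consumers to a JSON converter, no Java deserialization of message bodies happens at all, though the JSON converter's type-id header mapping has its own trusted-package setting that should be reviewed. Second, the broker-side recommendation is enforced with RabbitMQ permissions, for example rabbitmqctl set_permissions -p <vhost> <user> "<configure-regex>" "<write-regex>" "<read-regex>", where an untrusted producer gets a write regex that does not match the exchanges feeding the vulnerable consumer; the application-side allowed list remains worthwhile after upgrading because it documents exactly which classes the consumer expects.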


Weakness Enumeration

Deserialization of Untrusted Data (CWE-502)

Related Identifiers

BDU:2023-07122
CVE-2023-34050

Affected Products

Spring Amqp