Upgrade RHEL:7 jbcs-httpd24-curl to version 0:8.2.1-1.el7jbcs or higher. This issue was patched in RHSA-2023:4629 .

org.springframework.batch:spring-batch-core 4.0.0.RELEASE vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.springframework.batch:spring-batch-core package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Insecure Defaults org.springframework.batch:spring-batch-core is a framework for writing offline and batch applications using Spring and Java. Affected versions of this package are vulnerable to Insecure Defaults. When configured to enable default typing, Jackson contained a deserialization vulnerability (https://github.com/FasterXML/jackson-databind/issues/1599) that could lead to arbitrary code execution. Jackson fixed this vulnerability by blacklisting known "deserialization gadgets". Spring Batch configures Jackson with global default typing enabled (https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization#11-global-default-typing) which means that through the previous exploit, arbitrary code could be executed if all of the following is true: Spring Batch’s Jackson support is being leveraged to serialize a job’s ExecutionContext. A malicious user gains write access to the data store used by the JobRepository (where the data to be deserialized is stored). How to fix Insecure Defaults? Upgrade `org.springframework.batch:spring-batch-core` to version 4.2.3.RELEASE or higher.	[4.0.0.RELEASE,4.2.3.RELEASE)
C XML External Entity (XXE) Injection org.springframework.batch:spring-batch-core is a framework for writing offline and batch applications using Spring and Java. Affected versions of this package are vulnerable to XML External Entity (XXE) Injection when receiving XML data from untrusted sources. How to fix XML External Entity (XXE) Injection? Upgrade `org.springframework.batch:spring-batch-core` to version 4.1.1.RELEASE, 4.0.2.RELEASE, 3.0.10.RELEASE or higher.	[4.1.0.RELEASE,4.1.1.RELEASE)[4.0.0.RELEASE,4.0.2.RELEASE)[3.0.9.RELEASE,3.0.10.RELEASE)

Vulnerability

Vulnerable Version

Insecure Defaults

org.springframework.batch:spring-batch-core is a framework for writing offline and batch applications using Spring and Java.

Affected versions of this package are vulnerable to Insecure Defaults. When configured to enable default typing, Jackson contained a deserialization vulnerability (https://github.com/FasterXML/jackson-databind/issues/1599) that could lead to arbitrary code execution. Jackson fixed this vulnerability by blacklisting known "deserialization gadgets".

Spring Batch configures Jackson with global default typing enabled (https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization#11-global-default-typing) which means that through the previous exploit, arbitrary code could be executed if all of the following is true:

Spring Batch’s Jackson support is being leveraged to serialize a job’s ExecutionContext.
A malicious user gains write access to the data store used by the JobRepository (where the data to be deserialized is stored).

How to fix Insecure Defaults?

Upgrade org.springframework.batch:spring-batch-core to version 4.2.3.RELEASE or higher.

[4.0.0.RELEASE,4.2.3.RELEASE)

XML External Entity (XXE) Injection

org.springframework.batch:spring-batch-core is a framework for writing offline and batch applications using Spring and Java.

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection when receiving XML data from untrusted sources.

How to fix XML External Entity (XXE) Injection?

Upgrade org.springframework.batch:spring-batch-core to version 4.1.1.RELEASE, 4.0.2.RELEASE, 3.0.10.RELEASE or higher.

[4.1.0.RELEASE,4.1.1.RELEASE)[4.0.0.RELEASE,4.0.2.RELEASE)[3.0.9.RELEASE,3.0.10.RELEASE)

org.springframework.batch:spring-batch-core@4.0.0.RELEASE vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities

How to fix?