org.springframework.batch:spring-batch-core@4.0.3.RELEASE vulnerabilities

latest version

5.1.1
latest non vulnerable version

5.1.1
first published

16 years ago
latest version published

3 months ago
licenses detected
- Apache-2.0
  [0,)
package manager

View on Maven Repository

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the org.springframework.batch:spring-batch-core package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
M Insecure Defaults org.springframework.batch:spring-batch-core is a framework for writing offline and batch applications using Spring and Java. Affected versions of this package are vulnerable to Insecure Defaults. When configured to enable default typing, Jackson contained a deserialization vulnerability (https://github.com/FasterXML/jackson-databind/issues/1599) that could lead to arbitrary code execution. Jackson fixed this vulnerability by blacklisting known "deserialization gadgets". Spring Batch configures Jackson with global default typing enabled (https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization#11-global-default-typing) which means that through the previous exploit, arbitrary code could be executed if all of the following is true: Spring Batch’s Jackson support is being leveraged to serialize a job’s ExecutionContext. A malicious user gains write access to the data store used by the JobRepository (where the data to be deserialized is stored). How to fix Insecure Defaults? Upgrade `org.springframework.batch:spring-batch-core` to version 4.2.3.RELEASE or higher.	[4.0.0.RELEASE,4.2.3.RELEASE)

Insecure Defaults

org.springframework.batch:spring-batch-core is a framework for writing offline and batch applications using Spring and Java.

Affected versions of this package are vulnerable to Insecure Defaults. When configured to enable default typing, Jackson contained a deserialization vulnerability (https://github.com/FasterXML/jackson-databind/issues/1599) that could lead to arbitrary code execution. Jackson fixed this vulnerability by blacklisting known "deserialization gadgets".

Spring Batch configures Jackson with global default typing enabled (https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization#11-global-default-typing) which means that through the previous exploit, arbitrary code could be executed if all of the following is true:

Spring Batch’s Jackson support is being leveraged to serialize a job’s ExecutionContext.
A malicious user gains write access to the data store used by the JobRepository (where the data to be deserialized is stored).

How to fix Insecure Defaults?

Upgrade org.springframework.batch:spring-batch-core to version 4.2.3.RELEASE or higher.

[4.0.0.RELEASE,4.2.3.RELEASE)

Go back to all versions of this package

org.springframework.batch:spring-batch-core@4.0.3.RELEASE vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities