org.springframework.batch:spring-batch-core@4.0.3.RELEASE vulnerabilities
- latest version: 5.1.1
- latest non vulnerable version:
- first published: 16 years ago
- latest version published: 3 months ago
- licenses detected: [0,)
- package manager:
Direct Vulnerabilities
Known vulnerabilities in the org.springframework.batch:spring-batch-core package. This does not include vulnerabilities belonging to this package’s dependencies.
| Vulnerability | Vulnerable Version |
|---|---|
| Insecure Defaults | [4.0.0.RELEASE,4.2.3.RELEASE) |

Insecure Defaults

org.springframework.batch:spring-batch-core is a framework for writing offline and batch applications using Spring and Java. Affected versions of this package are vulnerable to Insecure Defaults. When configured to enable default typing, Jackson contained a deserialization vulnerability (https://github.com/FasterXML/jackson-databind/issues/1599) that could lead to arbitrary code execution. Jackson fixed this vulnerability by blacklisting known "deserialization gadgets". Spring Batch configures Jackson with global default typing enabled (https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization#11-global-default-typing), which means that, through the previously known exploit, arbitrary code could be executed if all of the following are true:

How to fix Insecure Defaults? Upgrade to a version outside the vulnerable range [4.0.0.RELEASE,4.2.3.RELEASE).