org.springframework.statemachine:spring-statemachine-data-mongodb@3.2.0

latest version

4.0.1

first published

9 years ago

latest version published

11 months ago

licenses detected

Apache-2.0
[1.2.0.RELEASE,)

package registry

View on Maven Central Repository

Go back to all versions of this package

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the org.springframework.statemachine:spring-statemachine-data-mongodb package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
H Deserialization of Untrusted Data Affected versions of this package are vulnerable to Deserialization of Untrusted Data. The Kryo-based persistence serializers (`KryoStateMachineSerialisationService` / `AbstractKryoStateMachineSerialisationService`) deserialise persisted state-machine contexts without enabling `Kryo.setRegistrationRequired(true)` or enforcing a class allowlist. This affects every persistence backend that round-trips the `StateMachineContext` through Kryo, namely the JPA, MongoDB, Redis and ZooKeeper persisters. An attacker who can write to or tamper with the persisted context store can supply a serialized payload referencing arbitrary classes, triggering a deserialization gadget chain that results in remote code execution inside the application JVM. Note: Exploitation requires the attacker to be able to control or modify the contents of the persistence store (database, Redis, MongoDB or ZooKeeper node) from which contexts are loaded. How to fix Deserialization of Untrusted Data? Upgrade `org.springframework.statemachine:spring-statemachine-data-mongodb` to version 4.0.2 or higher.	[,4.0.2)

Deserialization of Untrusted Data

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. The Kryo-based persistence serializers (KryoStateMachineSerialisationService / AbstractKryoStateMachineSerialisationService) deserialise persisted state-machine contexts without enabling Kryo.setRegistrationRequired(true) or enforcing a class allowlist. This affects every persistence backend that round-trips the StateMachineContext through Kryo, namely the JPA, MongoDB, Redis and ZooKeeper persisters. An attacker who can write to or tamper with the persisted context store can supply a serialized payload referencing arbitrary classes, triggering a deserialization gadget chain that results in remote code execution inside the application JVM.

Note:

Exploitation requires the attacker to be able to control or modify the contents of the persistence store (database, Redis, MongoDB or ZooKeeper node) from which contexts are loaded.

How to fix Deserialization of Untrusted Data?

Upgrade org.springframework.statemachine:spring-statemachine-data-mongodb to version 4.0.2 or higher.

[,4.0.2)

Go back to all versions of this package