Spring Integration
Monthly
Path traversal in Spring Integration's FTP/SFTP/SMB inbound adapters allows a malicious or compromised remote file server to write attacker-controlled files outside the configured local directory on any client polling it, affecting versions 5.5.0-5.5.20, 6.3.0-6.3.14, 6.4.0-6.4.11, 6.5.0-6.5.8, and 7.0.0-7.0.4. The flaw inverts the usual trust model - the file-transfer client trusts the server's filename, enabling overwrite of arbitrary host files such as configuration, cron, or application JARs, which can escalate to code execution. No public exploit identified at time of analysis, but the issue is straightforward to weaponize once a hostile server endpoint is reachable.
Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
Spring Integration (spring-integration-xml and spring-integration-ws modules), versions 4.3.18, 5.0.10, 5.1.1, and older unsupported versions, were susceptible to XML External Entity Injection (XXE). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.
Path traversal in Spring Integration's FTP/SFTP/SMB inbound adapters allows a malicious or compromised remote file server to write attacker-controlled files outside the configured local directory on any client polling it, affecting versions 5.5.0-5.5.20, 6.3.0-6.3.14, 6.4.0-6.4.11, 6.5.0-6.5.8, and 7.0.0-7.0.4. The flaw inverts the usual trust model - the file-transfer client trusts the server's filename, enabling overwrite of arbitrary host files such as configuration, cron, or application JARs, which can escalate to code execution. No public exploit identified at time of analysis, but the issue is straightforward to weaponize once a hostile server endpoint is reachable.
Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.
Spring Integration (spring-integration-xml and spring-integration-ws modules), versions 4.3.18, 5.0.10, 5.1.1, and older unsupported versions, were susceptible to XML External Entity Injection (XXE). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.