CVE-2023-34040

CVSS 3.1 Score 7.8 of 10 (high)

Details

Published: Aug 24, 2023
Updated: Oct 18, 2023
CWE ID 502

Summary

CVE-2023-34040 is a deserialization vulnerability affecting Spring for Apache Kafka versions 3.0.9 and earlier, as well as 2.9.10 and earlier. The issue arises only under specific configuration settings, which allow an attacker to place malicious serialized objects in the deserialization exception record headers. All of the following conditions must hold for exploitation: the user does not configure an ErrorHandlingDeserializer for the key and/or value; the user sets the checkDeserExWhenKeyNull and/or checkDeserExWhenValueNull container properties to true; and untrusted sources are permitted to publish to a Kafka topic. By default, these properties are false, and the container deserializes the headers only when an ErrorHandlingDeserializer is configured. The ErrorHandlingDeserializer mitigates the risk by removing any suspect headers before the record is processed.
