Spring Statemachine's Kryo-based persistence backends (JPA, MongoDB, Redis and ZooKeeper) deserialise persisted state-machine contexts without enforcing a class allowlist (CWE-502, deserialisation of untrusted data), which can lead to remote code execution inside the application JVM.
Affected versions:
Spring Statemachine 4.0.0 through 4.0.1
Spring Statemachine 3.2.0 through 3.2.4
Description: CWE-502: Deserialization of Untrusted Data
Metrics
Version
Base score
Base severity
Vector
3.1
8.8
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Version:3.1
Base score:8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC ID
Description
N/A
An attacker who can write to a Kryo-backed state-machine persistence store can achieve remote code execution inside the application JVM with high impact on confidentiality, integrity, and availability.
CAPEC ID: N/A
Description: An attacker who can write to a Kryo-backed state-machine persistence store can achieve remote code execution inside the application JVM with high impact on confidentiality, integrity, and availability.