CVE-2023-34050

Severity CVSS v4.0:
Pending analysis
Type:
CWE-502 Deserialization of Untrusted Data
Publication date:
19/10/2023
Last modified:
25/10/2023

Description

In Spring AMQP versions 1.0.0 to 2.4.16 and 3.0.0 to 3.0.9, allowed list patterns for deserializable class names were added to Spring AMQP, allowing users to lock down deserialization of data in messages from untrusted sources; however, by default, when no allowed list was provided, all classes could be deserialized.

Specifically, an application is vulnerable if

* the SimpleMessageConverter or SerializerMessageConverter is used
* the user does not configure allowed list patterns
* untrusted message originators gain permissions to write messages to the RabbitMQ broker to send malicious content

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:vmware:spring_advanced_message_queuing_protocol:*:*:*:*:*:*:*:* 1.0.0 (including) 2.4.16 (excluding)
cpe:2.3:a:vmware:spring_advanced_message_queuing_protocol:*:*:*:*:*:*:*:* 3.0.0 (including) 3.0.9 (excluding)


References to Advisories, Solutions, and Tools