CVE-2021-22097: Deserialization of Untrusted Data

October 28, 2021 (updated November 1, 2021)

The Spring AMQP Message object’s toString() method, will deserialize a body for a message with content type application/x-java-serialized-object. It is possible to construct a malicious java.util.Dictionary object that can cause 100% CPU usage in the application if the toString() method is called.

References

nvd.nist.gov/vuln/detail/CVE-2021-22097
tanzu.vmware.com/security/cve-2021-22097

Detect and mitigate CVE-2021-22097 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →