Deserialization in Oracle Banking_corporate_lending_process_management
CVE-2020-5413
Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserializatio…
Vulnerability class: Insecure Deserialization
EPSS: 0.044 (90.1th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
Affected products
- Oracle Banking_corporate_lending_process_management — versions 14.2.0, 14.3.0, 14.5.0
- Oracle Banking_credit_facilities_process_management — versions 14.2.0, 14.3.0, 14.5.0
- Oracle Banking_supply_chain_finance — versions 14.2.0, 14.3.0, 14.5.0
- Oracle Banking_virtual_account_management — versions 14.2.0, 14.3.0, 14.5.0
- Oracle Flexcube_private_banking — versions 12.0.0, 12.1.0
- Oracle Retail_customer_management_and_segmentation_foundation
- Oracle Retail_merchandising_system — versions 16.0.3
- Spring By Vmware Integration — versions 4.3, 5.1, 5.2
- Vmware Spring_integration
Weakness classification (CWE)
Public proof-of-concept exploits
References
- security@pivotal.io (x_refsource_CONFIRM, Vendor Advisory)
- security@pivotal.io (Patch, Third Party Advisory, x_refsource_MISC)
- security@pivotal.io (Patch, Third Party Advisory, x_refsource_MISC)
- security@pivotal.io (Patch, Third Party Advisory, x_refsource_MISC)
- security@pivotal.io (Patch, Third Party Advisory, x_refsource_MISC)
Frequently asked questions
- What is CVE-2020-5413?
- CVE-2020-5413 is a critical-severity vulnerability in Oracle Banking_corporate_lending_process_management, classified under Deserialization of Untrusted Data. CVSS score: 9.8/10. Published 2020-07-31.
- How severe is CVE-2020-5413?
- Critical severity. CVSS v3 base score is 9.8 out of 10.
- Is CVE-2020-5413 known to be exploited?
- 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.