Description
In Spring AMQP versions 2.2.0 - 2.2.18 and 2.3.0 - 2.3.10, the Spring AMQP Message object, in its toString() method, will deserialize a body for a message with content type application/x-java-serialized-object. It is possible to construct a malicious java.util.Dictionary object that can cause 100% CPU usage in the application if the toString() method is called.
Remediation
References
https://tanzu.vmware.com/security/cve-2021-22097
Related Vulnerabilities
CVE-2017-10355 Vulnerability in maven package xerces:xercesimpl
CVE-2021-44548 Vulnerability in maven package org.apache.solr:solr-core
CVE-2018-1000408 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2022-43427 Vulnerability in maven package com.compuware.jenkins:compuware-topaz-for-total-test
CVE-2016-6816 Vulnerability in maven package org.apache.tomcat:tomcat-coyote