A flaw was found in spring-batch before version 4.2.3. When configured to enable default typing, Jackson contained a deserialization vulnerability that was fixed by blacklisting known "deserialization gadgets"; such a blacklist only stops gadget classes that are already known, not every class on the classpath. Spring Batch configures Jackson with global default typing enabled, which means that, through the previously mentioned exploit, arbitrary code could be executed under certain conditions. References: https://tanzu.vmware.com/security/cve-2020-5411 Upstream issue: https://github.com/spring-projects/spring-batch/issues/3729
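The following is an added example, not code from Spring Batch or from the upstream fix. It shows the two Jackson configurations side by side: the weak one (global default typing with no type restriction, the setting the advisory describes) and a hardened one that keeps default typing on but only instantiates allowlisted types via Jackson's PolymorphicTypeValidator. The class SideEffectBean, the constructed ATTACKER_JSON payload, and the allowlist prefixes are all assumptions made for the demonstration; the example assumes jackson-databind 2.10 or later, which is where activateDefaultTyping and BasicPolymorphicTypeValidator were introduced.

```java
// Added example (not Spring Batch's own code): global Jackson default typing vs. an allowlist.
// Assumes jackson-databind >= 2.10 on the classpath.
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.impl.LaissezFaireSubTypeValidator;
import java.util.HashMap;
import java.util.Map;

public class DefaultTypingDemo {

    // Hypothetical stand-in for a "gadget" class: any class on the classpath whose constructor
    // or setters have side effects. The side effect here is a harmless print; a real gadget's
    // is not, and a blacklist only covers the gadgets it already knows about.
    public static class SideEffectBean {
        public String command;

        public void setCommand(String command) {
            this.command = command;
            System.err.println("setCommand called during deserialization with: " + command);
        }
    }

    // Constructed attacker input: with As.WRAPPER_ARRAY typing, a value is written as
    // ["fully.qualified.ClassName", {...fields...}] and Jackson instantiates the named class.
    static final String ATTACKER_JSON =
        "{\"payload\":[\"" + SideEffectBean.class.getName() + "\",{\"command\":\"id\"}]}";

    // Weak configuration: equivalent to the pre-2.10 enableDefaultTyping(). Any class named in
    // a type tag is instantiated, subject only to jackson-databind's built-in deny list.
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(LaissezFaireSubTypeValidator.instance,
                ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE, JsonTypeInfo.As.WRAPPER_ARRAY);
        return m;
    }

    // Hardened configuration: default typing stays on (it is what lets a Map<String,Object>
    // round-trip), but only types under the listed package prefixes may be created from a tag.
    // The prefixes are an assumption for this demo; a real allowlist names the exact types used.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("java.util.")
                .allowIfSubType("java.lang.")
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv,
                ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE, JsonTypeInfo.As.WRAPPER_ARRAY);
        return m;
    }

    public static void main(String[] args) throws Exception {
        // Weak: the type tag is honored, SideEffectBean is constructed and its setter runs.
        // The target is a concrete HashMap so that only the map's Object-typed values, not the
        // root, carry type information.
        Map<?, ?> loose = weakMapper().readValue(ATTACKER_JSON, HashMap.class);
        System.out.println("weak mapper produced: " + loose.get("payload").getClass().getName());

        // Hardened: the same input is refused before any constructor or setter of the named
        // class executes.
        try {
            hardenedMapper().readValue(ATTACKER_JSON, HashMap.class);
            System.out.println("unexpected: hardened mapper accepted the payload");
        } catch (InvalidTypeIdException e) {
            System.out.println("hardened mapper rejected type id: " + e.getTypeId());
        }
    }
}
```

The point to check in an affected deployment is not only the Spring Batch version but where the serialized ExecutionContext comes from: the weak mapper is only exploitable if an attacker can write to the job repository rows (or whatever store) that Spring Batch later deserializes, so tightening write access to that store is the second control alongside upgrading.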
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-5411