The class org.springframework.core.serializer.DefaultDeserializer does not validate the deserialized object against a whitelist. By supplying a crafted serialized object like Chris Frohoff's Commons Collection gadget, remote code execution can be achieved.
1.0.0 to 1.5.4
Spring by Pivotal
- Maven 3.x+
- Java 1.7+
- [RabbitMQ](https://www.rabbitmq.com/download.htm)
- mvn eclipse:eclipse
- import project
- run project (App)