CRITICAL 9.8 Maven
Pivotal Spring Framework contains unsafe Java deserialization methods
GHSA-4wrc-f8pq-fpqp · CVE-2016-1000027
Published · Modified
Description
Pivotal Spring Framework before 6.0.0 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required.
Maintainers recommend investigating alternative components or a potential mitigating control. Version 4.2.6 and 3.2.17 contain enhanced documentation advising users to take precautions against unsafe Java deserialization, version 5.3.0 deprecate the impacted classes and version 6.0.0 removed it entirely.
References
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2016-1000027
- WEB https://github.com/spring-projects/spring-framework/issues/21680
- WEB https://github.com/spring-projects/spring-framework/issues/24434
- WEB https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-1231625331
- WEB https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-579669626
- WEB https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-582313417
- WEB https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-744519525
- WEB https://github.com/spring-projects/spring-framework/commit/2b051b8b321768a4cfef83077db65c6328ffd60f
- WEB https://github.com/spring-projects/spring-framework/commit/5cbe90b2cd91b866a5a9586e460f311860e11cfa
- WEB https://www.tenable.com/security/research/tra-2016-20
- WEB https://support.contrastsecurity.com/hc/en-us/articles/4402400830612-Spring-web-Java-Deserialization-CVE-2016-1000027
- WEB https://spring.io/blog/2022/05/11/spring-framework-5-3-20-and-5-2-22-available-now
- WEB https://security.netapp.com/advisory/ntap-20230420-0009
- WEB https://security-tracker.debian.org/tracker/CVE-2016-1000027
- WEB https://jira.spring.io/browse/SPR-17143?redirect=false
- PACKAGE https://github.com/spring-projects/spring-framework
- WEB https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1000027
Ready to move
Start Securing
Free, no credit card | First findings in minutes