CVE-2016-1000027 – org.springframework:spring-web

Package

Manager: maven
Name: org.springframework:spring-web
Vulnerable Version: >=0 <6.0.0

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.59211 pctl0.9817

Details

Pivotal Spring Framework contains unsafe Java deserialization methods Pivotal Spring Framework before 6.0.0 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. Maintainers recommend investigating alternative components or a potential mitigating control. Version 4.2.6 and 3.2.17 contain [enhanced documentation](https://github.com/spring-projects/spring-framework/commit/5cbe90b2cd91b866a5a9586e460f311860e11cfa) advising users to take precautions against unsafe Java deserialization, version 5.3.0 [deprecate the impacted classes](https://github.com/spring-projects/spring-framework/issues/25379) and version 6.0.0 [removed it entirely](https://github.com/spring-projects/spring-framework/issues/27422).

Metadata

Created: 2022-05-24T17:05:30Z
Modified: 2023-06-01T19:56:26Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-4wrc-f8pq-fpqp/GHSA-4wrc-f8pq-fpqp.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-4wrc-f8pq-fpqp
Finding: F096
Auto approve: 1