Fluid Attacks Database

Description

Pivotal Spring Framework contains unsafe Java deserialization methods Pivotal Spring Framework before 6.0.0 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required.

Maintainers recommend investigating alternative components or a potential mitigating control. Version 4.2.6 and 3.2.17 contain enhanced documentation advising users to take precautions against unsafe Java deserialization, version 5.3.0 deprecate the impacted classes and version 6.0.0 removed it entirely.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.springframework:spring-core	=4.1.4	4.1.5.release
debian 12	libspring-java	>=0 <4.2.7-1	4.2.7-1
debian 11	libspring-java	>=0 <4.2.7-1	4.2.7-1
debian 13	libspring-java	>=0 <4.2.7-1	4.2.7-1
debian 14	libspring-java	>=0 <4.2.7-1	4.2.7-1
maven	org.springframework:spring-web	>=0 <6.0.0	6.0.0

Aliases

1. CVE-2016-10000272. NVD-2016-10000273. OSV-2016-10000274. OSV-DEBIAN-2016-10000275. GCVE-2016-10000276. bugzilla.redhat.com7. SECURITY-TRACKER-CVE-2016-1000027

References

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.