CVE-2016-1000027

 

Published at: - 03-01-2020 12:15

Last modified: - 10-06-2022 04:15

Total changes: - 5

Description

Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

 

Verification logic

 

Reference

• https://security-tracker.debian.org/tracker/CVE-2016-1000027
• https://raw.githubusercontent.com/distributedweaknessfiling/cvelist/master/2016/1000xxx/CVE-2016-1000027.json
• https://www.tenable.com/security/research/tra-2016-20
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1000027
• https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-582313417
• https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-579669626
• https://spring.io/blog/2022/05/11/spring-framework-5-3-20-and-5-2-22-available-now
• https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-744519525

 

Keywords

NVD

 

CVE-2016-1000027

 

CVE

 

Common vulnerabilities & exposures

 

CVSS

 

Common vulnerability scoring system

 

Security

 

Vulnerabilities

 

Exposures