Описание
Pivotal Spring Framework contains unsafe Java deserialization methods
Pivotal Spring Framework before 6.0.0 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required.
Maintainers recommend investigating alternative components or a potential mitigating control. Version 4.2.6 and 3.2.17 contain enhanced documentation advising users to take precautions against unsafe Java deserialization, version 5.3.0 deprecate the impacted classes and version 6.0.0 removed it entirely.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2016-1000027
- https://github.com/spring-projects/spring-framework/issues/21680
- https://github.com/spring-projects/spring-framework/issues/24434
- https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-1231625331
- https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-579669626
- https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-582313417
- https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-744519525
- https://github.com/spring-projects/spring-framework/commit/2b051b8b321768a4cfef83077db65c6328ffd60f
- https://github.com/spring-projects/spring-framework/commit/5cbe90b2cd91b866a5a9586e460f311860e11cfa
- https://www.tenable.com/security/research/tra-2016-20
- https://support.contrastsecurity.com/hc/en-us/articles/4402400830612-Spring-web-Java-Deserialization-CVE-2016-1000027
- https://spring.io/blog/2022/05/11/spring-framework-5-3-20-and-5-2-22-available-now
- https://security.netapp.com/advisory/ntap-20230420-0009
- https://security-tracker.debian.org/tracker/CVE-2016-1000027
- https://jira.spring.io/browse/SPR-17143?redirect=false
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1000027
Пакеты
org.springframework:spring-web
< 6.0.0
6.0.0
Связанные уязвимости
Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
Pivotal Spring Framework through 5.3.16 suffers from a potential remot ...
Уязвимость реализации метода readRemoteInvocation обработчика HTTP-запросов на основе Servlet-API HttpInvokerServiceExporter программной платформы Spring Framework, позволяющая нарушителю выполнить произвольный код