CVE-2016-1000027

Опубликовано: 02 янв. 2020

Источник: nvd

CVSS3: 9.8

CVSS2: 7.5

EPSS Средний

Описание

Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.

Ссылки

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1000027
Issue Tracking
Third Party Advisory
https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-579669626
Issue Tracking
Third Party Advisory
https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-582313417
Issue Tracking
Third Party Advisory
https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-744519525
Issue Tracking
Third Party Advisory
https://raw.githubusercontent.com/distributedweaknessfiling/cvelist/master/2016/1000xxx/CVE-2016-1000027.json
Broken Link
Exploit
Third Party Advisory
https://security-tracker.debian.org/tracker/CVE-2016-1000027
Third Party Advisory
https://security.netapp.com/advisory/ntap-20230420-0009/
https://spring.io/blog/2022/05/11/spring-framework-5-3-20-and-5-2-22-available-now
Release Notes
Third Party Advisory
https://www.tenable.com/security/research/tra-2016-20
Exploit
Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1000027
Issue Tracking
Third Party Advisory
https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-579669626
Issue Tracking
Third Party Advisory
https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-582313417
Issue Tracking
Third Party Advisory
https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-744519525
Issue Tracking
Third Party Advisory
https://raw.githubusercontent.com/distributedweaknessfiling/cvelist/master/2016/1000xxx/CVE-2016-1000027.json
Broken Link
Exploit
Third Party Advisory
https://security-tracker.debian.org/tracker/CVE-2016-1000027
Third Party Advisory
https://security.netapp.com/advisory/ntap-20230420-0009/
https://spring.io/blog/2022/05/11/spring-framework-5-3-20-and-5-2-22-available-now
Release Notes
Third Party Advisory
https://www.tenable.com/security/research/tra-2016-20
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*

Версия до 6.0.0 (исключая)

EPSS

Процентиль: 98%

0.59211

Средний

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-502

Связанные уязвимости

CVE-2016-1000027

CVSS3: 9.8

ubuntu

больше 5 лет назад

CVE-2016-1000027

CVSS3: 9.8

redhat

почти 9 лет назад

CVE-2016-1000027

CVSS3: 9.8

debian

больше 5 лет назад

Pivotal Spring Framework through 5.3.16 suffers from a potential remot ...

GHSA-4wrc-f8pq-fpqp

CVSS3: 9.8

github

около 3 лет назад

Pivotal Spring Framework contains unsafe Java deserialization methods

BDU:2022-02190

CVSS3: 9.8

fstec

около 9 лет назад

Уязвимость реализации метода readRemoteInvocation обработчика HTTP-запросов на основе Servlet-API HttpInvokerServiceExporter программной платформы Spring Framework, позволяющая нарушителю выполнить произвольный код

EPSS

Процентиль: 98%

0.59211

Средний

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-502