Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2016-1000027

Опубликовано: 08 июл. 2016
Источник: redhat
CVSS3: 9.8
CVSS2: 6.8
EPSS Средний

Описание

Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
OpenShift Developer Tools and ServicesjenkinsNot affected
Red Hat Enterprise Virtualization 3jasperreports-server-proNot affected
Red Hat Enterprise Virtualization 3redhat-support-plugin-rhevNot affected
Red Hat Enterprise Virtualization 3rhevm-dependenciesNot affected
Red Hat Fuse 7springframeworkNot affected
Red Hat JBoss Fuse 6springframeworkNot affected
Red Hat OpenShift Container Platform 3.11jenkinsNot affected
Red Hat OpenShift Container Platform 4jenkinsNot affected
Red Hat OpenShift Enterprise 2spring-coreNot affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-502
https://bugzilla.redhat.com/show_bug.cgi?id=1357929spring: HttpInvokerServiceExporter readRemoteInvocation method untrusted java deserialization

EPSS

Процентиль: 98%
0.59211
Средний

9.8 Critical

CVSS3

6.8 Medium

CVSS2

Связанные уязвимости

ubuntu логотип

CVE-2016-1000027

CVSS3: 9.8
ubuntu
больше 5 лет назад

Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.

nvd логотип

CVE-2016-1000027

CVSS3: 9.8
nvd
больше 5 лет назад

Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.

debian логотип

CVE-2016-1000027

CVSS3: 9.8
debian
больше 5 лет назад

Pivotal Spring Framework through 5.3.16 suffers from a potential remot ...

github логотип

GHSA-4wrc-f8pq-fpqp

CVSS3: 9.8
github
около 3 лет назад

Pivotal Spring Framework contains unsafe Java deserialization methods

fstec логотип

BDU:2022-02190

CVSS3: 9.8
fstec
около 9 лет назад

Уязвимость реализации метода readRemoteInvocation обработчика HTTP-запросов на основе Servlet-API HttpInvokerServiceExporter программной платформы Spring Framework, позволяющая нарушителю выполнить произвольный код

EPSS

Процентиль: 98%
0.59211
Средний

9.8 Critical

CVSS3

6.8 Medium

CVSS2