CVE-2016-1000027 — Deserialization of Untrusted Data in Vmware Spring Framework

CWE-502 — Deserialization of Untrusted Data9 documents8 sources
Severity
9.8CRITICALNVD
EPSS
60.4%
top 1.71%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Vmware Spring Framework
Timeline
PublishedJan 2
Latest updateJan 15

Description

Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

â–¶NVDvmware/spring_framework< 6.0.0

🔴Vulnerability Details

4
GHSA
Pivotal Spring Framework contains unsafe Java deserialization methods↗2022-05-24
â–¶
OSV
Pivotal Spring Framework contains unsafe Java deserialization methods↗2022-05-24
â–¶
CVEList
CVE-2016-1000027: Pivotal Spring Framework through 5↗2020-01-02
â–¶
OSV
CVE-2016-1000027: Pivotal Spring Framework through 5↗2020-01-02
â–¶

📋Vendor Advisories

3
Oracle
Oracle Oracle Analytics Risk Matrix: Development Operations (Spring Framework) — CVE-2016-1000027↗2025-01-15
â–¶
Red Hat
spring: HttpInvokerServiceExporter readRemoteInvocation method untrusted java deserialization↗2016-07-08
â–¶
Debian
CVE-2016-1000027: libspring-java - Pivotal Spring Framework through 5.3.16 suffers from a potential remote code exe...↗2016
â–¶

💬Community

1
Bugzilla
CVE-2016-1000027 spring: HttpInvokerServiceExporter readRemoteInvocation method untrusted java deserialization↗2016-07-19
â–¶
CVE-2016-1000027 — Deserialization of Untrusted Data | cvebase