CVE-2016-1000027
Published 2020-01-02

Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or may not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libspring-java | < libspring-java 4.2.7-1 (bookworm) | libspring-java 4.2.7-1 (bookworm) |
| thorntech | sftp_gateway_firmware | >= 3.4.0 < 3.4.4 | 3.4.4 |
| vmware | spring_framework | < 6.0.0 | 6.0.0 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | | 9.8 | CRITICAL | |