CVE-2017-4995

Severity: 8.1 HIGH
EPSS: 0.8% (top 25.54%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: see Affected Packages below
Timeline
Published: Nov 27 (2017)
Latest update: May 13 (2022)

Description

An issue was discovered in Pivotal Spring Security 4.2.0.RELEASE through 4.2.2.RELEASE, and Spring Security 5.0.0.M1. When configured to enable default typing, Jackson contained a deserialization vulnerability that could lead to arbitrary code execution. Jackson fixed this vulnerability by blacklisting known "deserialization gadgets." Spring Security configures Jackson with global default typing enabled, which means that (through the previous exploit) arbitrary code could be executed if all of t
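The two configurations the description contrasts, as an added example that is not Spring Security's or Jackson's own code: one ObjectMapper with global default typing and nothing but Jackson's denylist in the way (the pattern the advisory describes for 4.2.0 through 4.2.2), and one where every type id read from the input must pass an allowlist (the approach the 4.2.3.RELEASE fix takes). The allowlist here uses the PolymorphicTypeValidator API Jackson added in 2.10, which is an assumption about a comparable standalone setup, not a reproduction of Spring Security's own mechanism; the Widget class and both JSON documents are constructed for illustration. Requires jackson-databind 2.10 or later on the classpath.

```java
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectMapper.DefaultTyping;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// A harmless type we genuinely want to deserialize polymorphically
// (assumed for illustration; not a Spring Security class).
class Widget {
    public String name;
}

public class DefaultTypingDemo {

    // Constructed attacker-controlled input. With global default typing in
    // As.PROPERTY form, the "@class" property is the type id Jackson reads
    // from the document, so the class to instantiate is chosen by whoever
    // wrote the JSON. java.util.HashMap stands in for a gadget; no real
    // gadget is used.
    static final String UNTRUSTED_JSON =
        "{\"@class\":\"java.util.HashMap\",\"cmd\":\"id\"}";

    // Constructed benign input naming the allowlisted type.
    static final String TRUSTED_JSON =
        "{\"@class\":\"Widget\",\"name\":\"ok\"}";

    // Weak: global default typing with Jackson's denylist as the only control.
    // Any non-final class on the classpath that the denylist does not name
    // can be instantiated from the input. (enableDefaultTyping is deprecated
    // since Jackson 2.10 precisely because of this.)
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(DefaultTyping.NON_FINAL, JsonTypeInfo.As.PROPERTY);
        return mapper;
    }

    // Hardened: the same default typing, but every type id must pass an
    // allowlist. Only Widget and its subtypes may be named in the input.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator allowlist = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType(Widget.class)
            .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(allowlist, DefaultTyping.NON_FINAL, JsonTypeInfo.As.PROPERTY);
        return mapper;
    }

    // Deserialize into Object so that the type id in the document, not the
    // declared target type, decides which class gets instantiated.
    static String attempt(String label, ObjectMapper mapper, String json) {
        try {
            Object value = mapper.readValue(json, Object.class);
            return label + ": instantiated " + value.getClass().getName();
        } catch (InvalidTypeIdException e) {
            return label + ": rejected type id " + e.getTypeId();
        } catch (Exception e) {
            return label + ": failed with " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        // weak/untrusted:     instantiated java.util.HashMap  (input chose the class)
        // hardened/untrusted: rejected type id java.util.HashMap
        // hardened/trusted:   instantiated Widget
        System.out.println(attempt("weak/untrusted", weakMapper(), UNTRUSTED_JSON));
        System.out.println(attempt("hardened/untrusted", hardenedMapper(), UNTRUSTED_JSON));
        System.out.println(attempt("hardened/trusted", hardenedMapper(), TRUSTED_JSON));
    }
}
```

The practical check is the same for either mapper: if a Jackson ObjectMapper with default typing ever sees bytes an attacker can write (cookies, session stores, message queues, HTTP bodies), the only safe configuration is one where the set of instantiable classes is closed, as in hardenedMapper. A denylist, which is what the affected Spring Security versions relied on, protects only against gadgets someone has already found. For this CVE specifically, the Maven entry below gives 4.2.3.RELEASE as the first fixed spring-security-core version.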

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.2 | Impact: 5.9

Affected Packages (3 packages)

CVEList V5: spring_security_spring_security_4.2.0.release_4.2.2.release_and_spring_security_5.0.0.m1 (Spring Security 4.2.0.RELEASE through 4.2.2.RELEASE, and Spring Security 5.0.0.M1)
Maven: org.springframework.security:spring-security-core, affected from 4.2.0.RELEASE, fixed in 4.2.3.RELEASE (+1 more range)
NVD: vmware/spring_security, 4 versions (+3 more)

🔴 Vulnerability Details (3)

GHSA: Deserialization of Untrusted Data in Spring Security (2022-05-13)
OSV: Deserialization of Untrusted Data in Spring Security (2022-05-13)
CVEList: CVE-2017-4995: An issue was discovered in Pivotal Spring Security 4 (2017-11-27)

📋 Vendor Advisories (1)

Red Hat: Security: Deserialization of untrusted data via Jackson (2017-09-20)

💬 Community (2)

Bugzilla: CVE-2017-4995 opendaylight: Spring Security: Deserialization of untrusted data via Jackson [openstack-rdo] (2017-10-06)
Bugzilla: CVE-2017-4995 Spring Security: Deserialization of untrusted data via Jackson (2017-10-06)
CVE-2017-4995 (HIGH CVSS 8.1) | An issue was discovered in Pivotal | cvebase.io