CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.024 Low
Percentile: 89.9%
Pivotal Spring Framework before 6.0.0 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is used within a product, this issue may or may not occur, and authentication may be required.
Maintainers recommend investigating alternative components or a potential mitigating control. Versions 4.2.6 and 3.2.17 contain enhanced documentation advising users to take precautions against unsafe Java deserialization, version 5.3.0 deprecated the impacted classes, and version 6.0.0 removed them entirely.
CPE | Name | Operator | Version
---|---|---|---
 | org.springframework:spring-web | lt | 6.0.0
bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1000027
github.com/advisories/GHSA-4wrc-f8pq-fpqp
github.com/spring-projects/spring-framework/commit/2b051b8b321768a4cfef83077db65c6328ffd60f
github.com/spring-projects/spring-framework/commit/5cbe90b2cd91b866a5a9586e460f311860e11cfa
github.com/spring-projects/spring-framework/issues/21680
github.com/spring-projects/spring-framework/issues/24434
github.com/spring-projects/spring-framework/issues/24434#issuecomment-1231625331
github.com/spring-projects/spring-framework/issues/24434#issuecomment-579669626
github.com/spring-projects/spring-framework/issues/24434#issuecomment-582313417
github.com/spring-projects/spring-framework/issues/24434#issuecomment-744519525
jira.spring.io/browse/SPR-17143?redirect=false
nvd.nist.gov/vuln/detail/CVE-2016-1000027
security-tracker.debian.org/tracker/CVE-2016-1000027
security.netapp.com/advisory/ntap-20230420-0009/
spring.io/blog/2022/05/11/spring-framework-5-3-20-and-5-2-22-available-now
support.contrastsecurity.com/hc/en-us/articles/4402400830612-Spring-web-Java-Deserialization-CVE-2016-1000027
www.tenable.com/security/research/tra-2016-20