2 matches found
CVE-2017-4995
CVE-2017-4995 describes a deserialization vulnerability in Pivotal Spring Security 4.2.0.RELEASE–4.2.2.RELEASE and Spring Security 5.0.0.M1 when Jackson default typing is enabled. If Spring Security’s Jackson support is leveraged (SecurityJackson2Modules.getModules(ClassLoader) or enableDefaultTy...
CVE-2017-4995
It was found that spring security uses Jackson's enableDefaultTyping polymorphic capability for object deserialization. Jackson has already addressed this issue by blacklisting well-known gadget classes. However, under a right circumstances e.g. an existence of an old JDK and vulnerable Jackson i...