CVE-2016-1000027

CVE Database · CVE-2016-1000027

CVE-2016-1000027

· CRITICALModified

CVSS v3.1

9.8

EPSS

32.26%

Published

Jan 2, 2020

Modified

Nov 20, 2024

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-502

Affected Products (1)

vmware · spring_framework (up to 6.0.0)vulnerable

References (18)

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1000027

Issue TrackingThird Party Advisory

https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-579669626

Issue TrackingThird Party Advisory

https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-582313417

Issue TrackingThird Party Advisory

https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-744519525

Issue TrackingThird Party Advisory

https://raw.githubusercontent.com/distributedweaknessfiling/cvelist/master/2016/1000xxx/CVE-2016-1000027.json

KEV Catalog EPSS Scores Vendors All CVEs