This repository has been archived by the owner on Apr 5, 2023. It is now read-only.

Spring Framework 5.3.2* Vulnerability #101

Open
lorenzoking opened this issue Feb 27, 2023 · 1 comment

Comments

@lorenzoking

Describe the bug
Potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Found in ops, ocs, and rv WAR files.

To Reproduce
Steps to reproduce the behavior:
Aquasec security scan on spring-web-5.3.24.jar and spring-web-5.3.25.jar

Expected behavior
This vulnerability should not show up on our Aquasec scan results.

Additional context
These vulnerabilities are fixed in version 6.0.0.

https://nvd.nist.gov/vuln/detail/CVE-2016-1000027

@rftemple

rftemple commented Apr 3, 2023

The SDO project is not affected because it implements its own data serialization and does not use HttpInvokerServiceExporter or RemoteInvocationSerializingExporter.
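
One way to check the claim in the comment above against a built WAR, as an added example that is not part of the original thread or the project's code: it searches application classes and config, including nested non-framework jars, for references to the two exporter class names. Skipping jars named `spring-*` and the contents of the sample WAR are assumptions made for the demo.

```python
import io
import sys
import zipfile

# Simple class names from the comment above; a substring match covers both the
# dotted form (XML bean config) and the slashed form (class-file constant pool).
NEEDLES = (b"HttpInvokerServiceExporter", b"RemoteInvocationSerializingExporter")
SCANNED = (".class", ".xml", ".properties")

def find_exporter_refs(archive, prefix=""):
    """Return sorted (entry path, class name) pairs referencing either exporter."""
    hits = set()
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            path = prefix + info.filename
            base = info.filename.rsplit("/", 1)[-1]
            if base.endswith(".jar"):
                # Assumption: jars named spring-* are the framework itself, which
                # defines these classes; only application code and config count.
                if not base.startswith("spring-"):
                    nested = io.BytesIO(zf.read(info))
                    hits.update(find_exporter_refs(nested, path + "!/"))
            elif base.endswith(SCANNED):
                data = zf.read(info)
                hits.update((path, n.decode()) for n in NEEDLES if n in data)
    return sorted(hits)

def build_sample_war(with_exporter):
    """Constructed in-memory WAR for the demo; not a real project artifact."""
    def make_zip(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for name, data in entries.items():
                z.writestr(name, data)
        return buf.getvalue()
    spring = make_zip({"org/springframework/remoting/httpinvoker/"
                       "HttpInvokerServiceExporter.class": b"HttpInvokerServiceExporter"})
    entries = {"WEB-INF/lib/spring-web-5.3.25.jar": spring,
               "WEB-INF/classes/app/Codec.class": b"\xca\xfe\xba\xbeapp/Codec"}
    if with_exporter:
        entries["WEB-INF/remoting-servlet.xml"] = (
            b'<bean class="org.springframework.remoting.httpinvoker.'
            b'HttpInvokerServiceExporter"/>')
    return io.BytesIO(make_zip(entries))

if __name__ == "__main__":
    targets = sys.argv[1:] or [build_sample_war(True)]
    for target in targets:
        for path, cls in find_exporter_refs(target):
            print(f"{path}: references {cls}")
```

An empty result supports a "not affected" triage note for the scanner finding; any hit is a place to review how the exporter is exposed.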
