CVE-2016-1000027

high-risk

Published 2020-01-02

Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.

Do I need to act?

60.4% chance of exploitation in next 30 days

EPSS score — higher than 40% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (1)

Spring Framework

Affected Vendors

Vmware

References (18)

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1000027

Issue Tracking https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-57...

Issue Tracking https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-58...

Issue Tracking https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-74...

Broken Link https://raw.githubusercontent.com/distributedweaknessfiling/cvelist/master/2016/...

Third Party Advisory https://security-tracker.debian.org/tracker/CVE-2016-1000027

https://security.netapp.com/advisory/ntap-20230420-0009/

Release Notes https://spring.io/blog/2022/05/11/spring-framework-5-3-20-and-5-2-22-available-n...

Exploit https://www.tenable.com/security/research/tra-2016-20