Vulnerability Details : CVE-2016-1000027
Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or may not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
Vulnerability category: Execute code
Products affected by CVE-2016-1000027
- cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2016-1000027
- EPSS score: 2.44% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~89% (the proportion of vulnerabilities that are scored at or below this score)
- EPSS Score History: chart not reproduced
CVSS scores for CVE-2016-1000027
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST |
CWE ids for CVE-2016-1000027
- The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2016-1000027
- https://security.netapp.com/advisory/ntap-20230420-0009/ : "CVE-2016-1000027 Spring Framework Vulnerability in NetApp Products" (NetApp Product Security)
- https://security-tracker.debian.org/tracker/CVE-2016-1000027 : Debian security tracker entry for CVE-2016-1000027 [Third Party Advisory]
- https://spring.io/blog/2022/05/11/spring-framework-5-3-20-and-5-2-22-available-now : "Spring Framework 5.3.20 and 5.2.22 available now" [Release Notes; Third Party Advisory]
- https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-744519525 : "Sonatype vulnerability CVE-2016-1000027 in Spring-web project", Issue #24434, spring-projects/spring-framework on GitHub [Issue Tracking; Third Party Advisory]
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1000027 : Red Hat Bugzilla 1357929, "(CVE-2016-1000027) spring: HttpInvokerServiceExporter readRemoteInvocation method untrusted java deserialization" [Issue Tracking; Third Party Advisory]
- https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-582313417 : "Sonatype vulnerability CVE-2016-1000027 in Spring-web project", Issue #24434, spring-projects/spring-framework on GitHub [Issue Tracking; Third Party Advisory]
- https://www.tenable.com/security/research/tra-2016-20 : "[R2] Pivotal Spring Framework HttpInvokerServiceExporter readRemoteInvocation Method Untrusted Java Deserialization", Tenable Research Advisory [Exploit; Third Party Advisory]
- https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-579669626 : "Sonatype vulnerability CVE-2016-1000027 in Spring-web project", Issue #24434, spring-projects/spring-framework on GitHub [Issue Tracking; Third Party Advisory]