Spring Framework is vulnerable to Remote code execution
98
Critical Risk
The Spring Framework exposes the class HttpInvokerServiceExporter, which deserializes the HTTP request body it receives and is therefore vulnerable to a deserialization attack. The attack can lead to remote code execution. The class was deprecated in version 5.3.0 and removed in version 6.0.0.
Aikido has a Java SAST rule that checks for uses of the HttpInvokerServiceExporter class. If you are affected, a critical issue will appear in your feed.
Spring Framework is vulnerable to remote code execution in versions < 6.0.0.
Because upgrading the framework is usually not easy, we recommend removing all usage of the HttpInvokerServiceExporter class instead.
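To show the kind of check the SAST rule above performs, here is an added Python example (not Aikido's rule and not Spring code) that scans constructed Java and Spring XML sources for references to HttpInvokerServiceExporter, skipping commented-out lines and non-source files; the file names and the AccountService type are assumptions.

```python
import re
from typing import Dict, List, Tuple

FQCN = "org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter"  # class flagged on the page
# Most specific pattern first; the first match on a line is the one reported.
PATTERNS = [
    ("xml-bean", re.compile(r'class\s*=\s*["\']' + re.escape(FQCN) + r'["\']')),
    ("import", re.compile(r'^\s*import\s+' + re.escape(FQCN) + r'\s*;')),
    ("fqcn", re.compile(re.escape(FQCN) + r'\b')),
    ("simple-name", re.compile(r'\bHttpInvokerServiceExporter\b')),
]

def scan_source(name: str, text: str) -> List[Tuple[str, int, str]]:
    """Return (file, line_no, kind) for each non-comment line referencing the exporter."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith(("//", "*", "<!--")):  # crude filter for commented-out code
            continue
        for kind, pat in PATTERNS:
            if pat.search(line):
                findings.append((name, no, kind))
                break
    return findings

def scan_tree(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Only Java/Kotlin sources and Spring XML count; a README mentioning the name is not a finding."""
    return [f for name in sorted(files) if name.endswith((".java", ".kt", ".xml"))
            for f in scan_source(name, files[name])]

# Constructed sample project, not a real code base: Java config plus an XML bean definition.
SAMPLE_FILES = {
    "src/main/java/demo/RemotingConfig.java": """\
import org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter;
public class RemotingConfig {
    // HttpInvokerServiceExporter named in a comment is not reported
    public HttpInvokerServiceExporter accountExporter(AccountService svc) {
        HttpInvokerServiceExporter exporter = new HttpInvokerServiceExporter();
        exporter.setService(svc);
        return exporter;
    }
}
""",
    "src/main/resources/remoting.xml": """\
<beans>
  <bean name="/accountService"
        class="org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter"/>
</beans>
""",
}
```

Every reported line is a place where the exporter must be removed; a clean run over the whole tree is the condition the recommendation above asks for.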