Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

CVE-2016-1000027

Pivotal Spring Framework contains unsafe Java deserialization methods

Description

Pivotal Spring Framework before 6.0.0 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required.

Maintainers recommend investigating alternative components or a potential mitigating control. Version 4.2.6 and 3.2.17 contain enhanced documentation advising users to take precautions against unsafe Java deserialization, version 5.3.0 deprecate the impacted classes and version 6.0.0 removed it entirely.

Base CVSS

9.8

EPSS Score

59.21%

Introduced Version

1.0-m4

Fix Available

6.0.0

Fix without Upgrading

Available Patches

Package

CVEs Fixed

Lines of Code Changed

org.springframework:spring-web

References

https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-1231625331

https://github.com/spring-projects/spring-framework/issues/24434

https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-582313417

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1000027

https://www.tenable.com/security/research/tra-2016-20

https://jira.spring.io/browse/SPR-17143?redirect=false

https://github.com/spring-projects/spring-framework/issues/21680

https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-579669626

https://nvd.nist.gov/vuln/detail/CVE-2016-1000027

https://github.com/spring-projects/spring-framework/commit/5cbe90b2cd91b866a5a9586e460f311860e11cfa

https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-744519525

https://security.netapp.com/advisory/ntap-20230420-0009

https://support.contrastsecurity.com/hc/en-us/articles/4402400830612-Spring-web-Java-Deserialization-CVE-2016-1000027

https://security-tracker.debian.org/tracker/CVE-2016-1000027

https://spring.io/blog/2022/05/11/spring-framework-5-3-20-and-5-2-22-available-now

https://github.com/spring-projects/spring-framework/commit/2b051b8b321768a4cfef83077db65c6328ffd60f

https://github.com/spring-projects/spring-framework

AppSec for the Software Development Revolution

Endor Labs builds a complete graph of your software estate, so teams can pinpoint and fix critical risks in complex, dependency-rich code—whether it was written by humans or AI.

Welcome to the resistance

Oops! Something went wrong, please try again.