CVE-2016-1000027
Description
Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or may not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
CVSS Version 3.1 (source: nvd)
CVE ID: CVE-2016-1000027
Base Score: 9.8
Base Severity: CRITICAL
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Impact Score: 5.9
Exploitability Score: 3.9

CVSS Version 2.0 (source: nvd)
CVE ID: CVE-2016-1000027
Base Score: 7.5
Base Severity: HIGH
Vector String: AV:N/AC:L/Au:N/C:P/I:P/A:P
Proof Of Concept
artem-smotrakov
PoC for CVE-2016-1000027
Reference: GitHub

tina94happy
Mitigated version for CVE-2016-1000027 (Spring Web).
Reference: GitHub

yihtserns
Spring Web 5.x with the org.springframework.remoting package removed, to fix CVE-2016-1000027.
Reference: GitHub

Reference: NVD