CVE-2016-1000027

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2016-1000027
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-1000027.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2016-1000027
Aliases
Downstream
Related
Published
2020-01-02T23:15:11.857Z
Modified
2026-04-11T19:41:56.801030Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.

References

Affected packages

Git / github.com/spring-projects/spring-framework

Affected ranges

Type
GIT
Repo
https://github.com/spring-projects/spring-framework
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
5a30a43b753a971ac8bf4005a8ccddeaff439d7e
Database specific 
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "6.0.0"
        }
    ],
    "source": "CPE_FIELD",
    "cpe": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*"
}

Affected versions

v3.*
v3.2.0.M1
v3.2.0.M2
v3.2.0.RC1
v3.2.0.RC2-A
v3.2.0.RELEASE
v4.*
v4.0.0.M1
v4.0.0.M2
v4.0.0.M3
v4.0.0.RC1
v4.0.0.RC2

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-1000027.json"