Home > Vulnerability Database > CVE-2016-1000027

Mend.io Vulnerability Database

CVE-2016-1000027

Good to know:

Date: January 1, 2020

Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data. After conducting further research, Mend has determined that all versions of spring-web up to version 6.0.0 are vulnerable to CVE-2016-1000027.

Language: Java

Severity Score

9.8

Related Resources (20)

Url: https://security-tracker.debian.org/tracker/CVE-2016-1000027

Url: https://raw.githubusercontent.com/distributedweaknessfiling/cvelist/master/2016/1000xxx/CVE-2016-1000027.json

Url: https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-744519525

Url: https://support.contrastsecurity.com/hc/en-us/articles/4402400830612-Spring-web-Java-Deserialization-CVE-2016-1000027

Url: https://security.netapp.com/advisory/ntap-20230420-0009/

Url: https://spring.io/blog/2022/05/11/spring-framework-5-3-20-and-5-2-22-available-now

Url: https://github.com/spring-projects/spring-framework

Url: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1000027

Url: https://github.com/spring-projects/spring-framework/commit/5cbe90b2cd91b866a5a9586e460f311860e11cfa

Url: https://github.com/spring-projects/spring-framework/issues/24434

Url: https://jira.spring.io/browse/SPR-17143?redirect=false

Url: https://www.tenable.com/security/research/tra-2016-20

Url: https://github.com/spring-projects/spring-framework/issues/21680

Url: https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-579669626

Url: https://nvd.nist.gov/vuln/detail/CVE-2016-1000027

Url: https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-1231625331

Url: https://security.netapp.com/advisory/ntap-20230420-0009

Url: https://github.com/spring-projects/spring-framework/commit/2b051b8b321768a4cfef83077db65c6328ffd60f

Url: https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-582313417

Url: https://www.mend.io/vulnerability-database/CVE-2016-1000027

Severity Score

9.8

Weakness Type (CWE)

Deserialization of Untrusted Data

CWE-502

Top Fix

Upgrade Version

Upgrade to version org.springframework:spring-web:6.0.0

Learn More

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

CVSS v2

Base Score:	7.5
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2016-1000027

Good to know:

Date: January 1, 2020

Language: Java

Severity Score

Related Resources (20)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?