Vulnerability disclosed in Spring Web

Issue date: 18-07-2023
Affects versions: 15.2, 15.1, 14.7, 13.4

Security Issue ID

SECURITY-467

Affected Product Version(s)

15.2.2, 15.1.4, 14.7.13, 14.0.0, 13.4.22 and previous releases.

Severity

Critical

Description

CVE-2016-1000027 suppress

Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.

CVSSv3.1

Base Score: 9.8 Critical
Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Instructions

Customers are recommended to upgrade to the latest version. As of the time of writing, 15.2.3,14.7.14,13.4.23.

Get Started

Build a Website

Relevance Trail

Feed an AngularJS App

Understand Hippo

Implement Hippo

Extend Hippo

Integrate Hippo

Run Hippo

Upgrade Hippo

Develop Hippo

Use Hippo

Report an Issue

Bloomreach Documentation version

Vulnerability disclosed in Spring Web