| License Type | SaaS & On-Premise |
| Agent Mode | Assess |
| Main Product Category | Java Agent |
| Sub Category | SCA |
Question
Why is CVE-2016-1000027 listed for all spring-web versions when MITRE indicates only 4.1.4 as being vulnerable?
Pivotal Spring Framework 4.1.4 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or may not occur, and authentication may be required.
Answer
Vulnerability breakdown
Affected package: org.springframework/spring-web
This vulnerability makes it possible to exploit deserialization of untrusted data, ultimately leading to Remote Code Execution (RCE).
The root cause is that the readRemoteInvocation method in HttpInvokerServiceExporter does not sufficiently restrict or verify untrusted objects before deserializing them.
Information discrepancy with NVD
NVD currently lists only version 4.1.4 as vulnerable.
We list all versions as vulnerable because the latest information from the Spring Framework developers has not yet been communicated to, or reflected by, NVD.


Remediation
As there is no fix for this vulnerability, this CVE will continue to be flagged.
The recommended remediation is to ensure that no HTTP Invoker endpoints are exposed to untrusted clients, and to expose them only between a customer's own trusted services.
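Because the root cause is an unrestricted ObjectInputStream in the exporter, one defence-in-depth measure that can accompany the network restriction above is a JEP 290 deserialization allowlist. The following is an added example, not Spring's or Contrast's code; it assumes Java 9+ (for ObjectInputStream.setObjectInputFilter) and a hypothetical subclass name, and it does not remove the CVE flag, since the underlying library is unchanged.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;

import org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter;

/**
 * Hypothetical hardened exporter (added example, not part of Spring).
 * It reuses the parent's stream creation but installs an allowlist filter,
 * so classes outside the RemoteInvocation envelope are rejected before
 * their readObject/resolve logic can run.
 */
public class FilteredHttpInvokerServiceExporter extends HttpInvokerServiceExporter {

    // Allowlist for a RemoteInvocation envelope: the envelope class itself plus
    // java.lang types (method name, parameter Class objects, arguments).
    // The JDK filter checks arrays by component type, so Object[], Class[] and
    // String[] are covered by java.lang.*; primitives are always undecided
    // (allowed). The trailing "!*" rejects every other class. maxdepth/maxrefs
    // bound object graph size to limit resource abuse from a hostile stream.
    // Services whose method arguments use custom types must add them here.
    private static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=10;maxrefs=500;"
            + "org.springframework.remoting.support.RemoteInvocation;"
            + "java.lang.*;"
            + "!*");

    @Override
    protected ObjectInputStream createObjectInputStream(InputStream is) throws IOException {
        // Parent builds the codebase-aware stream; we only attach the filter.
        ObjectInputStream ois = super.createObjectInputStream(is);
        ois.setObjectInputFilter(ALLOWLIST);
        return ois;
    }
}
```

Register this class in place of HttpInvokerServiceExporter at the same URL mapping; a stream containing a class outside the allowlist then fails with an InvalidClassException ("filter status: REJECTED") before any gadget class is constructed, which is also a useful event to log and alert on.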
Please refer to the following for further information: