spring-web is vulnerable to remote code execution (RCE). When it is used with external endpoints regardless of endpoints being authenticated or not, the function HttpInvokerServiceExporter: readRemoteInvocation allows deserialization of untrusted object if the endpoints are exposed to untrusted clients. It depends on the implementation within a product to mandate an authentication and to protect an application from an authenticated deserialization. The vendor has claimed the behavior to be as intended, but has deprecated the vulnerable Sun's JDK HTTP server classes in version 6.0.0.
Veracode Software Composition Analysis
HttpInvokerServiceExporter: readRemoteInvocation
allows deserialization of untrusted object if the endpoints are exposed to untrusted clients. It depends on the implementation within a product to mandate an authentication and to protect an application from an authenticated deserialization. The vendor has claimed the behavior to be as intended, but has deprecated the vulnerable Sun's JDK HTTP server classes in version 6.0.0.Links: