rsertelon
commented
8 years ago Thanks for reporting this vulnerability.
Closed gmlewis closed 8 years ago
rsertelon
commented
8 years ago Thanks for reporting this vulnerability.
slandelle
commented
8 years ago This is actually more cosmetic than critical: spring-dbunit is a test dependency so neither itself nor its dependencies should be in the runtime classpath.
Version 3.2.1 has a CVSS 10.0 vulnerability. That's the worst kind of vulnerability that exists. By merely existing on the classpath, this library causes the Java serialization parser for the entire JVM process to go from being a state machine to a turing machine. A turing machine with an exec() function!
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8103 https://commons.apache.org/proper/commons-collections/security-reports.html http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/