veracode-repository-ruleset / verademo-java-maven


CVE: 2016-1000027 found in Spring Web - Version: 4.3.10.RELEASE [JAVA] #52

Open github-actions[bot] opened 8 months ago

github-actions[bot] commented 8 months ago

Veracode Software Composition Analysis

| Attribute | Details |
| --- | --- |
| Library | Spring Web |
| Description | Spring Web |
| Language | JAVA |
| Vulnerability | Remote Code Execution (RCE) |
| Vulnerability description | spring-web is vulnerable to remote code execution (RCE). When it is used with external endpoints, regardless of whether the endpoints are authenticated or not, the function HttpInvokerServiceExporter.readRemoteInvocation allows deserialization of untrusted objects if the endpoints are exposed to untrusted clients. It depends on the implementation within a product to mandate authentication and to protect an application from an authenticated deserialization. The vendor has claimed the behavior to be as intended, but has deprecated the vulnerable Sun JDK HTTP server classes in version 6.0.0. |
| CVE | 2016-1000027 |
| CVSS score | 7.5 |
| Vulnerability present in version/s | 4.0.0.M1-5.3.31 |
| Found library version/s | 4.3.10.RELEASE |
| Vulnerability fixed in version | 6.0.0 |
| Library latest version | 6.1.1 |
Fix

Links:

github-actions[bot] commented 6 months ago

Veracode issue link to PR: https://github.com/veracode-repository-ruleset/verademo-java-maven/pull/54