secure-device-onboard/pri

Spring Framework 5.3.2* Vulnerability

lorenzoking opened this issue · 1 comment

Describe the bug
Potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Found in ops, ocs, and rv war files.

To Reproduce
Steps to reproduce the behavior:
Aquasec security scan on spring-web-5.3.24.jar and spring-web-5.3.25.jar

Expected behavior
This vulnerability should not show up on our Aquasec scan results.

Additional context
These vulnerabilities are fixed in version 6.0.0.

https://nvd.nist.gov/vuln/detail/CVE-2016-1000027

The SDO project is not affected because it implements its own data serialization and does not use HttpInvokerServiceExporter or RemoteInvocationSerializingExporter.
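One way to turn that "not affected" reasoning into a repeatable triage check, as an added example that is not part of this issue or the SDO code base: scan the shipped WAR for application code that references the two exporter classes, ignoring the spring-web jar that merely defines them. The WAR layout, the `org/example` class and the `legacy-remoting.jar` name are constructed sample input, not real SDO artifacts.

```python
import io
import zipfile

# The two Spring classes named in the thread, in the slash form used inside
# .class constant pools; a class file containing the string references the class.
REMOTING_CLASSES = (
    b"org/springframework/remoting/httpinvoker/HttpInvokerServiceExporter",
    b"org/springframework/remoting/rmi/RemoteInvocationSerializingExporter",
)

def _scan_class(data: bytes) -> set:
    """Remoting classes referenced by one .class file (byte search of its constant pool)."""
    return {name.decode() for name in REMOTING_CLASSES if name in data}

def find_remoting_usage(war_bytes: bytes, skip_jar_prefixes=("spring-web",)) -> dict:
    """Map 'location -> referenced remoting classes' over WEB-INF/classes and WEB-INF/lib/*.jar.
    Jars matching skip_jar_prefixes define the classes, so they are not counted as usage."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for entry in war.namelist():
            if entry.startswith("WEB-INF/classes/") and entry.endswith(".class"):
                if found := _scan_class(war.read(entry)):
                    hits[entry] = found
            elif entry.startswith("WEB-INF/lib/") and entry.endswith(".jar"):
                if entry.rsplit("/", 1)[-1].startswith(skip_jar_prefixes):
                    continue  # the library itself, not application code
                with zipfile.ZipFile(io.BytesIO(war.read(entry))) as jar:
                    for cls in jar.namelist():
                        if cls.endswith(".class") and (found := _scan_class(jar.read(cls))):
                            hits[f"{entry}!{cls}"] = found
    return hits

def _zip(files: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()

def build_sample_war() -> bytes:
    """Constructed sample WAR: a clean app class, a library jar that wires up
    HttpInvokerServiceExporter, and a stand-in spring-web jar that only defines the class."""
    exporter = REMOTING_CLASSES[0]
    return _zip({
        "WEB-INF/classes/org/example/Main.class": b"\xca\xfe\xba\xbe" + b"org/example/Main",
        "WEB-INF/lib/legacy-remoting.jar": _zip({"legacy/Config.class": b"\xca\xfe\xba\xbe" + exporter}),
        "WEB-INF/lib/spring-web-5.3.24.jar": _zip({exporter.decode() + ".class": b"\xca\xfe\xba\xbe" + exporter}),
    })
```

An empty result for a real WAR supports the comment above; a non-empty one names the exact class to review, which is what a scanner finding on the jar alone cannot tell you.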