CVE-2016-1000027
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or may not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
References
Published
Community ground truth
Community verdict
4 verdicts. Includes TruePositive's curated baseline from public sources — community verdicts accrue on top.
Practitioners rate this lower than its CVSS — likely over-rated by the score.
Field notes & remediation
Verdicts are the quick signal — notes are the evidence and fixes behind them.
- The textbook SCA false positive. The flaw is real only if your app actually exposes Spring's HttpInvokerServiceExporter/RemoteInvocationSerializingExporter and deserializes attacker-controlled data — a remoting style almost nobody uses today. But spring-web carries the class transitively, so dependency scanners flag every Spring app at critical regardless of whether the vulnerable endpoint exists. VMware/Spring long declined to treat it as a framework vulnerability for exactly this reason. Sources: NVD · Spring issue #24434.
- Dissent — don't get complacent: if you do stand up a Spring HTTP Invoker endpoint (or any ObjectInputStream over untrusted bytes), this is a genuine unauth RCE. The 'false positive' verdict is for the ~99% who only carry the dependency transitively, not for the few who actually use remoting.
- If you don't use HTTP Invoker remoting (almost certainly), suppress/accept the finding with a documented justification — don't burn a sprint on it. If you do, drop the exporter or migrate off Java serialization; Spring 6 removed the legacy remoting support entirely.
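The reachability check the notes above describe, as an added example; this is not code from the page, from Spring, or from TruePositive. It scans a source tree for the two exporter classes the notes name and for raw ObjectInputStream use, then returns a verdict and a justification string for the suppression record. The verdict labels, the file-suffix list, the comment-skipping rule and the three sample projects are this example's own assumptions (the samples are constructed, not real code bases). A hit means "review this line", not proof of exploitability, and a clean scan only covers source it can read: bean definitions produced by code generation or by a library you depend on are not seen.

```python
"""Reachability triage for CVE-2016-1000027 in a Spring code base.

Added example, not code from the page, from Spring, or from TruePositive.
Scans source for the remoting exporters named in the field notes and for raw
ObjectInputStream use, then returns a verdict for the SCA suppression record.
"""
import re
from pathlib import Path
from typing import Dict, List, NamedTuple

# The two sinks the field notes name; an endpoint built on either one is what
# makes the CVE reachable. Extend the tuple if your code wraps them.
EXPORTER_CLASSES = ("HttpInvokerServiceExporter", "RemoteInvocationSerializingExporter")
# Raw Java deserialization of request bytes is the same sink without Spring's wrapper.
RAW_SINK_CLASSES = ("ObjectInputStream",)

# Whole-identifier match, so it finds Java usages/imports and XML bean definitions
# such as class="org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter".
SINK_PATTERN = re.compile(r"\b(" + "|".join(EXPORTER_CLASSES + RAW_SINK_CLASSES) + r")\b")
# Assumed file set: Java/Kotlin/Groovy source plus XML bean definitions.
SOURCE_SUFFIXES = (".java", ".kt", ".groovy", ".xml")


class Hit(NamedTuple):
    path: str
    line: int
    sink: str
    text: str


def scan_sources(sources: Dict[str, str]) -> List[Hit]:
    """Scan an in-memory {path: content} map. Comment lines are skipped so a
    mention of a sink in a comment does not count."""
    hits: List[Hit] = []
    for path, content in sources.items():
        if not path.endswith(SOURCE_SUFFIXES):
            continue
        for lineno, line in enumerate(content.splitlines(), 1):
            stripped = line.strip()
            if stripped.startswith(("//", "*", "/*", "<!--")):
                continue
            for match in SINK_PATTERN.finditer(line):
                hits.append(Hit(path, lineno, match.group(1), stripped))
    return hits


def scan_tree(root: str) -> List[Hit]:
    """Read every source file under root and scan it."""
    files: Dict[str, str] = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix in SOURCE_SUFFIXES:
            files[str(p)] = p.read_text(encoding="utf-8", errors="replace")
    return scan_sources(files)


def triage(hits: List[Hit]) -> str:
    """EXPOSED: an exporter is wired in, the CVE is a real finding.
    REVIEW: raw ObjectInputStream use, check which bytes reach it.
    NOT_REACHABLE: neither, the finding is the transitive-dependency false positive."""
    if any(h.sink in EXPORTER_CLASSES for h in hits):
        return "EXPOSED"
    if any(h.sink in RAW_SINK_CLASSES for h in hits):
        return "REVIEW"
    return "NOT_REACHABLE"


def justification(verdict: str, hits: List[Hit]) -> str:
    """Text for the suppression / risk-acceptance record."""
    if verdict == "NOT_REACHABLE":
        return ("CVE-2016-1000027 accepted: no HttpInvokerServiceExporter or "
                "RemoteInvocationSerializingExporter bean and no ObjectInputStream "
                "use in source; spring-web is carried as a dependency only.")
    lines = [f"CVE-2016-1000027 {verdict}: review these sinks before suppressing:"]
    lines += [f"  {h.path}:{h.line}  {h.sink}  {h.text}" for h in hits]
    return "\n".join(lines)


# Constructed sample projects (not real code bases) for the demo below.
SAMPLE_TRANSITIVE_ONLY = {
    "src/main/java/com/example/Api.java":
        "package com.example;\n"
        "import org.springframework.web.bind.annotation.RestController;\n"
        "@RestController public class Api { }\n",
}
SAMPLE_REMOTING_APP = {
    "src/main/resources/remoting.xml":
        '<bean name="/AccountService" '
        'class="org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter">\n'
        '  <property name="service" ref="accountService"/>\n'
        "</bean>\n",
}
SAMPLE_RAW_SINK = {
    "src/main/java/com/example/Upload.java":
        "// ObjectInputStream named in a comment must not count\n"
        "Object o = new ObjectInputStream(request.getInputStream()).readObject();\n",
}

if __name__ == "__main__":
    import sys
    # Pass a project root to scan it; with no argument the remoting sample is used.
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_sources(SAMPLE_REMOTING_APP)
    print(justification(triage(hits), hits))
```

Run it against the repository root; a NOT_REACHABLE result gives you the justification line for the scanner's suppression file, while EXPOSED or REVIEW lists the exact lines to look at before deciding. Treat REVIEW hits the way the second note says: a bare ObjectInputStream over request bytes is the same sink whether or not Spring's exporter sits in front of it.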
Related CVEs
Same weakness — CWE-502 · Deserialization of Untrusted Data.
- CVE-2021-35464 · CVSS 9.8 · KEV · EPSS 100%
ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. The vulnerability exists due to the usage of Sun ONE Application Framework (JATO) found in versions of Java 8 or earlier.
- CVE-2023-0669 · CVSS 7.2 · KEV · EPSS 100%
Fortra (formerly HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object. This issue was patched in version 7.1.2.
- CVE-2023-29300 · CVSS 9.8 · KEV · EPSS 100%
Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution. Exploitation of this issue does not require user interaction.
- CVE-2022-47986 · CVSS 9.8 · KEV · EPSS 100%
IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system. The obsolete API call was removed in Faspex 4.4.2 PL2. IBM X-Force ID: 243512.
- CVE-2022-41082 · CVSS 8.0 · KEV · EPSS 100%
Microsoft Exchange Server Remote Code Execution Vulnerability.
- CVE-2019-18935 · CVSS 9.8 · KEV · EPSS 100%
Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)