[BLOSSOM-300] Dismiss Spring framework CVE-2016-1000027 Created: 20/May/22 Updated: 23/May/22 Resolved: 23/May/22 |
|
| Status: | Closed |
| Project: | Blossom |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 3.5.1 |
| Type: | Task | Priority: | Neutral |
| Reporter: | Federico Grilli | Assignee: | Federico Grilli |
| Resolution: | Done | Votes: | 0 |
| Labels: | security | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Template: |
|
| Acceptance criteria: |
Empty
|
| Task DoR: |
Empty
|
| Release notes required: |
Yes
|
| Team: |
| Description |
|
https://nvd.nist.gov/vuln/detail/CVE-2016-1000027 "Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data." One or more dependencies were identified with known vulnerabilities in Blossom sample webapp: spring-core-5.3.19.jar (pkg:maven/org.springframework/spring-core@5.3.19, cpe:2.3:a:pivotal_software:spring_framework:5.3.19:*:*:*:*:*:*:*, cpe:2.3:a:springsource:spring_framework:5.3.19:*:*:*:*:*:*:*, cpe:2.3:a:vmware:spring_framework:5.3.19:*:*:*:*:*:*:*, cpe:2.3:a:vmware:springsource_spring_framework:5.3.19:*:*:*:*:*:*:*) : CVE-2016-1000027 |