[BLOSSOM-300] Dismiss Spring framework CVE-2016-1000027 Created: 20/May/22  Updated: 23/May/22  Resolved: 23/May/22

Status: Closed
Project: Blossom
Component/s: None
Affects Version/s: None
Fix Version/s: 3.5.1

Type: Task Priority: Neutral
Reporter: Federico Grilli Assignee: Federico Grilli
Resolution: Done Votes: 0
Labels: security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Template:
Acceptance criteria:
Empty
Task DoR:
Empty
Release notes required:
Yes
Team: Foundation

Description

https://nvd.nist.gov/vuln/detail/CVE-2016-1000027

"Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or may not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data."

One or more dependencies were identified with known vulnerabilities in the Blossom sample webapp:
spring-core-5.3.19.jar (pkg:maven/org.springframework/spring-core@5.3.19, cpe:2.3:a:pivotal_software:spring_framework:5.3.19:*:*:*:*:*:*:*, cpe:2.3:a:springsource:spring_framework:5.3.19:*:*:*:*:*:*:*, cpe:2.3:a:vmware:spring_framework:5.3.19:*:*:*:*:*:*:*, cpe:2.3:a:vmware:springsource_spring_framework:5.3.19:*:*:*:*:*:*:*) : CVE-2016-1000027
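As an added example that is not part of this ticket, assuming the finding above came from OWASP dependency-check (the report wording matches its output), a suppression entry that dismisses only this CVE for spring-core rather than silencing every finding for the artifact. The file name, schema version and the justification placeholder are assumptions; the ticket does not record the reason for the dismissal.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check-suppressions.xml (constructed example, not from the Blossom project) -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

    <!-- Scoped dismissal: matches only CVE-2016-1000027 and only spring-core artifacts,
         so any other CVE reported against the same jar still surfaces. -->
    <suppress>
        <notes><![CDATA[
        BLOSSOM-300: CVE-2016-1000027 applies to Java deserialization of untrusted data.
        Justification: [record here why untrusted-data deserialization via Spring does not
        apply to the Blossom sample webapp, and re-evaluate if that changes]
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.springframework/spring\-core@.*$</packageUrl>
        <cve>CVE-2016-1000027</cve>
    </suppress>

    <!-- Over-broad form to avoid (shown commented out): a CPE-only suppression with no
         <cve> element drops the CPE identification itself, hiding every current and
         future CVE mapped to it, not just this one. -->
    <!--
    <suppress>
        <cpe>cpe:/a:vmware:spring_framework</cpe>
    </suppress>
    -->
</suppressions>
```

The scoped entry is the one to commit; the commented-out form is there only to show what a careless dismissal looks like.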

Generated at Sun Feb 11 23:32:06 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.