Deserialization Vulnerability in Spring Framework and Spring Security
CVE-2011-2894
Key Information:
- Vendor
- Vmware
- Vendor
- CVE Published:
- 4 October 2011
Badges
Summary
The Spring Framework and Spring Security contain vulnerabilities that permit remote attackers to execute untrusted code by exploiting deserialization from untrusted sources. This can occur through methods like serializing a java.lang.Proxy instance or accessing internal AOP interfaces, allowing attackers to utilize deserialization of a DefaultListableBeanFactory instance to execute arbitrary commands via java.lang.Runtime. Users of affected versions are advised to apply security updates and adhere to secure coding practices to mitigate risks.
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
EPSS Score
10% chance of being exploited in the next 30 days.
Timeline
- 🟡
Public PoC available
- 👾
Exploit known to exist
Vulnerability published
Vulnerability Reserved