CVE-2011-2894

Currently unrated

Key Information:

Vendor
Vmware
Status
Spring Security
Spring Framework
Vendor
CVE Published:
4 October 2011

Badges

👾 Exploit Exists🟡 Public PoC

Summary

Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by (1) serializing a java.lang.Proxy instance and using InvocationHandler, or (2) accessing internal AOP interfaces, as demonstrated using deserialization of a DefaultListableBeanFactory instance to execute arbitrary commands via the java.lang.Runtime class.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

SpringBreaker
Created by pwntester

References

http://www.springsource.com/security/cve-2011-2894
x_refsource_CONFIRM
http://www.securityfocus.com/bid/49536
vdb-entryx_refsource_BID
http://www.securityfocus.com/archive/1/519593/100/0/threaded
mailing-listx_refsource_BUGTRAQ

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.