Deserialization Vulnerability in Spring Framework and Spring Security
CVE-2011-2894

Currently unrated

Key Information:

Vendor
Vmware
Status
Spring Security
Spring Framework
Vendor
CVE Published:
4 October 2011

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 10%

Summary

The Spring Framework and Spring Security contain vulnerabilities that permit remote attackers to execute untrusted code by exploiting deserialization from untrusted sources. This can occur through methods like serializing a java.lang.Proxy instance or accessing internal AOP interfaces, allowing attackers to utilize deserialization of a DefaultListableBeanFactory instance to execute arbitrary commands via java.lang.Runtime. Users of affected versions are advised to apply security updates and adhere to secure coding practices to mitigate risks.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

SpringBreaker
Created by pwntester

References

http://www.springsource.com/security/cve-2011-2894
x_refsource_CONFIRM
http://www.securityfocus.com/bid/49536
vdb-entryx_refsource_BID
http://www.securityfocus.com/archive/1/519593/100/0/threaded
mailing-listx_refsource_BUGTRAQ

EPSS Score

10% chance of being exploited in the next 30 days.

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.