Remote Code Execution Vulnerability in Pivotal Spring Framework
CVE-2016-1000027

9.8CRITICAL

Key Information:

Vendor: Vmware
Status: Spring Framework
Vendor: CVE Published:; 2 January 2020

Badges

👾 Exploit Exists🟡 Public PoC

Summary

A potential remote code execution (RCE) vulnerability exists in the Pivotal Spring Framework, stemming from unsafe Java deserialization of untrusted data. Although the vendor maintains that handling untrusted data is not within the intended scope of the framework's use, the risk level depends on the specific implementation in various products. Depending on the implementation, this vulnerability could be exploited if authentication measures are not adequate.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

cve-2016-1000027-poc
Created by artem-smotrakov

Spring-Web-5xx-Mitigated-version
Created by tina94happy

spring-web-without-remoting
Created by yihtserns

References

https://www.tenable.com/security/research/tra-2016-20

https://raw.githubusercontent.com/distributedweaknessfili...

https://security-tracker.debian.org/tracker/CVE-2016-1000027

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Feb 9, 2024
👾
Exploit known to exist
Feb 9, 2024
Vulnerability published
Jan 2, 2020
Vulnerability Reserved
Jul 18, 2016