CVE-2016-1000027

9.8CRITICAL

Key Information:

Vendor
Vmware
Status
Spring Framework
Vendor
CVE Published:
2 January 2020

Badges

πŸ‘Ύ Exploit Exists🟑 Public PoC

Summary

Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

cve-2016-1000027-poc
Created by artem-smotrakov

Spring-Web-5xx-Mitigated-version
Created by tina94happy

spring-web-without-remoting
Created by yihtserns

References

https://www.tenable.com/security/research/tra-2016-20
https://raw.githubusercontent.com/distributedweaknessfili...
https://security-tracker.debian.org/tracker/CVE-2016-1000027

EPSS Score

1% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟑

    Public PoC available

  • πŸ‘Ύ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.