Deserialization Vulnerability in Pivotal Spring Security Enables Arbitrary Code Execution
CVE-2017-4995

8.1HIGH

Key Information:

Vendor
Vmware
Status
Spring Security Spring Security 4.2.0.release 4.2.2.release And Spring Security 5.0.0.m1
Vendor
CVE Published:
27 November 2017

Summary

A deserialization vulnerability exists in Pivotal Spring Security versions 4.2.0.RELEASE to 4.2.2.RELEASE and Spring Security 5.0.0.M1, where enabling default typing for Jackson can lead to arbitrary code execution. This occurs when Jackson is configured to deserialize untrusted data without proper safeguards, exposing the application to potential exploits. Although Jackson has implemented blacklisting for known deserialization gadgets to mitigate risks, the responsibility falls on users to avoid utilizing the insecure configuration. Spring Security's inclusion of Jackson with default typing enabled necessitates greater caution to preemptively block arbitrary execution pathways presented by unknown gadgets on the classpath.

Affected Version(s)

Spring Security Spring Security 4.2.0.RELEASE 4.2.2.RELEASE and Spring Security 5.0.0.M1 Spring Security Spring Security 4.2.0.RELEASE 4.2.2.RELEASE and Spring Security 5.0.0.M1

References

https://pivotal.io/security/cve-2017-4995
x_refsource_CONFIRM
http://www.securityfocus.com/bid/99080
vdb-entryx_refsource_BID
https://lists.apache.org/thread.html/4641ed8616ccc2c1fbdd...
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.