Vulnerability disclosed in Spring Web

Issue date: 18-07-2023
Affects versions: 15.2, 15.1, 14.7, 13.4

Security Issue ID

SECURITY-467

Affected Product Version(s)

15.2.2, 15.1.4, 14.7.13, 14.0.0, 13.4.22 and previous releases.

Severity

Critical

Description

CVE-2016-1000027 suppress

Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.

CVSSv3.1

Base Score: 9.8 Critical
Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Instructions

Customers are recommended to upgrade to the latest version. As of the time of writing, 15.2.3,14.7.14,13.4.23.

Content Application

Channels

Projects

Relevance

Architecture

Concepts

Platform Configuration

Frontend Integration

Backend Development

Commerce Accelerator

Cloud Deployment (PaaS)

On-Premise Deployment

Security

Release Management

Platform Development

Bloomreach Documentation version

Vulnerability disclosed in Spring Web