Deserialization in Vmware Spring_framework
CVE-2011-2894
Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictio…
Vulnerability class: Insecure Deserialization
EPSS: 0.020 (84.0th percentile)
Affected products
- Vmware Spring_framework
- Vmware Spring_security
References
- secalert@redhat.com (vendor confirmation; Vendor Advisory)
- 49536 (SecurityFocus Bugtraq ID; Third Party Advisory, VDB Entry)
- 20110909 "CVE-2011-2894: Spring Framework and Spring Security serialization-based remoting vulnerabilities" (Bugtraq mailing list post; Third Party Advisory, VDB Entry)
- RHSA-2011:1334 (Red Hat vendor advisory; Third Party Advisory)
- spring-framework-object-sec-bypass(69687) (IBM X-Force; Third Party Advisory, VDB Entry)
- 8405 (SecurityReason; Third Party Advisory)
- 75263 (OSVDB; VDB Entry, Broken Link)
- secalert@redhat.com (Misc)
Frequently asked questions
- What is CVE-2011-2894?
- CVE-2011-2894 is a vulnerability in Vmware Spring_framework, classified under Deserialization of Untrusted Data. Published 2011-10-04.
- Is CVE-2011-2894 known to be exploited?
- 8 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.