Deserialization in VMware Spring Security
CVE-2017-4995
An issue was discovered in Pivotal Spring Security 4.2.0.RELEASE through 4.2.2.RELEASE, and Spring Security 5.0.0.M1. When configured to enable default typing, Jackson contained a deserialization vulnerability that could lead to arbitrary…
Vulnerability class: Insecure Deserialization
EPSS: 0.008 (74.9th percentile).
CVSS v3 metric
CVSS v3 base score 8.1 (High). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H.
Affected products
- VMware Spring Security — versions 4.2.0, 4.2.1, 4.2.2
- Spring Security 4.2.0.RELEASE through 4.2.2.RELEASE, and Spring Security 5.0.0.M1 (vendor not specified)
Weakness classification (CWE)
- CWE-502: Deserialization of Untrusted Data
Public proof-of-concept exploits
- 3 public proof-of-concept repositories are indexed.
Frequently asked questions
- What is CVE-2017-4995?
- CVE-2017-4995 is a high-severity vulnerability in VMware Spring Security, classified under Deserialization of Untrusted Data. CVSS v3 base score: 8.1/10. Published 2017-11-27.
- How severe is CVE-2017-4995?
- High severity. CVSS v3 base score is 8.1 out of 10.
- Is CVE-2017-4995 known to be exploited?
- 3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.