CVE-2016-1000027 Critical in 5.3 but only fixed in > 6.0.0 #30923
Comments
Closing as a duplicate of #24434 and countless others.
@bclozel I searched. The ask: is it possible to remove the vulnerable classes in the latest 5.3.X release, since 6.0.0 has done so? But that is on the latest JDK, and not everybody can move to the latest, since we use an old JDK. Is it possible to fix this in the latest 5.3.X version?
@anand188 This has been answered and discussed multiple times already in the linked issue. Your application is not vulnerable if those classes aren't used by the application.
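The maintainer's distinction above (the classes being present on the classpath versus being used by the application) is the thing to check before deciding whether this CVE applies to a 5.3.x deployment. The script below is an added example for this thread, not code from the Spring Framework project or from either participant. It assumes the classes at issue are the Spring Remoting exporters and client proxies listed in `REMOTING_CLASSES` (deprecated in 5.3, removed in 6.0), and it scans a build output or exploded deployment for two different findings: the class definitions shipped inside the Spring jars, and references to them from application classes or XML bean definitions. The jar and war it builds for the demo are constructed fixtures, not real artefacts.

```python
"""Does a deployment merely ship, or actually use, the Spring Remoting classes
behind CVE-2016-1000027?  Added example; not Spring Framework code.
Assumption: the relevant classes are the ones in REMOTING_CLASSES.
Detection is a byte search over jar entries, not a class-file parser, so it is
a triage aid, not a proof of absence."""
import io
import os
import tempfile
import zipfile

REMOTING_CLASSES = (
    "org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter",
    "org.springframework.remoting.httpinvoker.SimpleHttpInvokerServiceExporter",
    "org.springframework.remoting.httpinvoker.HttpInvokerProxyFactoryBean",
    "org.springframework.remoting.rmi.RmiServiceExporter",
    "org.springframework.remoting.rmi.RmiProxyFactoryBean",
)
ARCHIVES = (".jar", ".war", ".zip")


def classify_entry(name, data):
    """Yield ("defines", cls) when the entry is the class itself and
    ("references", cls) when application code or config points at it.
    Entries under org/springframework/ are framework-internal: they define the
    class or refer to it from sibling classes, which says nothing about use."""
    internal = name.startswith("org/springframework/")
    for cls in REMOTING_CLASSES:
        slash = cls.replace(".", "/")      # form used in constant-pool type refs
        if name == slash + ".class":
            yield "defines", cls
        elif not internal and (slash.encode() in data or cls.encode() in data):
            yield "references", cls        # '.' form covers XML and string literals


def scan_archive(container, blob, findings):
    """Walk a jar/war in memory, recursing into nested jars (WEB-INF/lib)."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            if info.filename.endswith(ARCHIVES):
                scan_archive(container + "!" + info.filename, data, findings)
            else:
                for kind, cls in classify_entry(info.filename, data):
                    findings.append((container, info.filename, kind, cls))


def scan_path(root):
    """Scan a directory tree: loose classes/config plus any archives in it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                data = fh.read()
            if fn.endswith(ARCHIVES):
                scan_archive(path, data, findings)
            else:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                for kind, cls in classify_entry(rel, data):
                    findings.append((root, rel, kind, cls))
    return findings


def summarize(findings):
    """Separate the two questions the thread conflates."""
    return {
        "present_on_classpath": sorted({f[3] for f in findings if f[2] == "defines"}),
        "referenced_by_application": sorted({f[3] for f in findings if f[2] == "references"}),
    }


def build_fixture(root, uses_remoting):
    """Constructed fixture (not real artefacts): a fake Spring jar that ships the
    exporter, nested in a war whose application either wires it up or does not."""
    exporter = "org/springframework/remoting/httpinvoker/HttpInvokerServiceExporter"
    magic = b"\xca\xfe\xba\xbe"                    # stand-in for .class bytes
    spring_jar = io.BytesIO()
    with zipfile.ZipFile(spring_jar, "w") as zf:
        zf.writestr(exporter + ".class", magic + exporter.encode())
        zf.writestr("org/springframework/context/ApplicationContext.class", magic)
    app_class = magic + b"com/example/RemotingConfig"
    if uses_remoting:
        app_class += b"L" + exporter.encode() + b";"   # a field/method descriptor
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as zf:
        zf.writestr("WEB-INF/lib/spring-web-5.3.27.jar", spring_jar.getvalue())
        zf.writestr("WEB-INF/classes/com/example/RemotingConfig.class", app_class)
        if uses_remoting:
            zf.writestr("WEB-INF/remoting-servlet.xml",
                        '<bean name="/AccountService" class="' + exporter.replace("/", ".") + '"/>')
    return root


def demo(uses_remoting):
    """Build a throwaway fixture in a temp dir and report on it."""
    return summarize(scan_path(build_fixture(tempfile.mkdtemp(), uses_remoting)))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(summarize(scan_path(sys.argv[1])))    # e.g. target/ or an exploded war
    else:
        print("uses remoting:", demo(True))
        print("ships only:  ", demo(False))
```

Run it against a build directory or an exploded deployment. An empty `referenced_by_application` with a non-empty `present_on_classpath` is the situation the maintainer describes: the deprecated exporters are on the classpath because spring-web/spring-context ship them, but nothing in the application exposes an endpoint that deserializes request bodies. A non-empty `referenced_by_application` means the application does wire up an exporter or proxy and the CVE does apply to it regardless of the Spring version string. The search is by name only, so a reference created purely through reflection with a computed string, or a scanner run against obfuscated classes, can be missed.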
@bclozel The current 5.3.X is vulnerable, and I am not able to be convinced that this is not an issue. Even though the application won't use or invoke these classes, they still exist. The problem is: if they are not used, why should they exist? They can be removed in 5.3.X like it's done in 6.0.0, right? Instead of justifying that they won't be invoked, it's better to remove them. That's the only ask.
CVE-2016-1000027: Pivotal Spring Framework through 5.3.27 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or may not occur, and authentication may be required.
[Spring Framework] [5.3.27] Will there be a patch to remove those vulnerable classes, like it's done in 6.0.0? Much appreciated if the patch is done on 5.3 also.