why CVE-2016-1000027 just appear on HttpInvoker? #32624

chaoszcy opened this issue Apr 12, 2024 · 3 comments
Labels
status: duplicate A duplicate of another issue

Comments

@chaoszcy

It has confused me for a very long time: Java deserialization appears everywhere, in every framework, so why does only HttpInvoker hit CVE-2016-1000027 and get a 9.8 score?

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged or decided on label Apr 12, 2024
@JanStureNielsen
Contributor

@chaoszcy -- have you reviewed the Spring Security Policy? It appears to answer the Spring-specific portion of your deserialization question...

@chaoszcy
Author

@chaoszcy -- have you reviewed the Spring Security Policy? It appears to answer the Spring-specific portion of your deserialization question...

Thanks for your reply, but I don't want to report vulnerabilities, nor am I looking for a fix plan. I am just curious about how CVE-2016-1000027 happened.
In my understanding, if "Java deserialization from an untrusted source" is classified as unsafe behavior, there should be countless CVEs about it, but I don't see that many reports. So is there any other reason that makes HttpInvoker get hit by CVE-2016-1000027?

@bclozel
Member

bclozel commented Apr 12, 2024

See #24434 (comment)

@bclozel bclozel closed this as not planned Won't fix, can't repro, duplicate, stale Apr 12, 2024
@bclozel bclozel added status: duplicate A duplicate of another issue and removed status: waiting-for-triage An issue we've not yet triaged or decided on labels Apr 12, 2024