CVE-2017-4995
high
CVSS v3
8.1
CVSS v2
6.8
VIR risk
8.1
Description
Deserialization of Untrusted Data in Spring Security (CWE-502). Spring Security 4.2.0.RELEASE through 4.2.2.RELEASE and 5.0.0.M1 configure Jackson with global default typing enabled when an application invokes SecurityJackson2Modules.getModules(ClassLoader) or SecurityJackson2Modules.enableDefaultTyping(ObjectMapper). With default typing on, the JSON document itself names the class to instantiate, so any application that feeds untrusted JSON to such an ObjectMapper inherits Jackson's polymorphic-deserialization gadget problem: jackson-databind only blacklists known gadget classes (see the linked jackson-databind issue and commits), and a gadget on the classpath that is not yet on that list can lead to arbitrary code execution. Exposure requires all three conditions: the application registers Spring Security's Jackson modules, it uses Jackson to deserialize data it does not trust (Spring Security itself does not deserialize with Jackson, so this is the application's choice), and a not-yet-blacklisted gadget is present on the classpath. Spring Security 4.2.3.RELEASE and 5.0.0.M2 stop relying on Jackson's blacklist and restrict default typing to an allow-list of types.
Predictions
Exploit likelihood
88%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: security_alert@emc.com — https://pivotal.io/security/cve-2017-4995
Upgrade org.springframework.security:spring-security-core to 4.2.3.RELEASE (4.2.x line) or 5.0.0.M2 (5.0.x line). Until the upgrade is in place, do not deserialize untrusted JSON with an ObjectMapper that has Spring Security's Jackson modules registered.
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Maven | org.springframework.security:spring-security-core | >=4.2.0.RELEASE,<4.2.3.RELEASE | 4.2.3.RELEASE |
| Maven | org.springframework.security:spring-security-core | >=5.0.0.M1,<5.0.0.M2 | 5.0.0.M2 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| vmware | spring_security | 4.2.0 | |
| vmware | spring_security | 4.2.1 | |
| vmware | spring_security | 4.2.2 | |
| vmware | spring_security | 5.0.0 | |
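Triage helper, added here as an example and not part of the advisory or the Spring Security project: it checks the two conditions a practitioner can verify from a build, namely that spring-security-core falls inside the vulnerable ranges from the package table above and that application code actually calls one of the two SecurityJackson2Modules entry points named in the description. The `mvn dependency:tree` line format is real; the dependency tree and the Java snippet fed to it are constructed sample input, and the ordering of Spring qualifiers (M < RC < RELEASE, with a bare "4.2.0" treated as GA, as the application table lists it) is an assumption of this script.

```python
"""Triage helper for CVE-2017-4995 (added example, not the advisory's code).

Two of the advisory's conditions are checkable from a build: the dependency
version and whether the application wires Spring Security's Jackson modules
into an ObjectMapper. The third (an unblacklisted gadget on the classpath)
cannot be decided by version matching and is deliberately not claimed here.
"""
import re

# Vulnerable ranges from the package impact table, as [lower, upper) pairs.
VULNERABLE_RANGES = [
    ("4.2.0.RELEASE", "4.2.3.RELEASE"),
    ("5.0.0.M1", "5.0.0.M2"),
]
ARTIFACT = "org.springframework.security:spring-security-core"

# Assumed Spring qualifier ordering: milestone < release candidate < GA.
# A version with no qualifier ("4.2.0") is treated as GA (assumption).
QUALIFIER_RANK = {"M": 0, "RC": 1, "RELEASE": 2}


def parse_version(v):
    """'4.2.0.RELEASE' -> ((4,2,0), 2, 0); '5.0.0.M1' -> ((5,0,0), 0, 1)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.(M|RC)(\d+)|\.(RELEASE))?", v)
    if not m:
        raise ValueError("unrecognised Spring version: %r" % v)
    nums = tuple(int(x) for x in m.group(1, 2, 3))
    if m.group(4):
        return nums, QUALIFIER_RANK[m.group(4)], int(m.group(5))
    return nums, QUALIFIER_RANK["RELEASE"], 0


def is_vulnerable_version(v):
    """True if v lies in any [lower, upper) range from the package table."""
    key = parse_version(v)
    return any(parse_version(lo) <= key < parse_version(hi)
               for lo, hi in VULNERABLE_RANGES)


# Matches a `mvn dependency:tree` line such as
# "[INFO] +- org.springframework.security:spring-security-core:jar:4.2.1.RELEASE:compile"
DEP_LINE = re.compile(r"([\w.\-]+:[\w.\-]+):jar:([^:\s]+)")


def vulnerable_dependencies(tree_text):
    """Return the spring-security-core versions in the tree that are in range."""
    found = []
    for line in tree_text.splitlines():
        m = DEP_LINE.search(line)
        if m and m.group(1) == ARTIFACT and is_vulnerable_version(m.group(2)):
            found.append(m.group(2))
    return found


# The two entry points the advisory names as enabling default typing.
ENTRY_POINTS = ("SecurityJackson2Modules.getModules",
                "SecurityJackson2Modules.enableDefaultTyping")


def uses_security_jackson_modules(java_source):
    """Return the entry points referenced in the given Java source text."""
    return [ep for ep in ENTRY_POINTS if ep in java_source]


def triage(tree_text, java_source):
    """Exposed only when a vulnerable version AND an entry point are both present."""
    versions = vulnerable_dependencies(tree_text)
    entry_points = uses_security_jackson_modules(java_source)
    return {"vulnerable_versions": versions,
            "entry_points": entry_points,
            "exposed": bool(versions) and bool(entry_points)}


# Constructed sample input (not real project output).
SAMPLE_TREE = """\
[INFO] com.example:demo:jar:1.0
[INFO] +- org.springframework.security:spring-security-core:jar:4.2.1.RELEASE:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.8.8:compile
"""
SAMPLE_SOURCE = """\
ObjectMapper mapper = new ObjectMapper();
mapper.registerModules(SecurityJackson2Modules.getModules(getClass().getClassLoader()));
SecurityContext ctx = mapper.readValue(request.getInputStream(), SecurityContext.class);
"""

if __name__ == "__main__":
    print(triage(SAMPLE_TREE, SAMPLE_SOURCE))
```

Feed it the output of `mvn dependency:tree` and the concatenated Java sources of the application; a version string outside the three-number-plus-qualifier shape (for example a BUILD-SNAPSHOT) raises rather than being silently treated as safe. A hit on both checks means the first two advisory conditions hold; whether an exploitable gadget is on the classpath still has to be assessed separately, which is why the upgrade in the Mitigations section remains the actual fix.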
References
- http://www.securityfocus.com/bid/99080
- https://lists.apache.org/thread.html/4641ed8616ccc2c1fbddac2c3dc9900c96387bc226eaf0232d61909b%40%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/r42ac3e39e6265db12d9fc6ae1cd4b5fea7aed9830dc6f6d58228fed7%40%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/rf7f87810c38dc9abf9f93989f76008f504cbf7c1a355214640b2d04c%40%3Ccommits.cassandra.apache.org%3E
- https://pivotal.io/security/cve-2017-4995
- https://nvd.nist.gov/vuln/detail/CVE-2017-4995
- https://github.com/FasterXML/jackson-databind/issues/1599
- https://github.com/spring-projects/spring-security/issues/4370
- https://github.com/FasterXML/jackson-databind/commit/60d459cedcf079c6106ae7da2ac562bc32dcabe1
- https://github.com/FasterXML/jackson-databind/commit/6ce32ffd18facac6abdbbf559c817b47fcb622c
CWEs
CWE-502