CVE-2016-1000027 in Spring-Web #181

Closed
qligier opened this issue Jan 24, 2024 · 3 comments
Labels: security (About security)

Comments

qligier (Member) commented Jan 24, 2024

Package: org.springframework:spring-web
Installed Version: 5.3.27
Vulnerability: CVE-2016-1000027
Severity: CRITICAL
Fixed Version: 6.0.0
Link: CVE-2016-1000027

@qligier qligier added the security About security label Jan 24, 2024
@qligier qligier self-assigned this Jan 24, 2024
qligier (Member, Author) commented Jan 24, 2024

spring-projects/spring-framework#24434 (comment):

> TL;DR: this is an old CVE, the information is still relevant and it can't be "fixed" in Spring Framework since it's about avoiding exposing HTTP Invoker endpoints to untrusted clients - there's been an official warning about this in our documentation for years now.

spring-projects/spring-framework#24434 (comment):

> Having said that, it can be used as a reminder to check that there are no HTTP Invoker endpoints exposed to untrusted clients. If there are none, then there is nothing further to do.

spring-projects/spring-framework#24434 (comment):

> I guess that tools like NexusIQ aren't doing static code analysis but rather just looking at the dependency graph - otherwise they wouldn't flag your application: looking for HTTPInvokerServiceExporter or RemoteInvocationSerializingExporter usage in the application code would be an easy way to prevent most false positives.

We don't use HTTPInvokerServiceExporter or RemoteInvocationSerializingExporter in Matchbox.

This will be fixed by upgrading to v6.

@qligier qligier removed their assignment Jan 24, 2024
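The check the Spring maintainers describe above (look for the exporter classes rather than trusting the dependency graph) is easy to automate. The script below is an added example, not Matchbox code or anything from the Spring project: it walks a checkout and its build output and reports every file, XML bean definition, or compiled class inside a jar/war that references `org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter` or `org.springframework.remoting.rmi.RemoteInvocationSerializingExporter` (the real class names; the comment above spells the first one with "HTTP"). Scanning built artifacts matters because the bean can come from a dependency's XML or a library class rather than your own source. The `demo()` function builds a constructed, hypothetical sample tree so the script runs offline; the sample paths and bean names are invented for the example.

```python
"""Find HTTP Invoker exporter usage in a Spring project tree.

Added example, not Matchbox or Spring code. CVE-2016-1000027 only matters
if the application exposes endpoints that deserialize RemoteInvocation
objects, i.e. it wires up one of the two exporter classes below.
Dependency scanners flag spring-web as a whole; this script checks what
actually matters: whether those classes are referenced in sources, XML
bean definitions, or compiled classes inside built jars/wars.
"""
import io
import re
import tempfile
import zipfile
from pathlib import Path

# The two spring-web classes the Spring maintainers point at.
EXPORTER_CLASSES = (
    "org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter",
    "org.springframework.remoting.rmi.RemoteInvocationSerializingExporter",
)

# Text files that can reference the classes (Java/Kotlin imports,
# XML <bean class="..."/> definitions, property-driven configuration).
TEXT_SUFFIXES = {".java", ".kt", ".groovy", ".xml", ".properties", ".yml", ".yaml"}


def scan_bytes(data: bytes, origin: str) -> list:
    """Return (origin, class) pairs for every exporter class named in data.

    Matching the simple class name with word boundaries covers both the
    dotted form used in sources/XML and the slashed JVM internal name
    (Lorg/springframework/.../HttpInvokerServiceExporter;) that compiled
    classes carry in their constant pool.
    """
    hits = []
    for fq in EXPORTER_CLASSES:
        simple = fq.rsplit(".", 1)[1].encode()
        if re.search(rb"\b" + simple + rb"\b", data):
            hits.append((origin, fq))
    return hits


def scan_archive(archive, origin: str) -> list:
    """Scan .class/.xml/.properties entries of a jar or war and recurse
    into nested jars (WEB-INF/lib/*.jar). `archive` is a path or file-like."""
    findings = []
    with zipfile.ZipFile(archive) as zf:
        for name in zf.namelist():
            inner = f"{origin}!{name}"
            if name.endswith((".class", ".xml", ".properties")):
                findings += scan_bytes(zf.read(name), inner)
            elif name.endswith(".jar"):
                findings += scan_archive(io.BytesIO(zf.read(name)), inner)
    return findings


def scan_tree(root: Path) -> list:
    """Walk a project checkout plus build directory and collect findings."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix in TEXT_SUFFIXES or path.suffix == ".class":
            findings += scan_bytes(path.read_bytes(), rel)
        elif path.suffix in {".jar", ".war"}:
            findings += scan_archive(path, rel)
    return findings


def demo() -> list:
    """Build a constructed sample tree (hypothetical, not a real project)
    with one clean file and two exporter references, then scan it."""
    root = Path(tempfile.mkdtemp())
    # A plain REST controller: must not be reported.
    (root / "src/main/java/app").mkdir(parents=True)
    (root / "src/main/java/app/PingController.java").write_text(
        "package app;\n@RestController\npublic class PingController {}\n")
    # An XML bean definition that exposes a service over HTTP Invoker.
    (root / "src/main/resources").mkdir(parents=True)
    (root / "src/main/resources/remoting.xml").write_text(
        '<bean name="/remoting/AccountService"\n'
        '      class="org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter"/>\n')
    # A built jar whose compiled class references the other exporter. The
    # class file is a stub: the class-file magic number followed by the
    # constant-pool string a real subclass would contain.
    (root / "build/libs").mkdir(parents=True)
    stub_class = (b"\xca\xfe\xba\xbe\x00\x00\x00\x34"
                  b"Lorg/springframework/remoting/rmi/RemoteInvocationSerializingExporter;")
    with zipfile.ZipFile(root / "build/libs/app.jar", "w") as zf:
        zf.writestr("app/LegacyExporter.class", stub_class)
    return scan_tree(root)


if __name__ == "__main__":
    for origin, cls in demo():
        print(f"{origin}: references {cls}")
```

Point `scan_tree` at the repository root after a build so that both sources and the packaged war are covered. An empty result means no exporter is wired up and the scanner hit is a false positive for this application; any hit names the file or class to inspect and, if it really is exposed, the endpoint that must be restricted to trusted clients. Spring Framework 6.0 removed the `org.springframework.remoting` package entirely, which is why the upgrade mentioned above makes the finding go away rather than merely silencing it.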
oliveregger (Member) commented

We also need to look at the medium issues for the next release.

qligier (Member, Author) commented Feb 27, 2024

Done in 5f29a52

@qligier qligier closed this as completed Feb 27, 2024