Can spring-web 5.3.32 fix the vulnerability CVE-2016-1000027 and release a new 5.x version? #32300
Labels
status: duplicate
A duplicate of another issue
Comments
spring-projects-issues
added
the
status: waiting-for-triage
|
Duplicates #24434 Java serialization is intrinsically unsafe, there is nothing Spring could do here to fix it. If you don't use the HttpInvoker mechanism with Java serialization, then you are not affected. If you are using HttpInvoker and the API you built is accessible by a third party, add a serialization filter to whitelist the types you need to accept. Removing HttpInvoker in 5.x would be a breaking change. If a security scanning tool brought you here and you are not affected, you should mark the CVE as a false positive. |
bclozel
added
status: duplicate
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Affects: <Spring Framework version>
If there is a vulnerability (CVE-2016-1000027) in spring-web 5.3.32, can it be fixed and a new 5.x version be released?
The text was updated successfully, but these errors were encountered: