Access Restriction Bypass Affecting org.springframework.security:spring-security-core package, versions [2.0.0.RELEASE,2.0.7.RELEASE) [3.0.0.RELEASE,3.0.6.RELEASE)
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-31340
- published 8 Sep 2014
- disclosed 4 Oct 2011
- credit Wouter Coekaerts
Introduced: 4 Oct 2011
CVE-2011-2894 Open this link in a new tabHow to fix?
Upgrade org.springframework.security:spring-security-core to version 2.0.7.RELEASE, 3.0.6.RELEASE or higher.
Overview
org.springframework.security:spring-security-core is a package that provides security services for the Spring IO Platform.
Affected versions of this package are vulnerable to Access Restriction Bypass. Remote attackers can bypass intended security restrictions and execute untrusted code by (1) serializing a java.lang.Proxy instance and using InvocationHandler, or (2) accessing internal AOP interfaces, as demonstrated using deserialization of a DefaultListableBeanFactory instance to execute arbitrary commands via the java.lang.Runtime class.