CVE-2011-2894

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2011-2894
Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by (1) serializing a java.lang.Proxy instance and using InvocationHandler, or (2) accessing internal AOP interfaces, as demonstrated using deserialization of a DefaultListableBeanFactory instance to execute arbitrary commands via the java.lang.Runtime class.

6.8 /10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References
Link Resource
http://osvdb.org/75263 Broken Link
http://securityreason.com/securityalert/8405 Third Party Advisory
http://www.redhat.com/support/errata/RHSA-2011-1334.html Third Party Advisory
http://www.securityfocus.com/archive/1/519593/100/0/threaded Third Party Advisory VDB Entry
http://www.securityfocus.com/bid/49536 Third Party Advisory VDB Entry
http://www.springsource.com/security/cve-2011-2894 Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/69687 Third Party Advisory VDB Entry
https://web.archive.org/web/20120307233721/http://www.springsource.com/security/cve-2011-2894
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*
History

17 Jul 2022, 20:15

Type Values Removed Values Added
References
  • (MISC) https://web.archive.org/web/20120307233721/http://www.springsource.com/security/cve-2011-2894 -

21 Jun 2022, 16:46

Type Values Removed Values Added
References (BID) http://www.securityfocus.com/bid/49536 - (BID) http://www.securityfocus.com/bid/49536 - Third Party Advisory, VDB Entry
References (SREASON) http://securityreason.com/securityalert/8405 - (SREASON) http://securityreason.com/securityalert/8405 - Third Party Advisory
References (REDHAT) http://www.redhat.com/support/errata/RHSA-2011-1334.html - (REDHAT) http://www.redhat.com/support/errata/RHSA-2011-1334.html - Third Party Advisory
References (XF) https://exchange.xforce.ibmcloud.com/vulnerabilities/69687 - (XF) https://exchange.xforce.ibmcloud.com/vulnerabilities/69687 - Third Party Advisory, VDB Entry
References (OSVDB) http://osvdb.org/75263 - (OSVDB) http://osvdb.org/75263 - Broken Link
References (BUGTRAQ) http://www.securityfocus.com/archive/1/519593/100/0/threaded - (BUGTRAQ) http://www.securityfocus.com/archive/1/519593/100/0/threaded - Third Party Advisory, VDB Entry
CWE CWE-264 CWE-502
First Time Vmware spring Security
Vmware spring Framework
CPE cpe:2.3:a:vmware:springsource_spring_security:3.0.3:*:*:*:*:*:*:*
cpe:2.3:a:vmware:springsource_spring_framework:3.0.0:m1:*:*:*:*:*:*
cpe:2.3:a:vmware:springsource_spring_security:3.0.2:*:*:*:*:*:*:*
cpe:2.3:a:vmware:springsource_spring_security:2.0.2:*:*:*:*:*:*:*
cpe:2.3:a:vmware:springsource_spring_security:3.0.4:*:*:*:*:*:*:*
cpe:2.3:a:vmware:springsource_spring_security:2.0.3:*:*:*:*:*:*:*
cpe:2.3:a:vmware:springsource_spring_framework:3.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:vmware:springsource_spring_framework:3.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:vmware:springsource_spring_security:2.0.1:*:*:*:*:*:*:*
cpe:2.3:a:vmware:springsource_spring_security:2.0.4:*:*:*:*:*:*:*
cpe:2.3:a:vmware:springsource_spring_security:2.0.6:*:*:*:*:*:*:*
cpe:2.3:a:vmware:springsource_spring_framework:3.0.4:*:*:*:*:*:*:*
cpe:2.3:a:vmware:springsource_spring_framework:3.0.0:m3:*:*:*:*:*:*
cpe:2.3:a:vmware:springsource_spring_security:3.0.5:*:*:*:*:*:*:*
cpe:2.3:a:vmware:springsource_spring_framework:3.0.1:*:*:*:*:*:*:*
cpe:2.3:a:vmware:springsource_spring_framework:3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:vmware:springsource_spring_framework:3.0.2:*:*:*:*:*:*:*
cpe:2.3:a:vmware:springsource_spring_security:3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:vmware:springsource_spring_framework:3.0.0:m4:*:*:*:*:*:*
cpe:2.3:a:vmware:springsource_spring_framework:3.0.0:rc3:*:*:*:*:*:*
cpe:2.3:a:vmware:springsource_spring_framework:3.0.3:*:*:*:*:*:*:*
cpe:2.3:a:vmware:springsource_spring_security:2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:vmware:springsource_spring_framework:3.0.5:*:*:*:*:*:*:*
cpe:2.3:a:vmware:springsource_spring_framework:3.0.0:m2:*:*:*:*:*:*
cpe:2.3:a:vmware:springsource_spring_security:3.0.1:*:*:*:*:*:*:*
cpe:2.3:a:vmware:springsource_spring_security:2.0.5:*:*:*:*:*:*:*		 cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*
cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
Information

Published : 2011-10-04 10:55

Updated : 2023-12-10 11:03

NVD link : CVE-2011-2894

Mitre link : CVE-2011-2894

CVE.ORG link : CVE-2011-2894

JSON object : View

Products Affected

vmware

  • spring_security
  • spring_framework
CWE
CWE-502

Deserialization of Untrusted Data