CVE-2011-2894 — MEDIUM (6.8)

Q: How severe is CVE-2011-2894?

CVE-2011-2894 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2011-2894?

Check the references section above for vendor advisories and patch information. Affected products include: Vmware Spring Framework, Vmware Spring Security.

Vulnerability Description

Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by (1) serializing a java.lang.Proxy instance and using InvocationHandler, or (2) accessing internal AOP interfaces, as demonstrated using deserialization of a DefaultListableBeanFactory instance to execute arbitrary commands via the java.lang.Runtime class.

CVSS Score

6.8

MEDIUM

AV:N/AC:M/Au:N/C:P/I:P/A:P

Confidentiality

PARTIAL

Integrity

PARTIAL

Availability

PARTIAL

Affected Products

Vendor	Product	Versions
Vmware	Spring Framework	>= 3.0.0, <= 3.0.5
Vmware	Spring Security	>= 2.0.0, <= 2.0.6

Related Weaknesses (CWE)

CWE-502

References

http://osvdb.org/75263Broken Link
http://securityreason.com/securityalert/8405Third Party Advisory
http://www.redhat.com/support/errata/RHSA-2011-1334.htmlThird Party Advisory
http://www.securityfocus.com/archive/1/519593/100/0/threadedThird Party AdvisoryVDB Entry
http://www.securityfocus.com/bid/49536Third Party AdvisoryVDB Entry
http://www.springsource.com/security/cve-2011-2894Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/69687Third Party AdvisoryVDB Entry
https://web.archive.org/web/20120307233721/http://www.springsource.com/security/
http://osvdb.org/75263Broken Link
http://securityreason.com/securityalert/8405Third Party Advisory
http://www.redhat.com/support/errata/RHSA-2011-1334.htmlThird Party Advisory
http://www.securityfocus.com/archive/1/519593/100/0/threadedThird Party AdvisoryVDB Entry
http://www.securityfocus.com/bid/49536Third Party AdvisoryVDB Entry
http://www.springsource.com/security/cve-2011-2894Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/69687Third Party AdvisoryVDB Entry

FAQ

What is CVE-2011-2894?

CVE-2011-2894 is a vulnerability with a CVSS score of 6.8 (MEDIUM). Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers...

How severe is CVE-2011-2894?

CVE-2011-2894 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2011-2894?

Check the references section above for vendor advisories and patch information. Affected products include: Vmware Spring Framework, Vmware Spring Security.