QwikSec

Security Database

CVE

CWE

Training

CVE-2011-2894

Published: Oct 4, 2011

Modified: Aug 6, 2024

PUBLISHED

Description

Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by (1) serializing a java.lang.Proxy instance and using InvocationHandler, or (2) accessing internal AOP interfaces, as demonstrated using deserialization of a DefaultListableBeanFactory instance to execute arbitrary commands via the java.lang.Runtime class.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

http://www.springsource.com/security/cve-2011-2894

x_refsource_CONFIRM

vdb-entry

x_refsource_BID

20110909 CVE-2011-2894: Spring Framework and Spring Security serialization-based remoting vulnerabilities

mailing-list

x_refsource_BUGTRAQ

vendor-advisory

x_refsource_REDHAT

spring-framework-object-sec-bypass(69687)

vdb-entry

x_refsource_XF

third-party-advisory

x_refsource_SREASON

vdb-entry

x_refsource_OSVDB

https://web.archive.org/web/20120307233721/http://www.springsource.com/security/cve-2011-2894

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.