Medium Published: Oct 04, 2011 Modified: Apr 11, 2025

CVE-2011-2894

6.8 CVSS Score Medium
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Description

Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by (1) serializing a java.lang.reflect.Proxy instance and using an InvocationHandler, or (2) accessing internal AOP interfaces, as demonstrated using deserialization of a DefaultListableBeanFactory instance to execute arbitrary commands via the java.lang.Runtime class.
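Both attack vectors in the description rely on the application calling ObjectInputStream.readObject() on attacker-controlled bytes without restricting which classes may be instantiated. The following is an added example, not code from this page, from Spring, or from the original advisory: a look-ahead ObjectInputStream with a class allowlist, exercised against a benign payload and against a serialized java.lang.reflect.Proxy (vector 1). The class and method names (LookAheadObjectInputStream, EchoHandler, serialize, deserialize) are hypothetical, and the code assumes Java 9 or later. The point a practitioner most often misses is that proxy classes are resolved through resolveProxyClass(), not resolveClass(), so an allowlist that overrides only resolveClass() still lets vector 1 through.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class SafeDeserialization {

    // Allowlist of classes this endpoint expects on the wire (hypothetical set).
    // java.lang.String is written as a TC_STRING record, not a class descriptor,
    // so it never reaches resolveClass() and needs no entry here.
    static final Set<String> ALLOWED = Set.of("java.util.ArrayList");

    // ObjectInputStream that rejects unexpected classes BEFORE they are instantiated.
    static final class LookAheadObjectInputStream extends ObjectInputStream {
        LookAheadObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                // InvalidClassException is an IOException, so it propagates out of readObject()
                // instead of being swallowed the way ClassNotFoundException would be.
                throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
            }
            return super.resolveClass(desc);
        }

        // java.lang.reflect.Proxy instances (vector 1 of CVE-2011-2894) arrive as a proxy class
        // descriptor and are resolved here, not in resolveClass(). Reject them outright.
        @Override
        protected Class<?> resolveProxyClass(String[] interfaces)
                throws IOException, ClassNotFoundException {
            throw new InvalidClassException("Proxy classes are not allowed", String.join(",", interfaces));
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new LookAheadObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Serializable InvocationHandler standing in for the handler an attacker would pair with
    // a Proxy. Constructed for the demo only; it does nothing harmful.
    static final class EchoHandler implements InvocationHandler, Serializable {
        private static final long serialVersionUID = 1L;

        @Override
        public Object invoke(Object proxy, Method m, Object[] args) {
            return "handled:" + m.getName();
        }
    }

    public static void main(String[] args) throws Exception {
        // 1. An expected class passes the allowlist and round-trips normally.
        byte[] benign = serialize(new ArrayList<>(List.of("a", "b")));
        System.out.println("benign: " + deserialize(benign));

        // 2. A Proxy instance serializes fine (Proxy implements Serializable), but the
        //    hardened stream refuses it in resolveProxyClass() before any handler code runs.
        Runnable proxy = (Runnable) Proxy.newProxyInstance(
                SafeDeserialization.class.getClassLoader(),
                new Class<?>[] { Runnable.class },
                new EchoHandler());
        byte[] hostile = serialize(proxy);
        try {
            deserialize(hostile);
            System.out.println("BUG: proxy was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On Java 9+ (and 8u121+) the same policy can be expressed with the built-in JEP 290 filter instead of a subclass, for example `ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter("java.util.ArrayList;!*"))`, which also covers proxy classes; the subclass approach above is what was available on the Java 6/7 runtimes these Spring versions targeted. Neither mechanism helps vector 2 if the bean-factory classes themselves are on the allowlist, which is why the real fix is to never deserialize untrusted input into Spring internals at all.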

CVSS Vector Details

Attack Vector Network
Attack Complexity Medium
Authentication None
Confidentiality Partial
Integrity Partial
Availability Partial

Affected Software Configurations

  • cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
  • cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*

Weaknesses (CWE)

  • CWE-502 Deserialization of Untrusted Data

CVE History Timeline

Oct 04, 2011 16:46 Initial Analysis
Aug 29, 2017 01:29 CVE Modified
Oct 09, 2018 19:33 CVE Modified
Jun 21, 2022 16:46 Modified Analysis
Jul 17, 2022 20:15 CVE Modified
May 14, 2024 02:32 CVE Modified
Nov 21, 2024 01:29 CVE Modified