Description
Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by (1) serializing a java.lang.Proxy instance and using InvocationHandler, or (2) accessing internal AOP interfaces, as demonstrated using deserialization of a DefaultListableBeanFactory instance to execute arbitrary commands via the java.lang.Runtime class.
Remediation
References
http://www.securityfocus.com/bid/49536
http://www.springsource.com/security/cve-2011-2894
http://osvdb.org/75263
http://www.redhat.com/support/errata/RHSA-2011-1334.html
http://securityreason.com/securityalert/8405
https://exchange.xforce.ibmcloud.com/vulnerabilities/69687
http://www.securityfocus.com/archive/1/519593/100/0/threaded
https://web.archive.org/web/20120307233721/http://www.springsource.com/security/cve-2011-2894
Related Vulnerabilities
CVE-2021-43797 Vulnerability in maven package io.netty:netty-codec-http
CVE-2019-10384 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2021-32808 Vulnerability in maven package org.webjars.npm:ckeditor4
CVE-2022-23710 Vulnerability in maven package org.elasticsearch:elasticsearch
CVE-2020-8124 Vulnerability in maven package org.webjars.npm:url-parse