PT-2017-16252 · Pivotal · Spring Security

Published 2017-11-27 · Updated 2022-05-13 · CVE-2017-4995

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Pivotal Spring Security versions 4.2.0.RELEASE through 4.2.2.RELEASE
Spring Security version 5.0.0.M1

Description

An issue was discovered in Spring Security when configured to enable default typing, which could lead to arbitrary code execution due to a deserialization vulnerability in Jackson. This vulnerability can be exploited if Spring Security's Jackson support is being used to deserialize untrusted data and there is an unknown "deserialization gadget" present on the classpath that allows code execution. The vulnerability relies on the presence of such a gadget that is not already blacklisted by Jackson.

Recommendations

For Pivotal Spring Security versions 4.2.0.RELEASE through 4.2.2.RELEASE, consider disabling the default typing feature in Jackson to prevent deserialization vulnerabilities. For Spring Security version 5.0.0.M1, avoid using SecurityJackson2Modules.getModules(ClassLoader) or SecurityJackson2Modules.enableDefaultTyping(ObjectMapper) when deserializing untrusted data. As a temporary workaround, consider restricting the use of Jackson for deserializing data to trusted sources only, until a more comprehensive fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
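As an added example (not code from this advisory, Spring Security or Jackson), the Jackson setting the description refers to is shown beside a hardened form: unrestricted default typing next to default typing gated by a PolymorphicTypeValidator allow-list. It assumes Jackson 2.10 or later (which provides activateDefaultTyping) and uses the placeholder package prefix com.example.model for the application's own types.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingConfig {

    // Weak setting (the configuration the advisory describes): any class name
    // carried in the JSON type id is resolved and instantiated, so safety rests
    // on no usable gadget class being present on the classpath.
    @SuppressWarnings("deprecation")
    static ObjectMapper unrestrictedMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Hardened setting: default typing stays on, but a type id is honoured only
    // for classes under an allow-listed package; anything else is rejected
    // before an instance is created. "com.example.model." is a placeholder.
    static ObjectMapper restrictedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // True when the mapper refuses the type id named in the document.
    static boolean rejectsTypeId(ObjectMapper mapper, String json) {
        try {
            mapper.readValue(json, Object.class);
            return false;
        } catch (InvalidTypeIdException e) {
            return true;
        } catch (Exception e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        // Constructed input: a harmless JDK collection named through the type
        // id, standing in for any class a hostile document might name.
        String doc = "[\"java.util.ArrayList\", []]";
        System.out.println("unrestricted mapper rejects: " + rejectsTypeId(unrestrictedMapper(), doc));
        System.out.println("restricted mapper rejects:   " + rejectsTypeId(restrictedMapper(), doc));
    }
}
```

The restricted mapper throws InvalidTypeIdException for the JDK class because it falls outside the allow-listed prefix, while the unrestricted mapper instantiates it without complaint; that difference is the whole mitigation.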

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

CVE-2017-4995
GHSA-VHRG-V3CV-P247

Affected Products

Jackson
Spring Security