
Vulnerability_id VCID-xdnd-ar9s-afd8
Summary An issue was discovered in Pivotal Spring Security 4.2.0.RELEASE through 4.2.2.RELEASE, and Spring Security 5.0.0.M1. When configured to enable default typing, Jackson contained a deserialization vulnerability that could lead to arbitrary code execution. Jackson fixed this vulnerability by blacklisting known "deserialization gadgets." Spring Security configures Jackson with global default typing enabled, which means that (through the previous exploit) arbitrary code could be executed if all of the following is true: (1) Spring Security's Jackson support is being leveraged by invoking SecurityJackson2Modules.getModules(ClassLoader) or SecurityJackson2Modules.enableDefaultTyping(ObjectMapper); (2) Jackson is used to deserialize data that is not trusted (Spring Security does not perform deserialization using Jackson, so this is an explicit choice of the user); and (3) there is an unknown (Jackson is not blacklisting it already) "deserialization gadget" that allows code execution present on the classpath. Jackson provides a blacklisting approach to protecting against this type of attack, but Spring Security should be proactive against blocking unknown "deserialization gadgets" when Spring Security enables default typing.
Aliases
0
alias CVE-2017-4995
1
alias GHSA-vhrg-v3cv-p247
Fixed_packages
0
url pkg:maven/org.springframework.security/spring-security-core@4.2.2.RELEASE
purl pkg:maven/org.springframework.security/spring-security-core@4.2.2.RELEASE
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cden-3spy-pyhz
1
vulnerability VCID-dwcq-d6nf-1ubn
2
vulnerability VCID-f3g5-hamr-6yar
3
vulnerability VCID-hedq-eav6-4fee
4
vulnerability VCID-pz7c-p4ze-kfhc
5
vulnerability VCID-qpxj-fzta-v7bs
6
vulnerability VCID-u6vb-w2bu-ykfk
7
vulnerability VCID-xdnd-ar9s-afd8
8
vulnerability VCID-yeaf-ta2h-p7c1
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@4.2.2.RELEASE
1
url pkg:maven/org.springframework.security/spring-security-core@4.2.3.RELEASE
purl pkg:maven/org.springframework.security/spring-security-core@4.2.3.RELEASE
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cden-3spy-pyhz
1
vulnerability VCID-dwcq-d6nf-1ubn
2
vulnerability VCID-f3g5-hamr-6yar
3
vulnerability VCID-hedq-eav6-4fee
4
vulnerability VCID-pz7c-p4ze-kfhc
5
vulnerability VCID-qpxj-fzta-v7bs
6
vulnerability VCID-u6vb-w2bu-ykfk
7
vulnerability VCID-yeaf-ta2h-p7c1
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@4.2.3.RELEASE
Affected_packages
0
url pkg:maven/org.springframework.security/spring-security-core@4.2
purl pkg:maven/org.springframework.security/spring-security-core@4.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-xdnd-ar9s-afd8
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@4.2
1
url pkg:maven/org.springframework.security/spring-security-core@4.2.0.RELEASE
purl pkg:maven/org.springframework.security/spring-security-core@4.2.0.RELEASE
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cden-3spy-pyhz
1
vulnerability VCID-deuk-emca-3kgr
2
vulnerability VCID-dwcq-d6nf-1ubn
3
vulnerability VCID-f3g5-hamr-6yar
4
vulnerability VCID-hedq-eav6-4fee
5
vulnerability VCID-pz7c-p4ze-kfhc
6
vulnerability VCID-qpxj-fzta-v7bs
7
vulnerability VCID-u6vb-w2bu-ykfk
8
vulnerability VCID-xdnd-ar9s-afd8
9
vulnerability VCID-yeaf-ta2h-p7c1
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@4.2.0.RELEASE
2
url pkg:maven/org.springframework.security/spring-security-core@4.2.1.RELEASE
purl pkg:maven/org.springframework.security/spring-security-core@4.2.1.RELEASE
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cden-3spy-pyhz
1
vulnerability VCID-dwcq-d6nf-1ubn
2
vulnerability VCID-f3g5-hamr-6yar
3
vulnerability VCID-hedq-eav6-4fee
4
vulnerability VCID-pz7c-p4ze-kfhc
5
vulnerability VCID-qpxj-fzta-v7bs
6
vulnerability VCID-u6vb-w2bu-ykfk
7
vulnerability VCID-xdnd-ar9s-afd8
8
vulnerability VCID-yeaf-ta2h-p7c1
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@4.2.1.RELEASE
3
url pkg:maven/org.springframework.security/spring-security-core@4.2.2
purl pkg:maven/org.springframework.security/spring-security-core@4.2.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-xdnd-ar9s-afd8
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@4.2.2
4
url pkg:maven/org.springframework.security/spring-security-core@4.2.2.RELEASE
purl pkg:maven/org.springframework.security/spring-security-core@4.2.2.RELEASE
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cden-3spy-pyhz
1
vulnerability VCID-dwcq-d6nf-1ubn
2
vulnerability VCID-f3g5-hamr-6yar
3
vulnerability VCID-hedq-eav6-4fee
4
vulnerability VCID-pz7c-p4ze-kfhc
5
vulnerability VCID-qpxj-fzta-v7bs
6
vulnerability VCID-u6vb-w2bu-ykfk
7
vulnerability VCID-xdnd-ar9s-afd8
8
vulnerability VCID-yeaf-ta2h-p7c1
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@4.2.2.RELEASE
5
url pkg:maven/org.springframework.security/spring-security-core@5.0.0.M1
purl pkg:maven/org.springframework.security/spring-security-core@5.0.0.M1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-xdnd-ar9s-afd8
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.0.0.M1
References
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-4995.json
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-4995.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2017-4995
reference_id
reference_type
scores
0
value 0.00826
scoring_system epss
scoring_elements 0.74507
published_at 2026-04-18T12:55:00Z
1
value 0.00826
scoring_system epss
scoring_elements 0.74471
published_at 2026-04-12T12:55:00Z
2
value 0.00826
scoring_system epss
scoring_elements 0.74499
published_at 2026-04-16T12:55:00Z
3
value 0.00826
scoring_system epss
scoring_elements 0.74462
published_at 2026-04-13T12:55:00Z
4
value 0.00826
scoring_system epss
scoring_elements 0.74413
published_at 2026-04-01T12:55:00Z
5
value 0.00826
scoring_system epss
scoring_elements 0.74417
published_at 2026-04-02T12:55:00Z
6
value 0.00826
scoring_system epss
scoring_elements 0.74444
published_at 2026-04-04T12:55:00Z
7
value 0.00826
scoring_system epss
scoring_elements 0.74418
published_at 2026-04-07T12:55:00Z
8
value 0.00826
scoring_system epss
scoring_elements 0.74451
published_at 2026-04-08T12:55:00Z
9
value 0.00826
scoring_system epss
scoring_elements 0.74468
published_at 2026-04-09T12:55:00Z
10
value 0.00826
scoring_system epss
scoring_elements 0.7449
published_at 2026-04-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2017-4995
2
reference_url https://github.com/FasterXML/jackson-databind/commit/60d459cedcf079c6106ae7da2ac562bc32dcabe1
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/FasterXML/jackson-databind/commit/60d459cedcf079c6106ae7da2ac562bc32dcabe1
3
reference_url https://github.com/FasterXML/jackson-databind/commit/6ce32ffd18facac6abdbbf559c817b47fcb622c
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/FasterXML/jackson-databind/commit/6ce32ffd18facac6abdbbf559c817b47fcb622c
4
reference_url https://github.com/FasterXML/jackson-databind/issues/1599
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/FasterXML/jackson-databind/issues/1599
5
reference_url https://github.com/spring-projects/spring-security/commit/5dee8534cd1b92952d10cc56335b5d5856f48f3b
reference_id
reference_type
scores
url https://github.com/spring-projects/spring-security/commit/5dee8534cd1b92952d10cc56335b5d5856f48f3b
6
reference_url https://github.com/spring-projects/spring-security/commit/947d11f433b78294942cb5ea56e8aa5c3a0ca43
reference_id
reference_type
scores
url https://github.com/spring-projects/spring-security/commit/947d11f433b78294942cb5ea56e8aa5c3a0ca43
7
reference_url https://github.com/spring-projects/spring-security/issues/4370
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/spring-projects/spring-security/issues/4370
8
reference_url https://lists.apache.org/thread.html/4641ed8616ccc2c1fbddac2c3dc9900c96387bc226eaf0232d61909b@%3Ccommits.cassandra.apache.org%3E
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/4641ed8616ccc2c1fbddac2c3dc9900c96387bc226eaf0232d61909b@%3Ccommits.cassandra.apache.org%3E
9
reference_url https://lists.apache.org/thread.html/4641ed8616ccc2c1fbddac2c3dc9900c96387bc226eaf0232d61909b%40%3Ccommits.cassandra.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/4641ed8616ccc2c1fbddac2c3dc9900c96387bc226eaf0232d61909b%40%3Ccommits.cassandra.apache.org%3E
10
reference_url https://lists.apache.org/thread.html/r42ac3e39e6265db12d9fc6ae1cd4b5fea7aed9830dc6f6d58228fed7@%3Ccommits.cassandra.apache.org%3E
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/r42ac3e39e6265db12d9fc6ae1cd4b5fea7aed9830dc6f6d58228fed7@%3Ccommits.cassandra.apache.org%3E
11
reference_url https://lists.apache.org/thread.html/r42ac3e39e6265db12d9fc6ae1cd4b5fea7aed9830dc6f6d58228fed7%40%3Ccommits.cassandra.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r42ac3e39e6265db12d9fc6ae1cd4b5fea7aed9830dc6f6d58228fed7%40%3Ccommits.cassandra.apache.org%3E
12
reference_url https://lists.apache.org/thread.html/rf7f87810c38dc9abf9f93989f76008f504cbf7c1a355214640b2d04c@%3Ccommits.cassandra.apache.org%3E
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/rf7f87810c38dc9abf9f93989f76008f504cbf7c1a355214640b2d04c@%3Ccommits.cassandra.apache.org%3E
13
reference_url https://lists.apache.org/thread.html/rf7f87810c38dc9abf9f93989f76008f504cbf7c1a355214640b2d04c%40%3Ccommits.cassandra.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/rf7f87810c38dc9abf9f93989f76008f504cbf7c1a355214640b2d04c%40%3Ccommits.cassandra.apache.org%3E
14
reference_url http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-4995
reference_id
reference_type
scores
url http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-4995
15
reference_url http://www.securityfocus.com/bid/99080
reference_id
reference_type
scores
url http://www.securityfocus.com/bid/99080
16
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1499182
reference_id 1499182
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1499182
17
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:vmware:spring_security:4.2.0:release:*:*:*:*:*:*
reference_id cpe:2.3:a:vmware:spring_security:4.2.0:release:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:vmware:spring_security:4.2.0:release:*:*:*:*:*:*
18
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:vmware:spring_security:4.2.1:release:*:*:*:*:*:*
reference_id cpe:2.3:a:vmware:spring_security:4.2.1:release:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:vmware:spring_security:4.2.1:release:*:*:*:*:*:*
19
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:vmware:spring_security:4.2.2:release:*:*:*:*:*:*
reference_id cpe:2.3:a:vmware:spring_security:4.2.2:release:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:vmware:spring_security:4.2.2:release:*:*:*:*:*:*
20
reference_url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:vmware:spring_security:5.0.0:m1:*:*:*:*:*:*
reference_id cpe:2.3:a:vmware:spring_security:5.0.0:m1:*:*:*:*:*:*
reference_type
scores
url https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:vmware:spring_security:5.0.0:m1:*:*:*:*:*:*
21
reference_url https://nvd.nist.gov/vuln/detail/CVE-2017-4995
reference_id CVE-2017-4995
reference_type
scores
0
value 6.8
scoring_system cvssv2
scoring_elements AV:N/AC:M/Au:N/C:P/I:P/A:P
1
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2017-4995
22
reference_url https://pivotal.io/security/cve-2017-4995
reference_id CVE-2017-4995
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://pivotal.io/security/cve-2017-4995
23
reference_url https://github.com/advisories/GHSA-vhrg-v3cv-p247
reference_id GHSA-vhrg-v3cv-p247
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vhrg-v3cv-p247
Weaknesses
0
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
1
cwe_id 502
name Deserialization of Untrusted Data
description The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
2
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
Exploits
Severity_range_score 6.8 - 8.9
Exploitability 0.5
Weighted_severity 8.0
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xdnd-ar9s-afd8