Search for packages
| purl | pkg:maven/org.springframework.security/spring-security-core@4.2 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-efx3-b7vv-nfde
Aliases: CVE-2017-4995 GHSA-vhrg-v3cv-p247 |
Deserialization of Untrusted Data When configured to enable default typing, Jackson contained a deserialization vulnerability that could lead to arbitrary code execution. which means that (through the previous exploit) arbitrary code could be executed if all of the following is true: (1) Spring Security's Jackson support is being leveraged by invoking `SecurityJackson2Modules.getModules(ClassLoader)` or `SecurityJackson2Modules.enableDefaultTyping(ObjectMapper);` (2) Jackson is used to deserialize data that is not trusted (Spring Security does not perform deserialization using Jackson, so this is an explicit choice of the user); and (3) there is an unknown (Jackson is not excluding it already) `deserialization gadget` that allows code execution present on the classpath. Jackson provides a exclusion approach to protecting against this type of attack, but Spring Security should be proactive against blocking unknown `deserialization gadgets` when Spring Security enables default typing. |
Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-02T04:37:22.119061+00:00 | GitLab Importer | Affected by | VCID-efx3-b7vv-nfde | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security/spring-security-core/CVE-2017-4995.yml | 38.6.0 |