Search for packages
| purl | pkg:maven/org.springframework.security/spring-security-core@5.0.0.M1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-efx3-b7vv-nfde
Aliases: CVE-2017-4995 GHSA-vhrg-v3cv-p247 |
Deserialization of Untrusted Data When configured to enable default typing, Jackson contained a deserialization vulnerability that could lead to arbitrary code execution. which means that (through the previous exploit) arbitrary code could be executed if all of the following is true: (1) Spring Security's Jackson support is being leveraged by invoking `SecurityJackson2Modules.getModules(ClassLoader)` or `SecurityJackson2Modules.enableDefaultTyping(ObjectMapper);` (2) Jackson is used to deserialize data that is not trusted (Spring Security does not perform deserialization using Jackson, so this is an explicit choice of the user); and (3) there is an unknown (Jackson is not excluding it already) `deserialization gadget` that allows code execution present on the classpath. Jackson provides a exclusion approach to protecting against this type of attack, but Spring Security should be proactive against blocking unknown `deserialization gadgets` when Spring Security enables default typing. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-04T18:02:19.137773+00:00 | GithubOSV Importer | Affected by | VCID-efx3-b7vv-nfde | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-vhrg-v3cv-p247/GHSA-vhrg-v3cv-p247.json | 38.6.0 |
| 2026-06-02T04:37:22.128481+00:00 | GitLab Importer | Affected by | VCID-efx3-b7vv-nfde | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security/spring-security-core/CVE-2017-4995.yml | 38.6.0 |