### [CVE-2016-1000027](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000027)
![](https://img.shields.io/static/v1?label=Product&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=brighgreen)
### Description
Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or may not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
### POC
#### Reference
No PoCs from references.
#### Github
- https://github.com/ACIS-Chindanai/vahom
- https://github.com/ARPSyndicate/cvemon
- https://github.com/IkerSaint/VULNAPP-vulnerable-app
- https://github.com/Live-Hack-CVE/CVE-2016-1000
- https://github.com/Live-Hack-CVE/CVE-2016-1000027
- https://github.com/NicheToolkit/rest-toolkit
- https://github.com/OSCKOREA-WORKSHOP/NEXUS-Firewall
- https://github.com/OWASP/www-project-ide-vulscanner
- https://github.com/PalindromeLabs/Java-Deserialization-CVEs
- https://github.com/artem-smotrakov/cve-2016-1000027-poc
- https://github.com/au-abd/python-stuff
- https://github.com/au-abddakkak/python-stuff
- https://github.com/brunorozendo/simple-app
- https://github.com/cezapata/appconfiguration-sample
- https://github.com/checktor/quality-assurance-parent
- https://github.com/ckatzorke/owasp-suppression
- https://github.com/fernandoreb/dependency-check-springboot
- https://github.com/glenhunter/test-sab3
- https://github.com/hepaces89/httpInvokerServiceExporterRCE
- https://github.com/junxiant/xnat-aws-monailabel
- https://github.com/pctF/vulnerable-app
- https://github.com/scordero1234/java_sec_demo-main
- https://github.com/sr-monika/sprint-rest
- https://github.com/tina94happy/Spring-Web-5xx-Mitigated-version
- https://github.com/wtaxco/wtax-build-support
- https://github.com/yangliu138/container-cicd-demo
- https://github.com/yihtserns/spring-web-without-remoting