Critical
|
CVE |
libs |
Components |
Resolution |
Comments |
|
|---|---|---|---|---|---|
|
1 |
CVE-2016-1000027
|
Spring 5.3.25, 5.3.33 |
Shibboleth Websec, AdService Dmz |
Not affected. |
Shibboleth doesn’t use Java deserialization in any API endpoints https://www.tenable.com/security/research/tra-2016-20 This is not accepted as security issue on Spring codebase, rather an insecure setup using Java deserialization from untrusted sources. The final resolution: Verridium doesn’t use Java serialization on any API endpoints and therefore isn’t affected.
Resolution: upgrade spring to 6.0.0 up |