Affects: <Spring Framework version>
If there is a vulnerability (CVE-2016-1000027) in spring-web 5.3.32, can it be fixed and a new 5.x version be released?
Java serialization is intrinsically unsafe, there is nothing Spring could do here to fix it. If you don't use the HttpInvoker mechanism with Java serialization, then you are not affected. If you are using HttpInvoker and the API you built is accessible by a third party, add a serialization filter to whitelist the types you need to accept.
Removing HttpInvoker in 5.x would be a breaking change. If a security scanning tool brought you here and you are not affected, you should mark the CVE as a false positive.
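A minimal allow-list serialization filter of the kind the maintainer suggests, as an added example that is not from this issue or from Spring: it uses the JDK `ObjectInputFilter` API (JDK 9+, backported to 8u121) directly on an `ObjectInputStream`; `Greeting`, `Unexpected` and the class-name pattern are hypothetical stand-ins for the types a real HttpInvoker API would need.

```java
import java.io.*;

// Added example (not from the issue or Spring): a JEP 290 allow-list filter.
// Every class resolved during deserialization is checked against the pattern
// before it is instantiated, so unexpected gadget types never get loaded.
public class SerializationFilterDemo {

    // Hypothetical payload type the service legitimately accepts.
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // Hypothetical type that is serializable but NOT part of the API contract.
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Allow-list: the payload class plus java.base (String, collections, ...);
    // "!*" rejects everything else. Depth/reference limits bound resource use.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "SerializationFilterDemo$Greeting;java.base/*;!*;maxdepth=8;maxrefs=200");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // The filter must be set before the first readObject call. A rejected class
    // surfaces as InvalidClassException ("filter status: REJECTED").
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Greeting g = (Greeting) deserializeFiltered(serialize(new Greeting("hi")));
        System.out.println("accepted: " + g.text);
        try {
            deserializeFiltered(serialize(new Unexpected()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In an HttpInvoker service the same filter is set on the `ObjectInputStream` the exporter uses for each incoming request, before its first `readObject` call.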