Joe Lam ( https://osgeo-org.atlassian.net/secure/ViewProfile.jspa?accountId=6390cf0ffde064eda2f27535 ) *created* an issue

GeoServer / Bug GEOS-10772
Spring Core RCE Vulnerability CVE-2016-1000027
https://osgeo-org.atlassian.net/browse/GEOS-10772

Issue Type: Bug
Affects Versions: 2.22.0
Assignee: Unassigned
Created: 07/Dec/22 6:46 PM
Priority: High
Reporter: Joe Lam

https://nvd.nist.gov/vuln/detail/CVE-2016-1000027

Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or may not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
This message was sent by Atlassian Jira (v1001.0.0-SNAPSHOT#100212-sha1:e499055)
_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel