CVE-2016-1000027 Pivotal Spring Framework through 5.3.27 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or may not occur, and authentication may be required.
[Spring Framework] [5.3.27] Will there be a patch to remove those vulnerable classes, like was done in 6.0.0? Much appreciated if the patch is done on 5.3 also.
Comment From: bclozel
Closing as a duplicate of #24434 and countless others. Please search for issues before creating a new one; the original issue is even pinned at the top of the issues page.
Comment From: anand188
@bclozel Searched. The ask is: is it possible to remove the vulnerable classes in the latest 5.3.x release, since 6.0.0 has done so? But 6.0.0 is on the latest JDK, and not everybody can move to the latest since we use an old JDK. Is it possible for this to be fixed in the latest 5.3.x version?
Comment From: bclozel
@anand188 this has been answered and discussed multiple times already in the linked issue. Your application is not vulnerable if those classes aren't used by the application.
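The maintainer's point above is that exposure depends on whether the application actually wires up the serializing remoting exporters, not on whether the classes ship in the jar. The script below is an added audit example, not code from the Spring project or from anyone in this thread: it walks a project tree and reports every source file, bean-definition XML, compiled class or jar entry that references one of those exporter classes. The class names in `EXPORTER_CLASSES` are taken from the Spring remoting packages removed in 6.0 and are not named on this page; the mini-project it scans is constructed inline so the script runs offline.

```python
"""Audit a Spring project tree for references to the remoting exporter classes
associated with CVE-2016-1000027 (added example; not Spring project code)."""
import re
import tempfile
import zipfile
from pathlib import Path

# Assumption: the remoting exporters removed in Spring Framework 6.0. These names
# come from the Spring remoting packages, not from the issue thread; adjust the
# tuple if your threat model covers other serializing endpoints.
EXPORTER_CLASSES = (
    "org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter",
    "org.springframework.remoting.httpinvoker.SimpleHttpInvokerServiceExporter",
    "org.springframework.remoting.rmi.RemoteInvocationSerializingExporter",
    "org.springframework.remoting.rmi.RmiServiceExporter",
    "org.springframework.jms.remoting.JmsInvokerServiceExporter",
)

TEXT_SUFFIXES = {".java", ".kt", ".groovy", ".xml", ".properties", ".yml", ".yaml"}
ARCHIVE_SUFFIXES = {".jar", ".war"}


def _text_patterns():
    # Match either the fully-qualified name or the bare class name as a whole word,
    # so an import plus a short reference in the same file still counts once.
    pats = []
    for fqn in EXPORTER_CLASSES:
        simple = fqn.rsplit(".", 1)[1]
        regex = r"\b" + re.escape(fqn) + r"\b|\b" + re.escape(simple) + r"\b"
        pats.append((fqn, re.compile(regex)))
    return pats


TEXT_PATTERNS = _text_patterns()
# Compiled classes store referenced types in internal form (slashes) as UTF-8.
INTERNAL_NAMES = [(fqn, fqn.replace(".", "/").encode()) for fqn in EXPORTER_CLASSES]


def scan_text(location, text):
    return [(location, fqn) for fqn, pat in TEXT_PATTERNS if pat.search(text)]


def scan_class_bytes(location, data):
    return [(location, fqn) for fqn, needle in INTERNAL_NAMES if needle in data]


def scan_project(root):
    """Return (location, exporter class) pairs for every reference found under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        suffix = path.suffix.lower()
        if suffix in TEXT_SUFFIXES:
            findings.extend(scan_text(str(path), path.read_text(errors="replace")))
        elif suffix == ".class":
            findings.extend(scan_class_bytes(str(path), path.read_bytes()))
        elif suffix in ARCHIVE_SUFFIXES:
            with zipfile.ZipFile(path) as zf:
                for entry in zf.namelist():
                    if entry.endswith(".class"):
                        findings.extend(scan_class_bytes(f"{path}!{entry}", zf.read(entry)))
    return findings


def build_sample_project(root):
    """Write a constructed mini-project: one XML bean definition exposing an
    HttpInvokerServiceExporter, one clean Java file, and one jar whose class
    entry references RemoteInvocationSerializingExporter."""
    root = Path(root)
    (root / "src").mkdir(parents=True, exist_ok=True)
    (root / "src" / "remoting.xml").write_text(
        '<bean name="/AccountService" '
        'class="org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter"/>\n'
    )
    (root / "src" / "Clean.java").write_text("package demo;\npublic class Clean { }\n")
    # Fake class entry: a real constant pool carries the internal name in UTF-8,
    # which is all the byte scan relies on.
    with zipfile.ZipFile(root / "legacy.jar", "w") as zf:
        zf.writestr("demo/Legacy.class",
                    b"\xca\xfe\xba\xbe"
                    b"org/springframework/remoting/rmi/RemoteInvocationSerializingExporter")
    return root


def demo():
    """Build the constructed sample in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_project(build_sample_project(tmp))


if __name__ == "__main__":
    for location, exporter in demo():
        print(f"{location}: references {exporter}")
```

Point `scan_project` at a checkout or an exploded deployment; an empty result for the production classpath is the evidence behind "those classes aren't used by the application", while any hit marks an endpoint that deserializes caller-supplied data and should be removed or put behind a deserialization filter.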
Comment From: anand188
@bclozel The current 5.3.x is vulnerable, and I am not able to convince anyone this is not an issue: even though the application won't use or invoke these classes, they still exist. The problem is, if they're not used, why should they exist? They can be removed in 5.3.x like was done in 6.0.0, right? Instead of justifying that they won't be invoked, it's better to remove them. That's the only ask.
Comment From: bclozel
@anand188 See https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-744519525