It confused me for a very long time: Java deserialization appears everywhere, in every framework, so why does only HttpInvoker get hit by CVE-2016-1000027 and receive a 9.8 score?

Comment From: JanStureNielsen

@chaoszcy -- have you reviewed the Spring Security Policy? It appears to answer the Spring-specific portion of your deserialization question...

Comment From: chaoszcy

> @chaoszcy -- have you reviewed the Spring Security Policy? It appears to answer the Spring-specific portion of your deserialization question...

Thanks for your reply, but I don't want to report vulnerabilities, nor am I looking for a fix plan. I'm just curious about how CVE-2016-1000027 happened. In my understanding, if "Java deserialization from an untrusted source" is classified as unsafe behavior, there should be countless CVEs about it, but I don't see so many reports. So is there any other reason that got HttpInvoker hit by CVE-2016-1000027?
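To make the "deserialization from an untrusted source" point concrete, here is an added example (not code from Spring or from anyone in this thread). It mirrors the shape of an HTTP invoker endpoint with a constructed stand-in class `Invocation` (hypothetical; not Spring's `RemoteInvocation`) and compares a plain `readObject()` on a caller-supplied body with the same read behind a JEP 290 `ObjectInputFilter` allow-list. Both request bodies are constructed inline, so it runs offline on Java 9 or later.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Set;

public class InvokerDemo {

    // Constructed stand-in for a RemoteInvocation-style request object (hypothetical, not Spring's).
    public static final class Invocation implements Serializable {
        private static final long serialVersionUID = 1L;
        final String method;
        final Object[] args;
        Invocation(String method, Object[] args) { this.method = method; this.args = args; }
    }

    // Unsafe pattern: plain readObject() on a body the remote caller controls.
    // Every Serializable class on the server's classpath is a candidate for instantiation.
    static Object readUnfiltered(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return in.readObject();
        }
    }

    // Classes this protocol legitimately needs; anything else is rejected.
    static final Set<Class<?>> ALLOWED = Set.of(
            Invocation.class, String.class, Integer.class, Long.class, Number.class, Object.class);

    // JEP 290 (Java 9+) allow-list filter, consulted for each class descriptor and array as it is read.
    static ObjectInputFilter allowList() {
        return info -> {
            Class<?> c = info.serialClass();
            if (c == null) {
                return ObjectInputFilter.Status.UNDECIDED; // reference/depth-only check, no class involved
            }
            if (info.depth() > 8 || info.arrayLength() > 64) {
                return ObjectInputFilter.Status.REJECTED; // crude resource limits
            }
            while (c.isArray()) {
                c = c.getComponentType(); // judge arrays by their element type
            }
            return (c.isPrimitive() || ALLOWED.contains(c))
                    ? ObjectInputFilter.Status.ALLOWED
                    : ObjectInputFilter.Status.REJECTED;
        };
    }

    // Hardened read: same stream, but the filter runs before any class is resolved or instantiated.
    static Object readFiltered(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(allowList());
            return in.readObject(); // throws InvalidClassException when the filter rejects
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a legitimate call, and a body carrying a class the protocol never uses.
        byte[] legit = serialize(new Invocation("getUser", new Object[] { "alice", 42 }));
        byte[] unexpected = serialize(new HashMap<String, String>());

        System.out.println("unfiltered, legit:      " + ((Invocation) readUnfiltered(legit)).method);
        System.out.println("unfiltered, unexpected: " + readUnfiltered(unexpected).getClass().getName());
        System.out.println("filtered, legit:        " + ((Invocation) readFiltered(legit)).method);
        try {
            readFiltered(unexpected);
            System.out.println("filtered, unexpected:   accepted (should not happen)");
        } catch (InvalidClassException e) {
            System.out.println("filtered, unexpected:   rejected (" + e.getMessage() + ")");
        }
    }
}
```

The unfiltered reader happily materializes the `HashMap`, which is the whole problem: the caller, not the server, decides which classes get instantiated. The filtered reader rejects it at the class-descriptor stage, before any constructor or `readObject` hook runs. The allow-list here is an assumption for this demo; a real service has to enumerate the types its own protocol carries.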

Comment From: bclozel

See https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-744519525