Bug 23690 - CVE-2010-1622: Spring Framework execution of arbitrary code
Summary: CVE-2010-1622: Spring Framework execution of arbitrary code
Status: CLOSED FIXED
Alias: None
Product: Sisyphus
Classification: Development
Component: spring2
Version: unstable
Hardware: all
OS: Linux
Importance: P3 major
Assignee: viy
QA Contact: qa-sisyphus
URL:
Keywords: security
Depends on:
Blocks:
 
Reported: 2010-06-29 07:42 MSD by Slava Semushin
Modified: 2010-09-28 14:14 MSD
Description Slava Semushin 2010-06-29 07:42:37 MSD
The Spring Framework provides a mechanism to use client-provided data to update the properties of an object. This mechanism allows an attacker to modify the properties of the class loader used to load the object (via 'class.classloader'). This can lead to arbitrary command execution since, for example, an attacker can modify the URLs used by the class loader to point to locations controlled by the attacker.

http://www.springsource.com/security/cve-2010-1622
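The bug class behind this report is unrestricted property binding: a binder that follows dotted parameter names through nested JavaBeans properties will happily walk the `class` property that every `Object` exposes through `getClass()`. The example below is an added, hypothetical illustration written for this page; it is not Spring's `DataBinder`, and the `Order` bean, the `bind` helper and the parameter names are constructed. It shows the mitigation a defender applies: an explicit allow-list of bindable top-level fields plus an unconditional refusal of any path that traverses `class`. In real Spring code the same effect is obtained with the `setAllowedFields` / `setDisallowedFields` methods on `DataBinder`, and by upgrading to the fixed release.

```java
import java.beans.IntrospectionException;
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Toy property binder with an allow-list; hypothetical, not Spring's DataBinder. */
public class BindingAllowList {

    /** Hypothetical form-backing bean of the kind a web layer binds request parameters onto. */
    public static class Order {
        private String item = "";
        private int quantity = 0;
        public String getItem() { return item; }
        public void setItem(String item) { this.item = item; }
        public int getQuantity() { return quantity; }
        public void setQuantity(int quantity) { this.quantity = quantity; }
    }

    /**
     * Binds "a.b.c"-style parameter names onto target by reading each intermediate
     * property and invoking the final setter. A path is refused when its first
     * segment is not in allowedFields, or when any segment is "class": every Object
     * publishes getClass() as a readable bean property, so an unrestricted binder
     * would otherwise reach the class loader from a plain request parameter.
     * Returns the refused parameter names so the caller can log them.
     */
    public static List<String> bind(Object target, Map<String, String> params, Set<String> allowedFields) {
        List<String> rejected = new ArrayList<>();
        for (Map.Entry<String, String> e : params.entrySet()) {
            String[] path = e.getKey().split("\\.");
            boolean touchesClass = false;
            for (String seg : path) {
                if ("class".equals(seg)) touchesClass = true;
            }
            if (touchesClass || !allowedFields.contains(path[0])) {
                rejected.add(e.getKey());
                continue;
            }
            try {
                Object cursor = target;
                // Walk every segment but the last through its getter.
                for (int i = 0; i < path.length - 1 && cursor != null; i++) {
                    PropertyDescriptor pd = descriptor(cursor.getClass(), path[i]);
                    cursor = (pd == null || pd.getReadMethod() == null) ? null : pd.getReadMethod().invoke(cursor);
                }
                PropertyDescriptor last = cursor == null ? null : descriptor(cursor.getClass(), path[path.length - 1]);
                Method setter = last == null ? null : last.getWriteMethod();
                if (setter == null) {
                    rejected.add(e.getKey());
                    continue;
                }
                setter.invoke(cursor, convert(setter.getParameterTypes()[0], e.getValue()));
            } catch (IntrospectionException | ReflectiveOperationException | IllegalArgumentException ex) {
                rejected.add(e.getKey());
            }
        }
        return rejected;
    }

    private static PropertyDescriptor descriptor(Class<?> type, String name) throws IntrospectionException {
        for (PropertyDescriptor pd : Introspector.getBeanInfo(type).getPropertyDescriptors()) {
            if (pd.getName().equals(name)) return pd;
        }
        return null;
    }

    /** Minimal string conversion for the setter types the demo bean uses. */
    private static Object convert(Class<?> type, String raw) {
        if (type == int.class || type == Integer.class) return Integer.parseInt(raw);
        if (type == String.class) return raw;
        throw new IllegalArgumentException("unsupported type " + type);
    }

    public static void main(String[] args) {
        // Constructed request parameters: two legitimate fields plus a nested
        // path of the shape the advisory describes. The value is irrelevant
        // because the path is refused before anything is read or written.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("item", "widget");
        params.put("quantity", "3");
        params.put("class.classLoader.foo", "ignored");

        Order order = new Order();
        List<String> rejected = bind(order, params, Set.of("item", "quantity"));
        System.out.println(order.getItem() + " x" + order.getQuantity());
        System.out.println("rejected: " + rejected);
    }
}
```

The allow-list is checked on the first segment before any reflection runs, so the binder never even introspects the target for a disallowed parameter; the separate `class` check is a belt-and-braces guard in case a legitimately allowed bean type itself exposes a nested object whose properties lead back to a `Class`. Logging the `rejected` list gives a detection signal: requests carrying `class.*` parameters against a form endpoint are worth alerting on.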
Comment 1 Repository Robot 2010-09-28 14:14:07 MSD
spring2-0:2.5.6-alt2_6.SEC02jpp6 -> sisyphus:

* Tue Sep 28 2010 Igor Vlasenko <viy@altlinux> 0:2.5.6-alt2_6.SEC02jpp6
- new bugfix release SEC02 (closes: #23690)

* Tue Sep 28 2010 Igor Vlasenko <viy@altlinux> 0:2.5.6-alt2_6.SEC01jpp6
- new bugfix release SEC01