VYPR
Moderate severity · NVD Advisory · Published Oct 4, 2011 · Updated Jun 16, 2026

CVE-2011-2894

Description

Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions, deserialize objects from untrusted sources. This allows remote attackers to bypass intended security restrictions and execute untrusted code by (1) serializing a java.lang.Proxy instance and using its InvocationHandler, or (2) reaching internal AOP interfaces, as demonstrated by deserializing a DefaultListableBeanFactory instance to execute arbitrary commands via the java.lang.Runtime class. In practice this affects any endpoint that feeds attacker-controlled Java serialization data to an ObjectInputStream while these libraries are on the classpath; the fix shipped in Spring Framework 3.0.6 and Spring Security 3.0.6 / 2.0.7.
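
Added example (not code from the Spring project or from this advisory): a look-ahead ObjectInputStream that blocks both vectors named above before any object is instantiated. It overrides resolveProxyClass to refuse every java.lang.reflect.Proxy (vector 1) and resolveClass to refuse org.springframework.beans.factory.* and org.springframework.aop.* plus anything outside an explicit allowlist (vector 2). The allowlist, the denied prefixes and the Message and EchoHandler classes are assumptions for the demo; the handler is deliberately harmless and does not reproduce the DefaultListableBeanFactory chain.

```java
import java.io.*;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.Set;

/**
 * Look-ahead deserialization guard (added example, not Spring's code).
 * Both hooks run while the class descriptor is being read, i.e. before
 * the object, or a proxy's InvocationHandler, is allocated or invoked.
 */
public class HardenedObjectInputStream extends ObjectInputStream {

    // Hypothetical allowlist: the only types this service expects on the wire.
    private static final Set<String> ALLOWED = Set.of(
            "java.lang.String",
            "java.util.ArrayList",
            "HardenedObjectInputStream$Message");

    // Package prefixes this advisory is about; they must never arrive from the network.
    private static final String[] DENIED_PREFIXES = {
            "org.springframework.beans.factory.",
            "org.springframework.aop."
    };

    public HardenedObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    /** Vector (2): reject Spring internals, then everything not explicitly allowed. */
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        for (String prefix : DENIED_PREFIXES) {
            if (name.startsWith(prefix)) {
                throw new InvalidClassException(name, "Spring internals rejected during deserialization");
            }
        }
        if (!ALLOWED.contains(name)) {
            throw new InvalidClassException(name, "class not on deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    /** Vector (1): a java.lang.reflect.Proxy carrying a serialized InvocationHandler. */
    @Override
    protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
        throw new InvalidClassException("java.lang.reflect.Proxy",
                "dynamic proxies rejected: " + String.join(",", interfaces));
    }

    // ---- demo below: constructed sample objects, not real traffic ----

    /** Benign payload the service legitimately expects. */
    static final class Message implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Message(String text) { this.text = text; }
    }

    /** Serializable InvocationHandler: harmless here, but this is the shape the attack rides on. */
    static final class EchoHandler implements InvocationHandler, Serializable {
        private static final long serialVersionUID = 1L;
        @Override
        public Object invoke(Object proxy, Method m, Object[] args) {
            return "handler ran: " + m.getName();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object readHardened(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new HardenedObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // 1. Expected type on the allowlist: accepted.
        Message m = (Message) readHardened(serialize(new Message("hello")));
        System.out.println("accepted: " + m.text);

        // 2. Proxy + InvocationHandler: rejected in resolveProxyClass; invoke() never runs.
        Object proxy = Proxy.newProxyInstance(HardenedObjectInputStream.class.getClassLoader(),
                new Class<?>[] { Runnable.class }, new EchoHandler());
        try {
            readHardened(serialize(proxy));
        } catch (InvalidClassException e) {
            System.out.println("rejected proxy: " + e.getMessage());
        }

        // 3. Unlisted class: rejected in resolveClass before any instance is allocated.
        try {
            readHardened(serialize(new java.util.HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected unlisted: " + e.getMessage());
        }
    }
}
```

Upgrading to the patched versions is the actual fix; the guard above is defense in depth for any endpoint that must accept Java serialization from the network, and on JDK 9+ the same policy can be expressed as an ObjectInputFilter (JEP 290, via setObjectInputFilter or -Djdk.serialFilter) instead of a subclass.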

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                            Ecosystem  Affected versions   Patched versions
org.springframework:spring-core                    Maven      >= 3.0.0, < 3.0.6   3.0.6
org.springframework.security:spring-security-core  Maven      >= 3.0.0, < 3.0.6   3.0.6
org.springframework.security:spring-security-core  Maven      >= 2.0.0, < 2.0.7   2.0.7
