View Issue Details

ID: 0006039
Project: SymmetricDS
Category: Bug
View Status: public
Last Update: 2023-10-25 17:09
Reporter: edahern
Assigned To:
Priority: urgent
Status: closed
Resolution: fixed
Product Version: 3.14.6
Target Version: 3.15.0
Fixed in Version: 3.15.0
Summary: 0006039: CVE-2016-1000027 - /opt/symmetric-server/web/WEB-INF/lib/spring-web-5.3.27.jar

Description: A critical issue was found with symmetricDS and its use of spring-web 5.3.27. See details below.

cve: CVE-2016-1000027
severity: critical
packageName: spring-web
packageType: jar
packageVersion: 5.3.27
fixedVersion: 6.0.0
platforms: amd64
link: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000027 , https://nvd.nist.gov/vuln/detail/CVE-2016-1000027
packagePath : /opt/symmetric-server/web/WEB-INF/lib/spring-web-5.3.27.jar
baseLayerVulnerability: False
detectedBaseImages: registry.access.redhat.com/ubi8-minimal:8.8-1072.1696517598
tags: nvd-status(modified)

Steps To Reproduce: Scan image using AquaScan or twistlock.
Additional Information: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000027 , https://nvd.nist.gov/vuln/detail/CVE-2016-1000027
Tags: security

Activities

cquamme (developer) 2023-10-25 17:08 ~0002392

SymmetricDS 3.15.0 uses Java 17 and Spring version 6, so upgrading would get rid of this.

We are also not using the vulnerable Spring classes in 3.14, so there should be no issue using 3.14, but if you want to get it off the scanner, you can upgrade to 3.15.0.

Issue History

Date Modified Username Field Change
2023-10-20 09:05 edahern New Issue
2023-10-20 09:05 edahern Tag Attached: security
2023-10-25 17:08 cquamme Note Added: 0002392
2023-10-25 17:09 cquamme Status new => closed
2023-10-25 17:09 cquamme Resolution open => fixed
2023-10-25 17:09 cquamme Fixed in Version => 3.15.0