7.3
CVE-2026-40993
- EPSS 0.2%
- Veröffentlicht 09.06.2026 23:46:39
- Zuletzt bearbeitet 27.06.2026 22:16:46
- Quelle security@vmware.com
- CVE-Watchlists
- Unerledigt
Unfiltered Java Native Deserialization of SAML 2.0 Asserting Party Credentials BLOB Database Entry
An attacker with write permissions to the database table managed by JdbcAssertingPartyMetadataRepository (saml2_asserting_party_metadata) may be able to store malicious serialized payloads in the columns containing the collection of verification or encryption credentials (verification_credentials and encryption_credentials, respectively). Affected versions: Spring Security 7.0.0 through 7.0.5.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
VMware ≫ Spring Security Version >= 7.0.0 < 7.0.6
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.2% | 0.096 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.2 | 1.2 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
|
| security@vmware.com | 7.3 | 1 | 5.8 |
CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:H
|
CWE-502 Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
https://spring.io/security/cve-2026-40993