
CVE-2016-1000027



Unsafe Java deserialization methods in Spring Security

The issue in CVE-2016-1000027 requires the use of specific classes in the Spring library that Rundeck/Runbook Automation doesn't actually use. The solution is not vulnerable to the problems with that library.

There is currently no fix for this in the Spring 5.x framework. Once we are able to update to the next version of Grails, we will be able to use Spring 6 to address scanner findings for this CVE.