VulnerableCode Package Details - pkg:deb/debian/libspring-java@4.3.19-1?distro=trixie

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-4sj2-j914-9yfb	Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.	CVE-2018-1270 GHSA-p5hg-3xm3-gcjg
VCID-bpme-zq57-4uh7	Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack.	CVE-2018-1257 GHSA-rcpf-vj53-7h2m
VCID-mqnn-spsw-8fg5	Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.	CVE-2018-11040 GHSA-f26x-pr96-vw86
VCID-pb7f-yasx-17ag	Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.	CVE-2018-1272 GHSA-4487-x383-qpph
VCID-tu1q-zbk1-hbdm	Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.	CVE-2018-11039 GHSA-9gcm-f4x3-8jpw

Vulnerability

Summary

Aliases

VCID-4sj2-j914-9yfb

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

CVE-2018-1270
GHSA-p5hg-3xm3-gcjg

VCID-bpme-zq57-4uh7

Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack.

CVE-2018-1257
GHSA-rcpf-vj53-7h2m

VCID-mqnn-spsw-8fg5

Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.

CVE-2018-11040
GHSA-f26x-pr96-vw86

VCID-pb7f-yasx-17ag

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.

CVE-2018-1272
GHSA-4487-x383-qpph

VCID-tu1q-zbk1-hbdm

Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.

CVE-2018-11039
GHSA-9gcm-f4x3-8jpw

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T12:08:31.443847+00:00	Debian Importer	Fixing	VCID-4sj2-j914-9yfb	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T11:10:18.784041+00:00	Debian Importer	Fixing	VCID-pb7f-yasx-17ag	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T10:20:09.509086+00:00	Debian Importer	Fixing	VCID-tu1q-zbk1-hbdm	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T10:15:10.023746+00:00	Debian Importer	Fixing	VCID-bpme-zq57-4uh7	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T09:09:49.010077+00:00	Debian Importer	Fixing	VCID-mqnn-spsw-8fg5	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-13T08:18:05.604206+00:00	Debian Importer	Fixing	VCID-4sj2-j914-9yfb	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T07:35:35.195910+00:00	Debian Importer	Fixing	VCID-pb7f-yasx-17ag	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T06:57:32.935706+00:00	Debian Importer	Fixing	VCID-tu1q-zbk1-hbdm	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T06:53:46.202141+00:00	Debian Importer	Fixing	VCID-bpme-zq57-4uh7	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-11T18:08:03.496959+00:00	Debian Importer	Fixing	VCID-mqnn-spsw-8fg5	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-03T07:29:41.597827+00:00	Debian Importer	Fixing	VCID-pb7f-yasx-17ag	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:29:41.508420+00:00	Debian Importer	Fixing	VCID-4sj2-j914-9yfb	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:29:41.464294+00:00	Debian Importer	Fixing	VCID-bpme-zq57-4uh7	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:29:41.375823+00:00	Debian Importer	Fixing	VCID-mqnn-spsw-8fg5	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:29:41.335545+00:00	Debian Importer	Fixing	VCID-tu1q-zbk1-hbdm	https://security-tracker.debian.org/tracker/data/json	38.1.0