VulnerableCode Package Details - pkg:deb/debian/libspring-java@4.3.22-4

Search for packages

Vulnerability	Summary	Fixed by
VCID-y3uz-etva-sufh Aliases: CVE-2020-5421 GHSA-rv39-3qh7-9v7w	Improper Input Validation in Spring Framework In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.	4.3.30-1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-y3uz-etva-sufh
Aliases:
CVE-2020-5421
GHSA-rv39-3qh7-9v7w

Improper Input Validation in Spring Framework In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.

4.3.30-1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-4sj2-j914-9yfb	Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.	CVE-2018-1270 GHSA-p5hg-3xm3-gcjg
VCID-bpme-zq57-4uh7	Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack.	CVE-2018-1257 GHSA-rcpf-vj53-7h2m
VCID-mqnn-spsw-8fg5	Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.	CVE-2018-11040 GHSA-f26x-pr96-vw86
VCID-pb7f-yasx-17ag	Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.	CVE-2018-1272 GHSA-4487-x383-qpph
VCID-pht6-8af8-b3f2	Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.	CVE-2018-15756 GHSA-ffvq-7w96-97p7
VCID-qpxj-fzta-v7bs	Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed.	CVE-2018-1199 GHSA-v596-fwhq-8x48
VCID-tu1q-zbk1-hbdm	Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.	CVE-2018-11039 GHSA-9gcm-f4x3-8jpw

Vulnerability

Summary

Aliases

VCID-4sj2-j914-9yfb

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

CVE-2018-1270
GHSA-p5hg-3xm3-gcjg

VCID-bpme-zq57-4uh7

Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack.

CVE-2018-1257
GHSA-rcpf-vj53-7h2m

VCID-mqnn-spsw-8fg5

Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.

CVE-2018-11040
GHSA-f26x-pr96-vw86

VCID-pb7f-yasx-17ag

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.

CVE-2018-1272
GHSA-4487-x383-qpph

VCID-pht6-8af8-b3f2

Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.

CVE-2018-15756
GHSA-ffvq-7w96-97p7

VCID-qpxj-fzta-v7bs

Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed.

CVE-2018-1199
GHSA-v596-fwhq-8x48

VCID-tu1q-zbk1-hbdm

Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.

CVE-2018-11039
GHSA-9gcm-f4x3-8jpw

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-15T22:13:26.355793+00:00	Debian Oval Importer	Fixing	VCID-4sj2-j914-9yfb	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.4.0
2026-04-15T21:52:11.425925+00:00	Debian Oval Importer	Fixing	VCID-bpme-zq57-4uh7	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.4.0
2026-04-15T21:16:31.325228+00:00	Debian Oval Importer	Fixing	VCID-qpxj-fzta-v7bs	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.4.0
2026-04-15T19:10:44.285013+00:00	Debian Oval Importer	Fixing	VCID-mqnn-spsw-8fg5	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.4.0
2026-04-15T18:03:07.369453+00:00	Debian Oval Importer	Fixing	VCID-tu1q-zbk1-hbdm	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.4.0
2026-04-15T17:57:58.705142+00:00	Debian Oval Importer	Affected by	VCID-y3uz-etva-sufh	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.4.0
2026-04-15T17:20:45.162651+00:00	Debian Oval Importer	Fixing	VCID-pb7f-yasx-17ag	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.4.0
2026-04-15T16:08:35.350539+00:00	Debian Oval Importer	Fixing	VCID-pht6-8af8-b3f2	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.4.0
2026-04-11T21:51:07.519326+00:00	Debian Oval Importer	Fixing	VCID-4sj2-j914-9yfb	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.3.0
2026-04-11T21:30:40.368332+00:00	Debian Oval Importer	Fixing	VCID-bpme-zq57-4uh7	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.3.0
2026-04-11T20:56:13.829170+00:00	Debian Oval Importer	Fixing	VCID-qpxj-fzta-v7bs	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.3.0
2026-04-11T18:54:23.749512+00:00	Debian Oval Importer	Fixing	VCID-mqnn-spsw-8fg5	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.3.0
2026-04-11T17:48:50.752712+00:00	Debian Oval Importer	Fixing	VCID-tu1q-zbk1-hbdm	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.3.0
2026-04-11T17:43:50.504082+00:00	Debian Oval Importer	Affected by	VCID-y3uz-etva-sufh	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.3.0
2026-04-11T17:07:13.091814+00:00	Debian Oval Importer	Fixing	VCID-pb7f-yasx-17ag	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.3.0
2026-04-11T15:56:05.464089+00:00	Debian Oval Importer	Fixing	VCID-pht6-8af8-b3f2	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.3.0
2026-04-08T21:28:38.473655+00:00	Debian Oval Importer	Fixing	VCID-4sj2-j914-9yfb	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.1.0
2026-04-08T21:08:58.672144+00:00	Debian Oval Importer	Fixing	VCID-bpme-zq57-4uh7	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.1.0
2026-04-08T20:35:35.162947+00:00	Debian Oval Importer	Fixing	VCID-qpxj-fzta-v7bs	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.1.0
2026-04-08T18:39:05.808009+00:00	Debian Oval Importer	Fixing	VCID-mqnn-spsw-8fg5	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.1.0
2026-04-08T17:36:02.880592+00:00	Debian Oval Importer	Fixing	VCID-tu1q-zbk1-hbdm	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.1.0
2026-04-08T17:31:10.311936+00:00	Debian Oval Importer	Affected by	VCID-y3uz-etva-sufh	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.1.0
2026-04-08T16:56:24.031933+00:00	Debian Oval Importer	Fixing	VCID-pb7f-yasx-17ag	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.1.0
2026-04-08T15:49:16.647349+00:00	Debian Oval Importer	Fixing	VCID-pht6-8af8-b3f2	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.1.0