Search for packages
| purl | pkg:deb/debian/libspring-java@4.3.30-4?distro=trixie |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | ||
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-2327-21sr-mfgx | Improper Privilege Management When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles. |
CVE-2018-1272
GHSA-4487-x383-qpph |
| VCID-2ke4-ywbk-2qha | Improper Input Validation Under some situations, the Spring Framework is vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the response. |
CVE-2015-5211
GHSA-pgf9-h69p-pcgf |
| VCID-33up-jmsk-qffx | spring-webflux: Spring MVC and Spring WebFlux: Denial of Service via slow static resource resolution on Windows |
CVE-2026-22745
GHSA-6p4f-wcwh-5vvm |
| VCID-3jwd-72ab-ayf3 | Spring Framework vulnerable to denial of service In Spring Framework versions 6.0.0 - 6.0.13, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: * the application uses Spring MVC or Spring WebFlux * io.micrometer:micrometer-core is on the classpath * an ObservationRegistry is configured in the application to record observations Typically, Spring Boot applications need the org.springframework.boot:spring-boot-actuator dependency to meet all conditions. |
CVE-2023-34053
GHSA-v94h-hvhg-mf9h |
| VCID-46dm-5t83-tyh6 | Spring Security / MVC Path Matching Inconsistency This package rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences. |
CVE-2016-5007
GHSA-8crv-49fr-2h6j |
| VCID-4ut8-z444-puhf | Cross-site scripting flaw Cross-site scripting (XSS) vulnerability in `web/servlet/tags/form/FormTag.java` in Spring MVC in this package allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action. |
CVE-2014-1904
GHSA-ff7p-jqjm-v66h |
| VCID-5xyh-x7zt-aycz | Improper Restriction of XML External Entity Reference The Spring OXM wrapper when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue. |
CVE-2013-4152
GHSA-rp4p-g69r-438x |
| VCID-6pkk-3mj7-jyag | Cross-Site Request Forgery (CSRF) Spring Framework is vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. |
CVE-2020-5397
GHSA-7pm4-g2qj-j85x |
| VCID-72ga-q9u7-sfav | Improperly Implemented Security Check for Standard Spring Framework allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. |
CVE-2018-1275
GHSA-3rmv-2pg5-xvqj |
| VCID-7zcx-qpsn-zuem | XML External Entity (XXE) injection The `SourceHttpMessageConverter` in this package does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML. |
CVE-2013-6429
GHSA-g6hf-f9cq-q7w7 |
| VCID-a796-tmtn-6bac | Information disclosure via SSRF This package did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack. |
CVE-2014-0225
GHSA-f93f-g33r-8pcp |
| VCID-d66x-bm58-pfgt | Improper Privilege Management Spring Framework WebFlux applications are vulnerable to a privilege escalation. By (re)creating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with multipart request data. |
CVE-2021-22118
GHSA-gfwj-fwqj-fp3v |
| VCID-dakn-kfyh-syab | Uncontrolled Resource Consumption Spring Framework provides support for range requests when serving static resources through the `ResourceHttpRequestHandler`. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. |
CVE-2018-15756
GHSA-ffvq-7w96-97p7 |
| VCID-envb-buqd-r3dt | Path Traversal Spring Framework allows applications to configure Spring MVC to serve static resources (e.g., CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the `ServletContext`), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack. |
CVE-2018-1271
GHSA-g8hw-794c-4j9g |
| VCID-esxu-3a7m-q7a7 | False positive This advisory has been marked as a False Positive and has been removed. |
CVE-2018-11039
GHSA-9gcm-f4x3-8jpw |
| VCID-fbxq-3v82-yket | Improper Input Validation Spring Framework allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack. |
CVE-2018-1257
GHSA-rcpf-vj53-7h2m |
| VCID-fra1-reqm-kfdb | Remote file disclosure In Spring Framework the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter. |
CVE-2020-5421
GHSA-rv39-3qh7-9v7w |
| VCID-gwpy-9eej-kbgd | XML External Entity (XXE) injection This package does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions. |
CVE-2013-7315
GHSA-vp63-rrcm-9mph |
| VCID-h197-qg16-4ug5 | Improper Authentication The `ActiveDirectoryLdapAuthenticator` does not check the password length. If the directory allows anonymous binds then it may incorrectly authenticate a user who supplies an empty password. |
CVE-2014-0097
GHSA-gv9v-c375-hvmg |
| VCID-h4kj-zdr8-wbdr | Improper Input Validation Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for `getPathInfo()` and some do not. Spring Security uses the value returned by `getPathInfo()` as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed. |
CVE-2018-1199
GHSA-v596-fwhq-8x48 |
| VCID-haqr-jpvm-eqck | Improper Control of Generation of Code ('Code Injection') Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. |
CVE-2018-1270
GHSA-p5hg-3xm3-gcjg |
| VCID-hb8j-4quw-fyhy | XML External Entities This package does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429. |
CVE-2014-0054
GHSA-8cmm-qj8g-fcp6 |
| VCID-jeeg-btw1-5yaq | Spring Framework vulnerable to a reflected file download (RFD) In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a “Content-Disposition” header with a non-ASCII charset, where the filename attribute is derived from user-supplied input. Specifically, an application is vulnerable when all the following are true: - The header is prepared with `org.springframework.http.ContentDisposition`. - The filename is set via `ContentDisposition.Builder#filename(String, Charset)`. - The value for the filename is derived from user-supplied input. - The application does not sanitize the user-supplied input. - The downloaded content of the response is injected with malicious commands by the attacker (see RFD paper reference for details). An application is not vulnerable if any of the following is true: - The application does not set a “Content-Disposition” response header. - The header is not prepared with `org.springframework.http.ContentDisposition`. - The filename is set via one of: - `ContentDisposition.Builder#filename(String)`, or - `ContentDisposition.Builder#filename(String, ASCII)` - The filename is not derived from user-supplied input. - The filename is derived from user-supplied input but sanitized by the application. - The attacker cannot inject malicious content in the downloaded content of the response. |
CVE-2025-41234
GHSA-6r3c-xf4w-jxjm |
| VCID-kcma-n11h-q7ft | Deserialization of Untrusted Data Pivotal Spring Framework suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. |
CVE-2016-1000027
GHSA-4wrc-f8pq-fpqp |
| VCID-kvhz-7nfu-2kdx | Directory traversal flaw Directory traversal vulnerability in this package allows remote attackers to read arbitrary files via a crafted URL. |
CVE-2014-3578
GHSA-rhcg-rwhx-qj3j |
| VCID-m6g1-a6e3-bqbj | Inclusion of Functionality from Untrusted Control Sphere Spring Framework allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through `AbstractJsonpResponseBodyAdvice` for REST controllers and `MappingJackson2JsonView` for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when `MappingJackson2JsonView` is configured in an application, JSONP support is automatically ready to use through the `jsonp` and `callback` JSONP parameters, enabling cross-domain requests. |
CVE-2018-11040
GHSA-f26x-pr96-vw86 |
| VCID-ncq1-u2qu-77ec | DoS Attack with XML Input This package do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file. |
CVE-2015-3192
GHSA-6v7w-535j-rq5m |
| VCID-qa68-buyg-2bgq | Spring Framework server Web DoS Vulnerability In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: * the application uses Spring MVC * Spring Security 6.1.6+ or 6.2.1+ is on the classpath Typically, Spring Boot applications need the org.springframework.boot:spring-boot-starter-web and org.springframework.boot:spring-boot-starter-security dependencies to meet all conditions. |
CVE-2024-22233
GHSA-r4q3-7g4q-x89m |
| VCID-tj95-xfgu-pya7 | Directory traversal flaw Directory traversal vulnerability in this package allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling. |
CVE-2014-3625
GHSA-hhm4-hwq6-3c6w |
| VCID-tsjn-scdc-fqh3 | Download of Code Without Integrity Check In Spring Framework, an application is vulnerable to a reflected file download (RFD) attack when it sets a `Content-Disposition` header in the response where the filename attribute is derived from user supplied input. |
CVE-2020-5398
GHSA-8wx2-9q48-vm9r |
| VCID-txyw-49ms-n3f4 | Insufficiently random session id in Java SockJS client The Java SockJS client in this package generates predictable session ids, which allows remote attackers to send messages to other sessions via unspecified vectors. |
CVE-2015-0201
GHSA-45vg-2v73-vm62 |
| VCID-vgyx-gshk-tbcx | Path Traversal Paths provided to the `ResourceServlet` were not properly sanitized and as a result exposed to directory traversal attacks. |
CVE-2016-9878
GHSA-2m8h-fgr8-2q9w |
| VCID-vw31-4w5h-rucb | Improper Neutralization of Input During Web Page Generation in Spring Framework The JavaScriptUtils.javaScriptEscape method in web/util/JavaScriptUtils.java in Spring MVC in Spring Framework before 3.2.2 does not properly escape certain characters, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a (1) line separator or (2) paragraph separator Unicode character or (3) left or (4) right angle bracket. |
CVE-2013-6430
GHSA-xjrf-8x4f-43h4 |