Package details: pkg:maven/org.springframework.boot/spring-boot@1.5.7.RELEASE
purl pkg:maven/org.springframework.boot/spring-boot@1.5.7.RELEASE
Next non-vulnerable version 3.0.13
Latest non-vulnerable version 3.4.5
Risk 10.0
Vulnerabilities affecting this package (5)
Vulnerability Summary Fixed by
VCID-6sye-grs9-dqfh
Aliases:
CVE-2022-27772
GHSA-cm59-pr5q-cw85
Exposure of Resource to Wrong Sphere
spring-boot versions prior to version v2.2.11.RELEASE were vulnerable to temporary directory hijacking. This vulnerability impacted the `org.springframework.boot.web.server.AbstractConfigurableWebServerFactory.createTempDir` method. NOTE: This vulnerability only affects products and/or versions that are no longer supported by the maintainer.
2.2.11.RELEASE
Affected by 2 other vulnerabilities.
VCID-g7ce-fs6u-abdp
Aliases:
CVE-2017-8046
GHSA-9qf9-28h9-hqcj
Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.
1.5.9.RELEASE
Affected by 4 other vulnerabilities.
VCID-hek3-n96t-bydw
Aliases:
CVE-2018-1196
GHSA-xx65-cc7g-9pfp
Symlink privilege escalation attack via Spring Boot launch script
Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d Linux service. The script included with Spring Boot is susceptible to a symlink attack which allows the `run_user` to overwrite and take ownership of any file on the same system. In order to instigate the attack, the application must be installed as a service and the `run_user` requires shell access to the server.
1.5.10
Affected by 0 other vulnerabilities.
1.5.10.RELEASE
Affected by 3 other vulnerabilities.
VCID-k3fg-3bs3-87b9
Aliases:
CVE-2025-22235
GHSA-rc42-6c7j-7h5r
Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed
EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed.
Your application may be affected by this if all the following conditions are met:
* You use Spring Security
* EndpointRequest.to() has been used in a Spring Security chain configuration
* The endpoint which EndpointRequest references is disabled or not exposed via web
* Your application handles requests to /null and this path needs protection
You are not affected if any of the following is true:
* You don't use Spring Security
* You don't use EndpointRequest.to()
* The endpoint which EndpointRequest.to() refers to is enabled and is exposed
* Your application does not handle requests to /null or this path does not need protection
3.0.0
Affected by 1 other vulnerability.
3.3.11
Affected by 0 other vulnerabilities.
3.4.5
Affected by 0 other vulnerabilities.
VCID-kwk7-s11d-4ygy
Aliases:
CVE-2023-34055
GHSA-jjfh-589g-3hjx
Spring Boot Actuator denial of service vulnerability
In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 3.1.0-3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.
Specifically, an application is vulnerable when all of the following are true:
* the application uses Spring MVC or Spring WebFlux
* `org.springframework.boot:spring-boot-actuator` is on the classpath
2.7.18
Affected by 1 other vulnerability.
3.0.13
Affected by 0 other vulnerabilities.
3.1.6
Affected by 1 other vulnerability.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-16T23:27:47.726737+00:00 GitLab Importer Affected by VCID-k3fg-3bs3-87b9 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.boot/spring-boot/CVE-2025-22235.yml 38.4.0
2026-04-16T22:44:09.702299+00:00 GitLab Importer Affected by VCID-kwk7-s11d-4ygy https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.boot/spring-boot/CVE-2023-34055.yml 38.4.0
2026-04-16T21:43:46.080905+00:00 GitLab Importer Affected by VCID-6sye-grs9-dqfh https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.boot/spring-boot/CVE-2022-27772.yml 38.4.0
2026-04-16T20:42:13.844330+00:00 GitLab Importer Affected by VCID-hek3-n96t-bydw https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.boot/spring-boot/CVE-2018-1196.yml 38.4.0
2026-04-16T20:40:59.650179+00:00 GitLab Importer Affected by VCID-g7ce-fs6u-abdp https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.boot/spring-boot/CVE-2017-8046.yml 38.4.0
2026-04-16T01:25:26.703655+00:00 GHSA Importer Affected by VCID-hek3-n96t-bydw https://github.com/advisories/GHSA-xx65-cc7g-9pfp 38.4.0
2026-04-12T00:47:20.709007+00:00 GitLab Importer Affected by VCID-k3fg-3bs3-87b9 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.boot/spring-boot/CVE-2025-22235.yml 38.3.0
2026-04-12T00:03:46.555540+00:00 GitLab Importer Affected by VCID-kwk7-s11d-4ygy https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.boot/spring-boot/CVE-2023-34055.yml 38.3.0
2026-04-11T22:59:22.484784+00:00 GitLab Importer Affected by VCID-6sye-grs9-dqfh https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.boot/spring-boot/CVE-2022-27772.yml 38.3.0
2026-04-11T21:52:49.390444+00:00 GitLab Importer Affected by VCID-hek3-n96t-bydw https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.boot/spring-boot/CVE-2018-1196.yml 38.3.0
2026-04-11T21:51:34.637568+00:00 GitLab Importer Affected by VCID-g7ce-fs6u-abdp https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.boot/spring-boot/CVE-2017-8046.yml 38.3.0
2026-04-11T12:54:45.287193+00:00 GHSA Importer Affected by VCID-hek3-n96t-bydw https://github.com/advisories/GHSA-xx65-cc7g-9pfp 38.3.0
2026-04-03T00:55:18.890810+00:00 GitLab Importer Affected by VCID-k3fg-3bs3-87b9 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.boot/spring-boot/CVE-2025-22235.yml 38.1.0
2026-04-03T00:08:27.213357+00:00 GitLab Importer Affected by VCID-kwk7-s11d-4ygy https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.boot/spring-boot/CVE-2023-34055.yml 38.1.0
2026-04-02T23:08:04.950206+00:00 GitLab Importer Affected by VCID-6sye-grs9-dqfh https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.boot/spring-boot/CVE-2022-27772.yml 38.1.0
2026-04-02T22:06:36.360037+00:00 GitLab Importer Affected by VCID-hek3-n96t-bydw https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.boot/spring-boot/CVE-2018-1196.yml 38.1.0
2026-04-02T22:05:23.955364+00:00 GitLab Importer Affected by VCID-g7ce-fs6u-abdp https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.boot/spring-boot/CVE-2017-8046.yml 38.1.0
2026-04-02T13:47:21.481956+00:00 GHSA Importer Affected by VCID-hek3-n96t-bydw https://github.com/advisories/GHSA-xx65-cc7g-9pfp 38.1.0
2026-04-01T17:27:29.530197+00:00 GitLab Importer Affected by VCID-6sye-grs9-dqfh https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.boot/spring-boot/CVE-2022-27772.yml 38.0.0
2026-04-01T16:23:37.132771+00:00 GitLab Importer Affected by VCID-hek3-n96t-bydw https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.boot/spring-boot/CVE-2018-1196.yml 38.0.0
2026-04-01T16:22:21.713452+00:00 GitLab Importer Affected by VCID-g7ce-fs6u-abdp https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.boot/spring-boot/CVE-2017-8046.yml 38.0.0