Package details: pkg:maven/org.springframework.boot/spring-boot@1.5.9.RELEASE
purl: pkg:maven/org.springframework.boot/spring-boot@1.5.9.RELEASE
Next non-vulnerable version: 3.0.13
Latest non-vulnerable version: 4.0.6
Risk: 4.0
Vulnerabilities affecting this package (5)
Vulnerability | Summary | Fixed by

VCID-dsz6-w5ak-xqee
Aliases: CVE-2025-22235, GHSA-rc42-6c7j-7h5r
Summary: Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed. EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed. Your application may be affected by this if all the following conditions are met:
* You use Spring Security
* EndpointRequest.to() has been used in a Spring Security chain configuration
* The endpoint which EndpointRequest references is disabled or not exposed via web
* Your application handles requests to /null and this path needs protection
You are not affected if any of the following is true:
* You don't use Spring Security
* You don't use EndpointRequest.to()
* The endpoint which EndpointRequest.to() refers to is enabled and is exposed
* Your application does not handle requests to /null or this path does not need protection
Fixed by: 3.0.0 (affected by 1 other vulnerability); 3.3.11 (affected by 1 other vulnerability); 3.4.5 (affected by 1 other vulnerability)
VCID-g7xv-ej5p-skgv
Aliases: CVE-2023-34055, GHSA-jjfh-589g-3hjx
Summary: Spring Boot Actuator denial of service vulnerability. In Spring Boot versions 2.7.0-2.7.17, 3.0.0-3.0.12 and 3.1.0-3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true:
* the application uses Spring MVC or Spring WebFlux
* `org.springframework.boot:spring-boot-actuator` is on the classpath
Fixed by: 2.7.18 (affected by 2 other vulnerabilities); 3.0.13 (affected by 0 other vulnerabilities); 3.1.6 (affected by 1 other vulnerability)
VCID-nt71-r2ww-7yen
Aliases: CVE-2026-40973, GHSA-wwpq-f5c3-7hvx
Summary: Spring Boot: Arbitrary Code Execution and Session Hijacking via predictable temporary directory
Fixed by: 3.0.0 (affected by 1 other vulnerability); 3.5.14 (affected by 0 other vulnerabilities); 4.0.6 (affected by 0 other vulnerabilities)
VCID-vj5v-h525-5bdd
Aliases: CVE-2022-27772, GHSA-cm59-pr5q-cw85
Summary: Exposure of Resource to Wrong Sphere. spring-boot versions prior to v2.2.11.RELEASE were vulnerable to temporary directory hijacking. This vulnerability impacted the `org.springframework.boot.web.server.AbstractConfigurableWebServerFactory.createTempDir` method. NOTE: This vulnerability only affects products and/or versions that are no longer supported by the maintainer.
Fixed by: 2.2.11.RELEASE (affected by 3 other vulnerabilities)
VCID-wq91-uxkz-dkf7
Aliases: CVE-2018-1196, GHSA-xx65-cc7g-9pfp
Summary: Symlink privilege escalation attack via Spring Boot launch script. Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d Linux service. The script included with Spring Boot is susceptible to a symlink attack which allows the `run_user` to overwrite and take ownership of any file on the same system. In order to instigate the attack, the application must be installed as a service and the `run_user` requires shell access to the server.
Fixed by: 1.5.10 (affected by 0 other vulnerabilities); 1.5.10.RELEASE (affected by 4 other vulnerabilities)
Vulnerabilities fixed by this package (1)
Vulnerability | Summary | Aliases

VCID-kzsg-qwvd-2ffh
Summary: RCE in PATCH requests. Malicious PATCH requests submitted to servers using Spring Data REST backed HTTP resources can use specially crafted JSON data to run arbitrary Java code.
Aliases: CVE-2017-8046, GHSA-9qf9-28h9-hqcj