VulnerableCode Package Details - pkg:maven/org.springframework/spring-core@3.0-alpha0

Search for packages

Vulnerability	Summary	Fixed by
VCID-hcrz-cwpf-37db Aliases: CVE-2011-2730	EL expressions double evaluation When a container supports Expression Language (EL), this package evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a name attribute in a `spring:hasBindErrors` tag; path attribute in a `spring:bind` or `spring:nestedpath` tag; `arguments`, `code`, `text`, `var`, `scope`, or `message` attribute in a `spring:message` or `spring:theme` tag; or `var`, `scope`, or `value` attribute in a `spring:transform` tag, aka Expression Language Injection.	3.0.6.RELEASE Affected by 0 other vulnerabilities.
VCID-nsks-myf2-fugq Aliases: CVE-2009-1190	Regular expression denial of service (ReDOS) Algorithmic complexity vulnerability in this package allows remote attackers to cause a denial of service (CPU consumption) via serializable data with a long regex string containing multiple optional groups, a related issue to CVE-2004-2540.	3.0.1.RELEASE Affected by 0 other vulnerabilities.
VCID-p6yn-xbh2-3fhk Aliases: CVE-2010-1622 GHSA-vpr3-f594-mg5g	Remote classloader modification This package allows remote attackers to execute arbitrary code via an HTTP request containing `class.classLoader.URLs[0]=jar:` followed by a URL of a crafted `.jar` file.	3.0.3.RELEASE Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-hcrz-cwpf-37db
Aliases:
CVE-2011-2730

EL expressions double evaluation When a container supports Expression Language (EL), this package evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a name attribute in a `spring:hasBindErrors` tag; path attribute in a `spring:bind` or `spring:nestedpath` tag; `arguments`, `code`, `text`, `var`, `scope`, or `message` attribute in a `spring:message` or `spring:theme` tag; or `var`, `scope`, or `value` attribute in a `spring:transform` tag, aka Expression Language Injection.

3.0.6.RELEASE
Affected by 0 other vulnerabilities.

VCID-nsks-myf2-fugq
Aliases:
CVE-2009-1190

Regular expression denial of service (ReDOS) Algorithmic complexity vulnerability in this package allows remote attackers to cause a denial of service (CPU consumption) via serializable data with a long regex string containing multiple optional groups, a related issue to CVE-2004-2540.

3.0.1.RELEASE
Affected by 0 other vulnerabilities.

VCID-p6yn-xbh2-3fhk
Aliases:
CVE-2010-1622
GHSA-vpr3-f594-mg5g

Remote classloader modification This package allows remote attackers to execute arbitrary code via an HTTP request containing `class.classLoader.URLs[0]=jar:` followed by a URL of a crafted `.jar` file.

3.0.3.RELEASE
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-02T04:36:06.594726+00:00	GitLab Importer	Affected by	VCID-hcrz-cwpf-37db	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-core/CVE-2011-2730.yml	38.6.0
2026-06-02T04:36:03.540420+00:00	GitLab Importer	Affected by	VCID-p6yn-xbh2-3fhk	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-core/CVE-2010-1622.yml	38.6.0
2026-06-02T04:36:03.111321+00:00	GitLab Importer	Affected by	VCID-nsks-myf2-fugq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-core/CVE-2009-1190.yml	38.6.0