| purl | pkg:maven/org.springframework/spring-core@3.0.0 |
| Tags | Ghost |
| Next non-vulnerable version | 5.2.24.RELEASE |
| Latest non-vulnerable version | 6.2.11 |
| Risk | 4.0 |

| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-53gt-nbgk-hyc2 Aliases: CVE-2014-3578, GHSA-rhcg-rwhx-qj3j | Directory traversal vulnerability in Pivotal Spring Framework 3.x before 3.2.9 and 4.0 before 4.0.5 allows remote attackers to read arbitrary files via a crafted URL. | Affected by 0 other vulnerabilities. Affected by 12 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 11 other vulnerabilities. |
| VCID-h4ys-unzb-cbhn Aliases: CVE-2011-2730, GHSA-wv88-pf73-x22p | VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection." | Affected by 0 other vulnerabilities. Affected by 13 other vulnerabilities. |
| VCID-sy5j-6rkg-n3b7 Aliases: CVE-2011-2894, GHSA-f866-m9mv-2xr3 | Deserialization of Untrusted Data. Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by (1) serializing a java.lang.Proxy instance and using InvocationHandler, or (2) accessing internal AOP interfaces, as demonstrated using deserialization of a DefaultListableBeanFactory instance to execute arbitrary commands via the java.lang.Runtime class. | Affected by 0 other vulnerabilities. Affected by 13 other vulnerabilities. |

| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-04T14:31:17.994692+00:00 | GHSA Importer | Affected by | VCID-h4ys-unzb-cbhn | https://github.com/advisories/GHSA-wv88-pf73-x22p | 38.1.0 |
| 2026-04-04T14:30:48.944690+00:00 | GHSA Importer | Affected by | VCID-sy5j-6rkg-n3b7 | https://github.com/advisories/GHSA-f866-m9mv-2xr3 | 38.1.0 |
| 2026-04-04T14:30:09.081064+00:00 | GHSA Importer | Affected by | VCID-53gt-nbgk-hyc2 | https://github.com/advisories/GHSA-rhcg-rwhx-qj3j | 38.1.0 |
| 2026-04-01T12:50:35.302437+00:00 | GitLab Importer | Affected by | VCID-53gt-nbgk-hyc2 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-core/CVE-2014-3578.yml | 38.0.0 |
| 2026-04-01T12:50:29.691835+00:00 | GitLab Importer | Affected by | VCID-sy5j-6rkg-n3b7 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-core/CVE-2011-2894.yml | 38.0.0 |