VulnerableCode Package Details - pkg:maven/org.springframework/spring-core@3.0.2.RELEASE

Vulnerabilities affecting this package (8)

Vulnerability	Summary	Fixed by
VCID-2327-21sr-mfgx Aliases: CVE-2018-1272 GHSA-4487-x383-qpph	Improper Privilege Management When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.	4.3.15 Affected by 0 other vulnerabilities. 4.3.15.RELEASE Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 5.0.5 Affected by 0 other vulnerabilities. 5.0.5.RELEASE Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-46dm-5t83-tyh6 Aliases: CVE-2016-5007 GHSA-8crv-49fr-2h6j	Spring Security / MVC Path Matching Inconsistency This package rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.	4.3.1 Affected by 0 other vulnerabilities. 4.3.1.RELEASE Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-72ga-q9u7-sfav Aliases: CVE-2018-1275 GHSA-3rmv-2pg5-xvqj	Improperly Implemented Security Check for Standard Spring Framework allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.	4.3.16 Affected by 0 other vulnerabilities. 4.3.16.RELEASE Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 5.0.5 Affected by 0 other vulnerabilities. 5.0.5.RELEASE Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-fra1-reqm-kfdb Aliases: CVE-2020-5421 GHSA-rv39-3qh7-9v7w	Remote file disclosure In Spring Framework the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.	4.2.9.RELEASE Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 4.3.28.RELEASE Affected by 0 other vulnerabilities. 4.3.29.RELEASE Affected by 0 other vulnerabilities. 5.0.18.RELEASE Affected by 0 other vulnerabilities. 5.0.19.RELEASE Affected by 0 other vulnerabilities. 5.1.17.RELEASE Affected by 0 other vulnerabilities. 5.1.18.RELEASE Affected by 0 other vulnerabilities. 5.2.8.RELEASE Affected by 0 other vulnerabilities. 5.2.9.RELEASE Affected by 0 other vulnerabilities.
VCID-hcrz-cwpf-37db Aliases: CVE-2011-2730 GHSA-wv88-pf73-x22p	EL expressions double evaluation When a container supports Expression Language (EL), this package evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a name attribute in a `spring:hasBindErrors` tag; path attribute in a `spring:bind` or `spring:nestedpath` tag; `arguments`, `code`, `text`, `var`, `scope`, or `message` attribute in a `spring:message` or `spring:theme` tag; or `var`, `scope`, or `value` attribute in a `spring:transform` tag, aka Expression Language Injection.	3.0.6 Affected by 0 other vulnerabilities. 3.0.6.RELEASE Affected by 6 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-ncq1-u2qu-77ec Aliases: CVE-2015-3192 GHSA-6v7w-535j-rq5m	DoS Attack with XML Input This package do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.	3.2.14 Affected by 0 other vulnerabilities. 3.2.14.RELEASE Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 4.1.7 Affected by 0 other vulnerabilities. 4.1.7.RELEASE Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-p6yn-xbh2-3fhk Aliases: CVE-2010-1622 GHSA-vpr3-f594-mg5g	Remote classloader modification This package allows remote attackers to execute arbitrary code via an HTTP request containing `class.classLoader.URLs[0]=jar:` followed by a URL of a crafted `.jar` file.	3.0.3.RELEASE Affected by 7 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-vgyx-gshk-tbcx Aliases: CVE-2016-9878 GHSA-2m8h-fgr8-2q9w	Path Traversal Paths provided to the `ResourceServlet` were not properly sanitized and as a result exposed to directory traversal attacks.	3.2.18 Affected by 0 other vulnerabilities. 3.2.18.RELEASE Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 4.2.9 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 4.2.9.RELEASE Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 4.3.5 Affected by 0 other vulnerabilities. 4.3.5.RELEASE Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Next non-vulnerable version	3.0.6
Latest non-vulnerable version	6.2.11
Risk	4.0

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-04T20:39:06.335833+00:00	GitLab Importer	Affected by	VCID-fra1-reqm-kfdb	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-core/CVE-2020-5421.yml	38.6.0
2026-06-04T20:16:13.353106+00:00	GitLab Importer	Affected by	VCID-ncq1-u2qu-77ec	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-core/CVE-2015-3192.yml	38.6.0
2026-06-04T20:16:03.736545+00:00	GitLab Importer	Affected by	VCID-72ga-q9u7-sfav	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-core/CVE-2018-1275.yml	38.6.0
2026-06-04T20:15:59.768668+00:00	GitLab Importer	Affected by	VCID-2327-21sr-mfgx	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-core/CVE-2018-1272.yml	38.6.0
2026-06-04T20:14:56.342363+00:00	GitLab Importer	Affected by	VCID-vgyx-gshk-tbcx	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-core/CVE-2016-9878.yml	38.6.0
2026-06-04T20:08:06.321951+00:00	GitLab Importer	Affected by	VCID-46dm-5t83-tyh6	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-core/CVE-2016-5007.yml	38.6.0
2026-06-04T20:03:24.821040+00:00	GitLab Importer	Affected by	VCID-hcrz-cwpf-37db	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-core/CVE-2011-2730.yml	38.6.0
2026-06-04T18:23:34.562617+00:00	GHSA Importer	Affected by	VCID-46dm-5t83-tyh6	https://github.com/advisories/GHSA-8crv-49fr-2h6j	38.6.0
2026-06-02T04:36:03.544937+00:00	GitLab Importer	Affected by	VCID-p6yn-xbh2-3fhk	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-core/CVE-2010-1622.yml	38.6.0