Search for packages
| purl | pkg:maven/org.springframework/spring-core@4.2.0 |
| Tags | Ghost |
| Next non-vulnerable version | 5.2.24.RELEASE |
| Latest non-vulnerable version | 6.2.11 |
| Risk | 4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-ec6g-dnjb-vycb
Aliases: CVE-2015-5211 GHSA-pgf9-h69p-pcgf |
Under some situations, the Spring Framework 4.2.0 to 4.2.1, 4.0.0 to 4.1.7, 3.2.0 to 3.2.14 and older unsupported versions is vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the response. |
Affected by 0 other vulnerabilities. |
|
VCID-f3g5-hamr-6yar
Aliases: CVE-2019-3795 GHSA-v2r2-7qm7-jj6v |
Insufficient Entropy in PRNG Spring Security contain an insecure randomness vulnerability when using `SecureRandomFactoryBean#setSeed` to configure a `SecureRandom` instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection. |
Affected by 13 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-j3wr-npbv-8qcw
Aliases: CVE-2016-9878 GHSA-2m8h-fgr8-2q9w |
An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks. |
Affected by 1 other vulnerability. Affected by 11 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 10 other vulnerabilities. |
|
VCID-pz7c-p4ze-kfhc
Aliases: CVE-2019-11272 GHSA-v33x-prhc-gph5 |
PlaintextPasswordEncoder authenticates encoded passwords that are null Spring Security supports plain text passwords using `PlaintextPasswordEncoder`. a malicious user (or attacker) can authenticate using a password of `null`. |
Affected by 13 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-02T12:39:10.104772+00:00 | GitLab Importer | Affected by | VCID-pz7c-p4ze-kfhc | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-core/CVE-2019-11272.yml | 38.0.0 |
| 2026-04-01T15:56:59.532741+00:00 | GHSA Importer | Affected by | VCID-ec6g-dnjb-vycb | https://github.com/advisories/GHSA-pgf9-h69p-pcgf | 38.0.0 |
| 2026-04-01T12:48:23.877545+00:00 | GitLab Importer | Affected by | VCID-f3g5-hamr-6yar | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-core/CVE-2019-3795.yml | 38.0.0 |
| 2026-04-01T12:47:58.893183+00:00 | GitLab Importer | Affected by | VCID-j3wr-npbv-8qcw | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-core/CVE-2016-9878.yml | 38.0.0 |