Search for packages
| purl | pkg:maven/org.springframework/spring-core@4.3.0 |
| Tags | Ghost |
| Next non-vulnerable version | 5.2.24.RELEASE |
| Latest non-vulnerable version | 6.2.11 |
| Risk | 4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-j3wr-npbv-8qcw
Aliases: CVE-2016-9878 GHSA-2m8h-fgr8-2q9w |
An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks. |
Affected by 0 other vulnerabilities. Affected by 10 other vulnerabilities. |
|
VCID-qpxj-fzta-v7bs
Aliases: CVE-2018-1199 GHSA-v596-fwhq-8x48 |
Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed. |
Affected by 10 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 9 other vulnerabilities. Affected by 11 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 10 other vulnerabilities. |
|
VCID-y3uz-etva-sufh
Aliases: CVE-2020-5421 GHSA-rv39-3qh7-9v7w |
Improper Input Validation in Spring Framework In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter. |
Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 9 other vulnerabilities. Affected by 9 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-02T12:37:21.560650+00:00 | GitLab Importer | Affected by | VCID-y3uz-etva-sufh | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-core/CVE-2020-5421.yml | 38.0.0 |
| 2026-04-01T15:56:58.828772+00:00 | GHSA Importer | Affected by | VCID-qpxj-fzta-v7bs | https://github.com/advisories/GHSA-v596-fwhq-8x48 | 38.0.0 |
| 2026-04-01T12:47:58.895511+00:00 | GitLab Importer | Affected by | VCID-j3wr-npbv-8qcw | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-core/CVE-2016-9878.yml | 38.0.0 |
| 2026-04-01T12:47:37.485331+00:00 | GitLab Importer | Affected by | VCID-qpxj-fzta-v7bs | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-core/CVE-2018-1199.yml | 38.0.0 |