VulnerableCode Package Details - pkg:maven/org.springframework/spring-core@4.3.15.RELEASE

Search for packages

Vulnerability	Summary	Fixed by
VCID-72ga-q9u7-sfav Aliases: CVE-2018-1275 GHSA-3rmv-2pg5-xvqj	Improperly Implemented Security Check for Standard Spring Framework allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.	4.3.16 Affected by 0 other vulnerabilities. 4.3.16.RELEASE Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 5.0.5 Affected by 0 other vulnerabilities. 5.0.5.RELEASE Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-fra1-reqm-kfdb Aliases: CVE-2020-5421 GHSA-rv39-3qh7-9v7w	Remote file disclosure In Spring Framework the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.	4.3.28.RELEASE Affected by 0 other vulnerabilities. 4.3.29.RELEASE Affected by 0 other vulnerabilities. 5.0.18.RELEASE Affected by 0 other vulnerabilities. 5.0.19.RELEASE Affected by 0 other vulnerabilities. 5.1.17.RELEASE Affected by 0 other vulnerabilities. 5.1.18.RELEASE Affected by 0 other vulnerabilities. 5.2.8.RELEASE Affected by 0 other vulnerabilities. 5.2.9.RELEASE Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-72ga-q9u7-sfav
Aliases:
CVE-2018-1275
GHSA-3rmv-2pg5-xvqj

Improperly Implemented Security Check for Standard Spring Framework allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

4.3.16
Affected by 0 other vulnerabilities.

4.3.16.RELEASE
Affected by 1 other vulnerability.

5.0.5
Affected by 0 other vulnerabilities.

5.0.5.RELEASE
Affected by 3 other vulnerabilities.

VCID-fra1-reqm-kfdb
Aliases:
CVE-2020-5421
GHSA-rv39-3qh7-9v7w

Remote file disclosure In Spring Framework the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.

4.3.28.RELEASE
Affected by 0 other vulnerabilities.

4.3.29.RELEASE
Affected by 0 other vulnerabilities.

5.0.18.RELEASE
Affected by 0 other vulnerabilities.

5.0.19.RELEASE
Affected by 0 other vulnerabilities.

5.1.17.RELEASE
Affected by 0 other vulnerabilities.

5.1.18.RELEASE
Affected by 0 other vulnerabilities.

5.2.8.RELEASE
Affected by 0 other vulnerabilities.

5.2.9.RELEASE
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-2327-21sr-mfgx	Improper Privilege Management When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.	CVE-2018-1272 GHSA-4487-x383-qpph

Vulnerability

Summary

Aliases

VCID-2327-21sr-mfgx

Improper Privilege Management When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.

CVE-2018-1272
GHSA-4487-x383-qpph

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-04T20:39:06.659516+00:00	GitLab Importer	Affected by	VCID-fra1-reqm-kfdb	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-core/CVE-2020-5421.yml	38.6.0
2026-06-04T20:16:04.072266+00:00	GitLab Importer	Affected by	VCID-72ga-q9u7-sfav	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-core/CVE-2018-1275.yml	38.6.0
2026-06-04T20:16:00.061772+00:00	GitLab Importer	Fixing	VCID-2327-21sr-mfgx	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-core/CVE-2018-1272.yml	38.6.0