Search for packages
| purl | pkg:maven/org.springframework/spring-core@4.3.20.RELEASE |
| Next non-vulnerable version | 5.2.24.RELEASE |
| Latest non-vulnerable version | 6.2.11 |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-6ysx-5wcw-f7b5
Aliases: CVE-2023-20863 GHSA-wxqc-pxw9-g2p8 |
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') In spring framework versions prior to 5.2.24 release+,5.3.27+ and 6.0.8+, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition. |
Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-c74k-e1me-pfb2
Aliases: CVE-2022-22968 GHSA-g5mm-vmx4-3rg7 |
Improper Handling of Case Sensitivity In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path. |
Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 5 other vulnerabilities. |
|
VCID-cyjt-4vjn-mbc7
Aliases: CVE-2022-22965 GHSA-36p3-wjmg-h94x GMS-2022-558 GMS-2022-559 GMS-2022-560 GMS-2022-561 |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in org.springframework.boot:spring-boot-starter-webflux. |
Affected by 0 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-k17s-ttg2-ubgj
Aliases: CVE-2022-22971 GHSA-rqph-vqwm-22vc |
Allocation of Resources Without Limits or Throttling In spring framework versions prior to 5.3.20+, 5.2.22+ and old unsupported versions, application with a STOMP over WebSocket endpoint is vulnerable to a denial of service attack by an authenticated user. |
Affected by 2 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-w6br-v2gm-j7gr
Aliases: CVE-2022-22970 GHSA-hh26-6xwr-ggv7 |
Allocation of Resources Without Limits or Throttling In spring framework versions prior to 5.3.20+, 5.2.22+ and old unsupported versions, applications that handle file uploads is vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object. |
Affected by 2 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-y3uz-etva-sufh
Aliases: CVE-2020-5421 GHSA-rv39-3qh7-9v7w |
Improper Input Validation in Spring Framework In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter. |
Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 9 other vulnerabilities. Affected by 9 other vulnerabilities. |
|
VCID-z3th-j593-m7bg
Aliases: CVE-2023-20861 GHSA-564r-hj7v-mcr5 |
Spring Framework vulnerable to denial of service via specially crafted SpEL expression In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition. |
Affected by 1 other vulnerability. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-pht6-8af8-b3f2 | Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable. |
CVE-2018-15756
GHSA-ffvq-7w96-97p7 |