VulnerableCode Package Details - pkg:maven/org.springframework/spring-core@5.0.5.RELEASE

Search for packages

Vulnerability	Summary	Fixed by
VCID-3p1k-4ges-1fev Aliases: CVE-2019-3795 GHSA-v2r2-7qm7-jj6v	Insufficient Entropy in PRNG Spring Security contain an insecure randomness vulnerability when using `SecureRandomFactoryBean#setSeed` to configure a `SecureRandom` instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.	5.0.12.RELEASE Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 5.0.13.RELEASE Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 5.1.5.RELEASE Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 5.1.6.RELEASE Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-fra1-reqm-kfdb Aliases: CVE-2020-5421 GHSA-rv39-3qh7-9v7w	Remote file disclosure In Spring Framework the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.	5.0.18.RELEASE Affected by 0 other vulnerabilities. 5.0.19.RELEASE Affected by 0 other vulnerabilities. 5.1.17.RELEASE Affected by 0 other vulnerabilities. 5.1.18.RELEASE Affected by 0 other vulnerabilities. 5.2.8.RELEASE Affected by 0 other vulnerabilities. 5.2.9.RELEASE Affected by 0 other vulnerabilities.
VCID-jasw-zntp-nkdd Aliases: CVE-2018-1258 GHSA-cxrj-66c5-9fmh	Incorrect Authorization Spring Framework when used in combination with Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.	5.0.6.RELEASE Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-3p1k-4ges-1fev
Aliases:
CVE-2019-3795
GHSA-v2r2-7qm7-jj6v

Insufficient Entropy in PRNG Spring Security contain an insecure randomness vulnerability when using `SecureRandomFactoryBean#setSeed` to configure a `SecureRandom` instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.

5.0.12.RELEASE
Affected by 1 other vulnerability.

5.0.13.RELEASE
Affected by 1 other vulnerability.

5.1.5.RELEASE
Affected by 1 other vulnerability.

5.1.6.RELEASE
Affected by 1 other vulnerability.

VCID-fra1-reqm-kfdb
Aliases:
CVE-2020-5421
GHSA-rv39-3qh7-9v7w

Remote file disclosure In Spring Framework the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.

5.0.18.RELEASE
Affected by 0 other vulnerabilities.

5.0.19.RELEASE
Affected by 0 other vulnerabilities.

5.1.17.RELEASE
Affected by 0 other vulnerabilities.

5.1.18.RELEASE
Affected by 0 other vulnerabilities.

5.2.8.RELEASE
Affected by 0 other vulnerabilities.

5.2.9.RELEASE
Affected by 0 other vulnerabilities.

VCID-jasw-zntp-nkdd
Aliases:
CVE-2018-1258
GHSA-cxrj-66c5-9fmh

Incorrect Authorization Spring Framework when used in combination with Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.

5.0.6.RELEASE
Affected by 2 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-2327-21sr-mfgx	Improper Privilege Management When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.	CVE-2018-1272 GHSA-4487-x383-qpph
VCID-72ga-q9u7-sfav	Improperly Implemented Security Check for Standard Spring Framework allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.	CVE-2018-1275 GHSA-3rmv-2pg5-xvqj

Vulnerability

Summary

Aliases

VCID-2327-21sr-mfgx

Improper Privilege Management When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.

CVE-2018-1272
GHSA-4487-x383-qpph

VCID-72ga-q9u7-sfav

Improperly Implemented Security Check for Standard Spring Framework allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

CVE-2018-1275
GHSA-3rmv-2pg5-xvqj

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-04T20:39:06.752865+00:00	GitLab Importer	Affected by	VCID-fra1-reqm-kfdb	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-core/CVE-2020-5421.yml	38.6.0
2026-06-04T20:20:33.701151+00:00	GitLab Importer	Affected by	VCID-3p1k-4ges-1fev	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-core/CVE-2019-3795.yml	38.6.0
2026-06-04T20:16:04.144481+00:00	GitLab Importer	Fixing	VCID-72ga-q9u7-sfav	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-core/CVE-2018-1275.yml	38.6.0
2026-06-04T20:16:00.111795+00:00	GitLab Importer	Fixing	VCID-2327-21sr-mfgx	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-core/CVE-2018-1272.yml	38.6.0
2026-06-04T18:23:33.106527+00:00	GHSA Importer	Affected by	VCID-jasw-zntp-nkdd	https://github.com/advisories/GHSA-cxrj-66c5-9fmh	38.6.0
2026-06-04T17:38:35.104702+00:00	GithubOSV Importer	Affected by	VCID-jasw-zntp-nkdd	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-cxrj-66c5-9fmh/GHSA-cxrj-66c5-9fmh.json	38.6.0
2026-06-02T04:37:41.499922+00:00	GitLab Importer	Affected by	VCID-jasw-zntp-nkdd	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-core/CVE-2018-1258.yml	38.6.0