VulnerableCode Package Details - pkg:maven/org.springframework/spring-web@5.2.14.RELEASE

Search for packages

Vulnerability	Summary	Fixed by
VCID-9as2-tdkt-fkbv Aliases: CVE-2024-38809 GHSA-2rmj-mq67-h97g	Applications that parse ETags from "If-Match" or "If-None-Match" request headers are vulnerable to DoS attack. Users of affected versions should upgrade to the corresponding fixed version. Users of older, unsupported versions could enforce a size limit on "If-Match" and "If-None-Match" headers, e.g. through a Filter.	5.3.38 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 6.0.23 Affected by 0 other vulnerabilities. 6.1.12 Affected by 0 other vulnerabilities.
VCID-hbk6-efuv-yyd3 Aliases: CVE-2024-22262 GHSA-2wrp-6fg6-hmc5	Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22259 https://spring.io/security/cve-2024-22259 and CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.	5.3.34 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 6.0.19 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 6.1.6 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-u6zd-kfvz-xbag Aliases: CVE-2016-1000027 GHSA-4wrc-f8pq-fpqp	Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.	6.0.0 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-9as2-tdkt-fkbv
Aliases:
CVE-2024-38809
GHSA-2rmj-mq67-h97g

Applications that parse ETags from "If-Match" or "If-None-Match" request headers are vulnerable to DoS attack. Users of affected versions should upgrade to the corresponding fixed version. Users of older, unsupported versions could enforce a size limit on "If-Match" and "If-None-Match" headers, e.g. through a Filter.

5.3.38
Affected by 1 other vulnerability.

6.0.23
Affected by 0 other vulnerabilities.

6.1.12
Affected by 0 other vulnerabilities.

VCID-hbk6-efuv-yyd3
Aliases:
CVE-2024-22262
GHSA-2wrp-6fg6-hmc5

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22259 https://spring.io/security/cve-2024-22259 and CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.

5.3.34
Affected by 2 other vulnerabilities.

6.0.19
Affected by 1 other vulnerability.

6.1.6
Affected by 1 other vulnerability.

VCID-u6zd-kfvz-xbag
Aliases:
CVE-2016-1000027
GHSA-4wrc-f8pq-fpqp

Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.

6.0.0
Affected by 4 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-12T19:41:10.199569+00:00	GitLab Importer	Affected by	VCID-9as2-tdkt-fkbv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-web/CVE-2024-38809.yml	38.6.0
2026-06-12T19:25:37.719451+00:00	GitLab Importer	Affected by	VCID-hbk6-efuv-yyd3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-web/CVE-2024-22262.yml	38.6.0
2026-06-12T18:24:19.533349+00:00	GitLab Importer	Affected by	VCID-u6zd-kfvz-xbag	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-web/CVE-2016-1000027.yml	38.6.0