Search for packages
| purl | pkg:maven/org.springframework/spring-webmvc@3.2.4.RELEASE |
| Next non-vulnerable version | 5.2.20.RELEASE |
| Latest non-vulnerable version | 7.0.6 |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-53gt-nbgk-hyc2
Aliases: CVE-2014-3578 GHSA-rhcg-rwhx-qj3j |
Directory traversal vulnerability in Pivotal Spring Framework 3.x before 3.2.9 and 4.0 before 4.0.5 allows remote attackers to read arbitrary files via a crafted URL. |
Affected by 6 other vulnerabilities. Affected by 5 other vulnerabilities. |
|
VCID-9v66-xp9z-8kea
Aliases: CVE-2014-3625 GHSA-hhm4-hwq6-3c6w |
Directory traversal vulnerability in Pivotal Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x before 4.0.8, and 4.1.x before 4.1.2 allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling. |
Affected by 0 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-ajex-5x84-8ygb
Aliases: CVE-2014-1904 GHSA-ff7p-jqjm-v66h |
Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action. |
Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-cyjt-4vjn-mbc7
Aliases: CVE-2022-22965 GHSA-36p3-wjmg-h94x GMS-2022-558 GMS-2022-559 GMS-2022-560 GMS-2022-561 |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in org.springframework.boot:spring-boot-starter-webflux. |
Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-fv26-nhx4-dqd3
Aliases: CVE-2018-1271 GHSA-g8hw-794c-4j9g |
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack. |
Affected by 3 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-j3wr-npbv-8qcw
Aliases: CVE-2016-9878 GHSA-2m8h-fgr8-2q9w |
An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks. |
Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 1 other vulnerability. Affected by 4 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 5 other vulnerabilities. |
|
VCID-pb7f-yasx-17ag
Aliases: CVE-2018-1272 GHSA-4487-x383-qpph |
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles. |
Affected by 3 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-r384-aque-vqcw
Aliases: CVE-2014-0225 GHSA-f93f-g33r-8pcp |
When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack. |
Affected by 0 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 5 other vulnerabilities. |
|
VCID-vkf8-5z5m-wqc7
Aliases: CVE-2014-0054 GHSA-8cmm-qj8g-fcp6 |
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429. |
Affected by 0 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-y3uz-etva-sufh
Aliases: CVE-2020-5421 GHSA-rv39-3qh7-9v7w |
Improper Input Validation in Spring Framework In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter. |
Affected by 4 other vulnerabilities. Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||