{"url":"http://public2.vulnerablecode.io/api/packages/198403?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@3.2.4.RELEASE","type":"maven","namespace":"org.springframework","name":"spring-webmvc","version":"3.2.4.RELEASE","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"3.2.8","latest_non_vulnerable_version":"7.0.7","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39552?format=json","vulnerability_id":"VCID-2327-21sr-mfgx","summary":"Improper Privilege Management\nWhen Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2018:1320","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2018:1320"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:2669","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2018:2669"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-1272.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-1272.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-1272","reference_id":"","reference_type":"","scores":[{"value":"0.02166","scoring_system":"epss","scoring_elements":"0.84618","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-1272"},{"reference_url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/141286","reference_id":"","reference_type":"","scores":[],"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/141286"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/ab2410c754b67902f002bfcc0c3895bd7772d39","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/ab2410c754b67902f002bfcc0c3895bd7772d39"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/e02ff3a0da50744b0980d5d665fd242eedea767","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/e02ff3a0da50744b0980d5d665fd242eedea767"},{"reference_url":"https://www.oracle.com/security-alerts/cpujul2020.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpuoct2021.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"reference_url":"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"},{"reference_url":"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"},{"reference_url":"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"},{"reference_url":"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"},{"reference_url":"http://www.securityfocus.com/bid/103697","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securityfocus.com/bid/103697"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1564408","reference_id":"1564408","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1564408"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895114","reference_id":"895114","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895114"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1272","reference_id":"CVE-2018-1272","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1272"},{"reference_url":"https://pivotal.io/security/cve-2018-1272","reference_id":"CVE-2018-1272","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://pivotal.io/security/cve-2018-1272"},{"reference_url":"https://github.com/advisories/GHSA-4487-x383-qpph","reference_id":"GHSA-4487-x383-qpph","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4487-x383-qpph"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/55347?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@4.3.15.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dakn-kfyh-syab"},{"vulnerability":"VCID-fra1-reqm-kfdb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@4.3.15.RELEASE"},{"url":"http://public2.vulnerablecode.io/api/packages/55346?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@5.0.5.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dakn-kfyh-syab"},{"vulnerability":"VCID-fra1-reqm-kfdb"},{"vulnerability":"VCID-tsjn-scdc-fqh3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@5.0.5.RELEASE"}],"aliases":["CVE-2018-1272","GHSA-4487-x383-qpph"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2327-21sr-mfgx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37648?format=json","vulnerability_id":"VCID-4ut8-z444-puhf","summary":"Cross-site scripting flaw\nCross-site scripting (XSS) vulnerability in `web/servlet/tags/form/FormTag.java` in Spring MVC in this package allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.","references":[{"reference_url":"http://docs.spring.io/spring/docs/3.2.8.RELEASE/changelog.txt","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://docs.spring.io/spring/docs/3.2.8.RELEASE/changelog.txt"},{"reference_url":"http://rhn.redhat.com/errata/RHSA-2014-0400.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://rhn.redhat.com/errata/RHSA-2014-0400.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-1904.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-1904.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2014-1904","reference_id":"","reference_type":"","scores":[{"value":"0.0181","scoring_system":"epss","scoring_elements":"0.83173","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2014-1904"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0054","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0054"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1904","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1904"},{"reference_url":"http://seclists.org/fulldisclosure/2014/Mar/101","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://seclists.org/fulldisclosure/2014/Mar/101"},{"reference_url":"http://secunia.com/advisories/57915","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://secunia.com/advisories/57915"},{"reference_url":"https://github.com/spring-projects/spring-framework","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/741b4b229ae032bd17175b46f98673ce0bd2d485","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/741b4b229ae032bd17175b46f98673ce0bd2d485"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/75e08695a04980dbceae6789364717e9d8764d58","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/spring-projects/spring-framework/commit/75e08695a04980dbceae6789364717e9d8764d58"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/75e08695a04980dbceae6789364717e9d8764d58#diff-5c29d6685335045274d9908c5cd45e45","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/75e08695a04980dbceae6789364717e9d8764d58#diff-5c29d6685335045274d9908c5cd45e45"},{"reference_url":"https://jira.springsource.org/browse/SPR-11426","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://jira.springsource.org/browse/SPR-11426"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2014-1904","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2014-1904"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1075296","reference_id":"1075296","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1075296"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741604","reference_id":"741604","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741604"},{"reference_url":"https://bugzilla.redhat.com/CVE-2014-1904","reference_id":"CVE-2014-1904","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/CVE-2014-1904"},{"reference_url":"http://www.gopivotal.com/security/cve-2014-1904","reference_id":"CVE-2014-1904","reference_type":"","scores":[],"url":"http://www.gopivotal.com/security/cve-2014-1904"},{"reference_url":"https://access.redhat.com/errata/RHSA-2014:0400","reference_id":"RHSA-2014:0400","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2014:0400"},{"reference_url":"https://access.redhat.com/errata/RHSA-2014:0401","reference_id":"RHSA-2014:0401","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2014:0401"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51784?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@3.2.8.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2327-21sr-mfgx"},{"vulnerability":"VCID-envb-buqd-r3dt"},{"vulnerability":"VCID-fra1-reqm-kfdb"},{"vulnerability":"VCID-kvhz-7nfu-2kdx"},{"vulnerability":"VCID-tj95-xfgu-pya7"},{"vulnerability":"VCID-vgyx-gshk-tbcx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@3.2.8.RELEASE"},{"url":"http://public2.vulnerablecode.io/api/packages/51785?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@4.0.2.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2327-21sr-mfgx"},{"vulnerability":"VCID-envb-buqd-r3dt"},{"vulnerability":"VCID-fra1-reqm-kfdb"},{"vulnerability":"VCID-kvhz-7nfu-2kdx"},{"vulnerability":"VCID-tj95-xfgu-pya7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@4.0.2.RELEASE"}],"aliases":["CVE-2014-1904","GHSA-ff7p-jqjm-v66h"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4ut8-z444-puhf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/39553?format=json","vulnerability_id":"VCID-envb-buqd-r3dt","summary":"Path Traversal\nSpring Framework allows applications to configure Spring MVC to serve static resources (e.g., CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the `ServletContext`), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2018:1320","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2018:1320"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:2669","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2018:2669"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:2939","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2018:2939"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-1271.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-1271.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-1271","reference_id":"","reference_type":"","scores":[{"value":"0.90996","scoring_system":"epss","scoring_elements":"0.99651","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-1271"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/0e28bee0f155b9bf240b4bafc4646e4810cb23f","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/spring-projects/spring-framework/commit/0e28bee0f155b9bf240b4bafc4646e4810cb23f"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/0e28bee0f155b9bf240b4bafc4646e4810cb23f8","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/0e28bee0f155b9bf240b4bafc4646e4810cb23f8"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/13356a7ee2240f740737c5c83bdccdacc30603a","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/spring-projects/spring-framework/commit/13356a7ee2240f740737c5c83bdccdacc30603a"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/13356a7ee2240f740737c5c83bdccdacc30603ab","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/13356a7ee2240f740737c5c83bdccdacc30603ab"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/695bf2961feffd35b5560ccc982a2189dcca611","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/spring-projects/spring-framework/commit/695bf2961feffd35b5560ccc982a2189dcca611"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/695bf2961feffd35b5560ccc982a2189dcca611f","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/695bf2961feffd35b5560ccc982a2189dcca611f"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/91b803a2310344d925e5d4b1709bbcea9037554","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/spring-projects/spring-framework/commit/91b803a2310344d925e5d4b1709bbcea9037554"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/91b803a2310344d925e5d4b1709bbcea90375548","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/91b803a2310344d925e5d4b1709bbcea90375548"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/98ad23bef8e2e04143f8f5b201380543a8d8c0c","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/spring-projects/spring-framework/commit/98ad23bef8e2e04143f8f5b201380543a8d8c0c"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/98ad23bef8e2e04143f8f5b201380543a8d8c0c3","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/98ad23bef8e2e04143f8f5b201380543a8d8c0c3"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/b9ebdaaf3710db473a2e1fec8641c316483a22a","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/spring-projects/spring-framework/commit/b9ebdaaf3710db473a2e1fec8641c316483a22a"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/b9ebdaaf3710db473a2e1fec8641c316483a22aa","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/b9ebdaaf3710db473a2e1fec8641c316483a22aa"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/f046a066eceefa0799d1bc89bd6e1318f39bdf69","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/f046a066eceefa0799d1bc89bd6e1318f39bdf69"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/f59ea610dfcf55cd0b42f6dd76a9b3dab0218aa","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/spring-projects/spring-framework/commit/f59ea610dfcf55cd0b42f6dd76a9b3dab0218aa"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/f59ea610dfcf55cd0b42f6dd76a9b3dab0218aaa","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/f59ea610dfcf55cd0b42f6dd76a9b3dab0218aaa"},{"reference_url":"https://www.oracle.com/security-alerts/cpujul2020.html","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpuoct2021.html","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"reference_url":"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"},{"reference_url":"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"},{"reference_url":"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"},{"reference_url":"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"},{"reference_url":"http://www.securityfocus.com/bid/103699","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securityfocus.com/bid/103699"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1571050","reference_id":"1571050","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1571050"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1271","reference_id":"CVE-2018-1271","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1271"},{"reference_url":"https://pivotal.io/security/cve-2018-1271","reference_id":"CVE-2018-1271","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://pivotal.io/security/cve-2018-1271"},{"reference_url":"https://github.com/advisories/GHSA-g8hw-794c-4j9g","reference_id":"GHSA-g8hw-794c-4j9g","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g8hw-794c-4j9g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/55347?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@4.3.15.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dakn-kfyh-syab"},{"vulnerability":"VCID-fra1-reqm-kfdb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@4.3.15.RELEASE"},{"url":"http://public2.vulnerablecode.io/api/packages/55346?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@5.0.5.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dakn-kfyh-syab"},{"vulnerability":"VCID-fra1-reqm-kfdb"},{"vulnerability":"VCID-tsjn-scdc-fqh3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@5.0.5.RELEASE"}],"aliases":["CVE-2018-1271","GHSA-g8hw-794c-4j9g"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-envb-buqd-r3dt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/53648?format=json","vulnerability_id":"VCID-fra1-reqm-kfdb","summary":"Remote file disclosure\nIn Spring Framework the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-5421.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-5421.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-5421","reference_id":"","reference_type":"","scores":[{"value":"0.63828","scoring_system":"epss","scoring_elements":"0.98444","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-5421"},{"reference_url":"https://lists.apache.org/thread.html/r1c679c43fa4f7846d748a937955c7921436d1b315445978254442163@%3Ccommits.ambari.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r1c679c43fa4f7846d748a937955c7921436d1b315445978254442163@%3Ccommits.ambari.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r1eccdbd7986618a7319ee7a533bd9d9bf6e8678e59dd4cca9b5b2d7a@%3Cissues.ambari.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r1eccdbd7986618a7319ee7a533bd9d9bf6e8678e59dd4cca9b5b2d7a@%3Cissues.ambari.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r3589ed0d18edeb79028615080d5a0e8878856436bb91774a3196d9eb@%3Ccommits.pulsar.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r3589ed0d18edeb79028615080d5a0e8878856436bb91774a3196d9eb@%3Ccommits.pulsar.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r503e64b43a57fd68229cac4a869d1a9a2eac9e75f8719cad3a840211@%3Ccommits.pulsar.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r503e64b43a57fd68229cac4a869d1a9a2eac9e75f8719cad3a840211@%3Ccommits.pulsar.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r5c95eff679dfc642e9e4ab5ac6d202248a59cb1e9457cfbe8b729ac5@%3Cissues.ambari.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r5c95eff679dfc642e9e4ab5ac6d202248a59cb1e9457cfbe8b729ac5@%3Cissues.ambari.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r7e6a213eea7f04fc6d9e3bd6eb8d68c4df92a22e956e95cb2c482865@%3Cissues.hive.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r7e6a213eea7f04fc6d9e3bd6eb8d68c4df92a22e956e95cb2c482865@%3Cissues.hive.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r8b496b1743d128e6861ee0ed3c3c48cc56c505b38f84fa5baf7ae33a@%3Cdev.ambari.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r8b496b1743d128e6861ee0ed3c3c48cc56c505b38f84fa5baf7ae33a@%3Cdev.ambari.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r918caad55dcc640a16753b00d8d6acb90b4e36de4b6156d0867246ec@%3Ccommits.pulsar.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r918caad55dcc640a16753b00d8d6acb90b4e36de4b6156d0867246ec@%3Ccommits.pulsar.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r9f13cccb214495e14648d2c9b8f2c6072fd5219e74502dd35ede81e1@%3Cdev.ambari.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r9f13cccb214495e14648d2c9b8f2c6072fd5219e74502dd35ede81e1@%3Cdev.ambari.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/ra889d95141059c6cbe77dd80249bb488ae53b274b5f3abad09d9511d@%3Cuser.ignite.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/ra889d95141059c6cbe77dd80249bb488ae53b274b5f3abad09d9511d@%3Cuser.ignite.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/raf7ca57033e537e4f9d7df7f192fa6968c1e49409b2348e08d807ccb@%3Cuser.ignite.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/raf7ca57033e537e4f9d7df7f192fa6968c1e49409b2348e08d807ccb@%3Cuser.ignite.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rb18ed999153ef0f0cb7af03efe0046c42c7242fd77fbd884a75ecfdc@%3Ccommits.pulsar.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rb18ed999153ef0f0cb7af03efe0046c42c7242fd77fbd884a75ecfdc@%3Ccommits.pulsar.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rc9efaf6db98bee19db1bc911d0fa442287dac5cb229d4aaa08b6a13d@%3Cissues.hive.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rc9efaf6db98bee19db1bc911d0fa442287dac5cb229d4aaa08b6a13d@%3Cissues.hive.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rd462a8b0dfab4c15e67c0672cd3c211ecd0e4f018f824082ed54f665@%3Cissues.hive.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rd462a8b0dfab4c15e67c0672cd3c211ecd0e4f018f824082ed54f665@%3Cissues.hive.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/re014a49d77f038ba70e5e9934d400af6653e8c9ac110d32b1254127e@%3Cdev.ranger.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/re014a49d77f038ba70e5e9934d400af6653e8c9ac110d32b1254127e@%3Cdev.ranger.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rf00d8f4101a1c1ea4de6ea1e09ddf7472cfd306745c90d6da87ae074@%3Cdev.hive.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rf00d8f4101a1c1ea4de6ea1e09ddf7472cfd306745c90d6da87ae074@%3Cdev.hive.apache.org%3E"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210513-0009","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210513-0009"},{"reference_url":"https://www.oracle.com/security-alerts/cpuApr2021.html","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpuapr2022.html","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujan2021.html","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujan2022.html","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"reference_url":"https://www.oracle.com//security-alerts/cpujul2021.html","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpuoct2021.html","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1881158","reference_id":"1881158","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1881158"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=973381","reference_id":"973381","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=973381"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5421","reference_id":"CVE-2020-5421","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5421"},{"reference_url":"https://tanzu.vmware.com/security/cve-2020-5421","reference_id":"CVE-2020-5421","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://tanzu.vmware.com/security/cve-2020-5421"},{"reference_url":"https://github.com/advisories/GHSA-rv39-3qh7-9v7w","reference_id":"GHSA-rv39-3qh7-9v7w","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-rv39-3qh7-9v7w"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3140","reference_id":"RHSA-2021:3140","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3140"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/55343?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2327-21sr-mfgx"},{"vulnerability":"VCID-dakn-kfyh-syab"},{"vulnerability":"VCID-envb-buqd-r3dt"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE"},{"url":"http://public2.vulnerablecode.io/api/packages/273074?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@4.3.28.RELEASE","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@4.3.28.RELEASE"},{"url":"http://public2.vulnerablecode.io/api/packages/78777?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@4.3.29.RELEASE","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@4.3.29.RELEASE"},{"url":"http://public2.vulnerablecode.io/api/packages/273076?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@5.0.18.RELEASE","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@5.0.18.RELEASE"},{"url":"http://public2.vulnerablecode.io/api/packages/78778?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@5.0.19.RELEASE","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@5.0.19.RELEASE"},{"url":"http://public2.vulnerablecode.io/api/packages/273079?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@5.1.17.RELEASE","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@5.1.17.RELEASE"},{"url":"http://public2.vulnerablecode.io/api/packages/78779?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@5.1.18.RELEASE","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@5.1.18.RELEASE"},{"url":"http://public2.vulnerablecode.io/api/packages/273084?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@5.2.8.RELEASE","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@5.2.8.RELEASE"},{"url":"http://public2.vulnerablecode.io/api/packages/78780?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@5.2.9.RELEASE","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@5.2.9.RELEASE"}],"aliases":["CVE-2020-5421","GHSA-rv39-3qh7-9v7w"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fra1-reqm-kfdb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37664?format=json","vulnerability_id":"VCID-hb8j-4quw-fyhy","summary":"XML External Entities\nThis package does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.","references":[{"reference_url":"http://rhn.redhat.com/errata/RHSA-2014-0400.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://rhn.redhat.com/errata/RHSA-2014-0400.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-0054.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-0054.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2014-0054","reference_id":"","reference_type":"","scores":[{"value":"0.02548","scoring_system":"epss","scoring_elements":"0.85755","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2014-0054"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0054","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0054"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1904","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1904"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/1a8629d40825c073b6863ae2ab748b647b28506a","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/1a8629d40825c073b6863ae2ab748b647b28506a"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/1c5cab2a4069ec3239c531d741aeb07a434f521b","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/1c5cab2a4069ec3239c531d741aeb07a434f521b"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/edba32b3093703d5e9ed42b5b8ec23ecc1998398","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/edba32b3093703d5e9ed42b5b8ec23ecc1998398"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/fb0683c066e74e9667d6cd8c5fa01f674c68c3be","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/fb0683c066e74e9667d6cd8c5fa01f674c68c3be"},{"reference_url":"https://github.com/spring-projects/spring-framework/issues/16003","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/issues/16003"},{"reference_url":"https://jira.spring.io/browse/SPR-11376","reference_id":"","reference_type":"","scores":[],"url":"https://jira.spring.io/browse/SPR-11376"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2014-0054","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2014-0054"},{"reference_url":"http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0054","reference_id":"","reference_type":"","scores":[],"url":"http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0054"},{"reference_url":"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1075328","reference_id":"1075328","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1075328"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741604","reference_id":"741604","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741604"},{"reference_url":"http://www.pivotal.io/security/cve-2014-0054","reference_id":"CVE-2014-0054","reference_type":"","scores":[],"url":"http://www.pivotal.io/security/cve-2014-0054"},{"reference_url":"https://access.redhat.com/errata/RHSA-2014:0400","reference_id":"RHSA-2014:0400","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2014:0400"},{"reference_url":"https://access.redhat.com/errata/RHSA-2014:0401","reference_id":"RHSA-2014:0401","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2014:0401"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/62634?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@3.2.8","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@3.2.8"},{"url":"http://public2.vulnerablecode.io/api/packages/51784?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@3.2.8.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2327-21sr-mfgx"},{"vulnerability":"VCID-envb-buqd-r3dt"},{"vulnerability":"VCID-fra1-reqm-kfdb"},{"vulnerability":"VCID-kvhz-7nfu-2kdx"},{"vulnerability":"VCID-tj95-xfgu-pya7"},{"vulnerability":"VCID-vgyx-gshk-tbcx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@3.2.8.RELEASE"},{"url":"http://public2.vulnerablecode.io/api/packages/150446?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@4.0.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@4.0.2"},{"url":"http://public2.vulnerablecode.io/api/packages/51785?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@4.0.2.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2327-21sr-mfgx"},{"vulnerability":"VCID-envb-buqd-r3dt"},{"vulnerability":"VCID-fra1-reqm-kfdb"},{"vulnerability":"VCID-kvhz-7nfu-2kdx"},{"vulnerability":"VCID-tj95-xfgu-pya7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@4.0.2.RELEASE"}],"aliases":["CVE-2014-0054","GHSA-8cmm-qj8g-fcp6"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hb8j-4quw-fyhy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37811?format=json","vulnerability_id":"VCID-kvhz-7nfu-2kdx","summary":"Directory traversal flaw\nDirectory traversal vulnerability in this package allows remote attackers to read arbitrary files via a crafted URL.","references":[{"reference_url":"http://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000054.html","reference_id":"","reference_type":"","scores":[],"url":"http://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000054.html"},{"reference_url":"http://jvndb.jvn.jp/jvndb/JVNDB-2014-000054","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://jvndb.jvn.jp/jvndb/JVNDB-2014-000054"},{"reference_url":"http://jvn.jp/en/jp/JVN49154900/index.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://jvn.jp/en/jp/JVN49154900/index.html"},{"reference_url":"http://rhn.redhat.com/errata/RHSA-2015-0720.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://rhn.redhat.com/errata/RHSA-2015-0720.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-3578.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-3578.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2014-3578","reference_id":"","reference_type":"","scores":[{"value":"0.04358","scoring_system":"epss","scoring_elements":"0.8913","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2014-3578"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1131882","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1131882"},{"reference_url":"https://github.com/spring-projects/spring-framework","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/748167bfa33c3c69db2d8dbdc3a0e9da692da3a0","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/748167bfa33c3c69db2d8dbdc3a0e9da692da3a0"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/8e096aeef55287dc829484996c9330cf755891a1","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/spring-projects/spring-framework/commit/8e096aeef55287dc829484996c9330cf755891a1"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/8ee465103850a3dca018273fe5952e40d5c45a66","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/8ee465103850a3dca018273fe5952e40d5c45a66"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/c6503ebbf7c9e21ff022c58706dbac5417b2b5eb","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/spring-projects/spring-framework/commit/c6503ebbf7c9e21ff022c58706dbac5417b2b5eb"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/f6fddeb6eb7da625fd711ab371ff16512f431e8d","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/f6fddeb6eb7da625fd711ab371ff16512f431e8d"},{"reference_url":"https://github.com/spring-projects/spring-framework/issues/16414","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/issues/16414"},{"reference_url":"https://jira.spring.io/browse/SPR-12354","reference_id":"","reference_type":"","scores":[],"url":"https://jira.spring.io/browse/SPR-12354"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html"},{"reference_url":"https://rhn.redhat.com/errata/RHSA-2015-0234.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://rhn.redhat.com/errata/RHSA-2015-0234.html"},{"reference_url":"https://rhn.redhat.com/errata/RHSA-2015-0235.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://rhn.redhat.com/errata/RHSA-2015-0235.html"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=760733","reference_id":"760733","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=760733"},{"reference_url":"http://pivotal.io/security/cve-2014-3578","reference_id":"CVE-2014-3578","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://pivotal.io/security/cve-2014-3578"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2014-3578","reference_id":"CVE-2014-3578","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2014-3578"},{"reference_url":"http://www.pivotal.io/security/cve-2014-3578","reference_id":"CVE-2014-3578","reference_type":"","scores":[],"url":"http://www.pivotal.io/security/cve-2014-3578"},{"reference_url":"https://github.com/advisories/GHSA-rhcg-rwhx-qj3j","reference_id":"GHSA-rhcg-rwhx-qj3j","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-rhcg-rwhx-qj3j"},{"reference_url":"https://access.redhat.com/errata/RHSA-2015:0234","reference_id":"RHSA-2015:0234","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2015:0234"},{"reference_url":"https://access.redhat.com/errata/RHSA-2015:0235","reference_id":"RHSA-2015:0235","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2015:0235"},{"reference_url":"https://access.redhat.com/errata/RHSA-2015:0675","reference_id":"RHSA-2015:0675","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2015:0675"},{"reference_url":"https://access.redhat.com/errata/RHSA-2015:0720","reference_id":"RHSA-2015:0720","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2015:0720"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52179?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@3.2.9.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2327-21sr-mfgx"},{"vulnerability":"VCID-envb-buqd-r3dt"},{"vulnerability":"VCID-fra1-reqm-kfdb"},{"vulnerability":"VCID-tj95-xfgu-pya7"},{"vulnerability":"VCID-vgyx-gshk-tbcx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@3.2.9.RELEASE"},{"url":"http://public2.vulnerablecode.io/api/packages/52180?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@4.0.5.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2327-21sr-mfgx"},{"vulnerability":"VCID-envb-buqd-r3dt"},{"vulnerability":"VCID-fra1-reqm-kfdb"},{"vulnerability":"VCID-tj95-xfgu-pya7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@4.0.5.RELEASE"}],"aliases":["CVE-2014-3578","GHSA-rhcg-rwhx-qj3j"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kvhz-7nfu-2kdx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37776?format=json","vulnerability_id":"VCID-tj95-xfgu-pya7","summary":"Directory traversal flaw\nDirectory traversal vulnerability in this package allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling.","references":[{"reference_url":"http://rhn.redhat.com/errata/RHSA-2015-0236.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://rhn.redhat.com/errata/RHSA-2015-0236.html"},{"reference_url":"http://rhn.redhat.com/errata/RHSA-2015-0720.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://rhn.redhat.com/errata/RHSA-2015-0720.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-3625.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-3625.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2014-3625","reference_id":"","reference_type":"","scores":[{"value":"0.16987","scoring_system":"epss","scoring_elements":"0.951","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2014-3625"},{"reference_url":"https://github.com/spring-projects/spring-framework","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/161d3e3049f129e211f68a4e94b544e0f0d8384d","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/161d3e3049f129e211f68a4e94b544e0f0d8384d"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/3f68cd633f03370d33c2603a6496e81273782601","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/3f68cd633f03370d33c2603a6496e81273782601"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/9beae9ae4226c45cd428035dae81214439324676","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/9beae9ae4226c45cd428035dae81214439324676"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/9cef8e3001ddd61c734281a7556efd84b6cc2755","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/9cef8e3001ddd61c734281a7556efd84b6cc2755"},{"reference_url":"https://jira.spring.io/browse/SPR-12354","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://jira.spring.io/browse/SPR-12354"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2014-3625","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2014-3625"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1165936","reference_id":"1165936","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1165936"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769698","reference_id":"769698","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769698"},{"reference_url":"https://bugzilla.redhat.com/CVE-2014-3625","reference_id":"CVE-2014-3625","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/CVE-2014-3625"},{"reference_url":"http://www.pivotal.io/security/cve-2014-3625","reference_id":"CVE-2014-3625","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.pivotal.io/security/cve-2014-3625"},{"reference_url":"https://access.redhat.com/errata/RHSA-2015:0234","reference_id":"RHSA-2015:0234","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2015:0234"},{"reference_url":"https://access.redhat.com/errata/RHSA-2015:0235","reference_id":"RHSA-2015:0235","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2015:0235"},{"reference_url":"https://access.redhat.com/errata/RHSA-2015:0236","reference_id":"RHSA-2015:0236","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2015:0236"},{"reference_url":"https://access.redhat.com/errata/RHSA-2015:0720","reference_id":"RHSA-2015:0720","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2015:0720"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/155984?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@3.2.12","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@3.2.12"},{"url":"http://public2.vulnerablecode.io/api/packages/52078?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@3.2.12.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2327-21sr-mfgx"},{"vulnerability":"VCID-envb-buqd-r3dt"},{"vulnerability":"VCID-fra1-reqm-kfdb"},{"vulnerability":"VCID-vgyx-gshk-tbcx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@3.2.12.RELEASE"},{"url":"http://public2.vulnerablecode.io/api/packages/155987?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@4.0.8","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@4.0.8"},{"url":"http://public2.vulnerablecode.io/api/packages/52079?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@4.0.8.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2327-21sr-mfgx"},{"vulnerability":"VCID-envb-buqd-r3dt"},{"vulnerability":"VCID-fra1-reqm-kfdb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@4.0.8.RELEASE"},{"url":"http://public2.vulnerablecode.io/api/packages/155990?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@4.1.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@4.1.2"},{"url":"http://public2.vulnerablecode.io/api/packages/52080?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@4.1.2.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2327-21sr-mfgx"},{"vulnerability":"VCID-envb-buqd-r3dt"},{"vulnerability":"VCID-fra1-reqm-kfdb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@4.1.2.RELEASE"}],"aliases":["CVE-2014-3625","GHSA-hhm4-hwq6-3c6w"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tj95-xfgu-pya7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38330?format=json","vulnerability_id":"VCID-vgyx-gshk-tbcx","summary":"Path Traversal\nPaths provided to the `ResourceServlet` were not properly sanitized and as a result exposed to directory traversal attacks.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2017:3115","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2017:3115"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-9878.json","reference_id":"","reference_type":"","scores":[{"value":"5.6","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-9878.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-9878","reference_id":"","reference_type":"","scores":[{"value":"0.04927","scoring_system":"epss","scoring_elements":"0.89797","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-9878"},{"reference_url":"https://github.com/spring-projects/spring-framework","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/43bf008fbcd0d7945e2fcd5e30039bc4d74c7a98","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/43bf008fbcd0d7945e2fcd5e30039bc4d74c7a98"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/a7dc48534ea501525f11369d369178a60c2f47d0","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/a7dc48534ea501525f11369d369178a60c2f47d0"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/e2d6e709c3c65a4951eb096843ee75d5200cfcad","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/e2d6e709c3c65a4951eb096843ee75d5200cfcad"},{"reference_url":"https://github.com/spring-projects/spring-framework/issues/19513","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/issues/19513"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html"},{"reference_url":"https://security.netapp.com/advisory/ntap-20180419-0002","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20180419-0002"},{"reference_url":"https://security.netapp.com/advisory/ntap-20180419-0002/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20180419-0002/"},{"reference_url":"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"},{"reference_url":"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"},{"reference_url":"http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"},{"reference_url":"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"},{"reference_url":"http://www.securityfocus.com/bid/95072","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securityfocus.com/bid/95072"},{"reference_url":"http://www.securitytracker.com/id/1040698","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securitytracker.com/id/1040698"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1408164","reference_id":"1408164","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1408164"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849167","reference_id":"849167","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849167"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-9878","reference_id":"CVE-2016-9878","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-9878"},{"reference_url":"https://pivotal.io/security/cve-2016-9878","reference_id":"CVE-2016-9878","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://pivotal.io/security/cve-2016-9878"},{"reference_url":"https://github.com/advisories/GHSA-2m8h-fgr8-2q9w","reference_id":"GHSA-2m8h-fgr8-2q9w","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2m8h-fgr8-2q9w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/143376?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@3.2.18","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@3.2.18"},{"url":"http://public2.vulnerablecode.io/api/packages/53050?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@3.2.18.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2327-21sr-mfgx"},{"vulnerability":"VCID-envb-buqd-r3dt"},{"vulnerability":"VCID-fra1-reqm-kfdb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@3.2.18.RELEASE"},{"url":"http://public2.vulnerablecode.io/api/packages/78771?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@4.2.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-fra1-reqm-kfdb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@4.2.9"},{"url":"http://public2.vulnerablecode.io/api/packages/55343?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2327-21sr-mfgx"},{"vulnerability":"VCID-dakn-kfyh-syab"},{"vulnerability":"VCID-envb-buqd-r3dt"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE"},{"url":"http://public2.vulnerablecode.io/api/packages/53051?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE.4.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@4.2.9.RELEASE.4.2"},{"url":"http://public2.vulnerablecode.io/api/packages/143378?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@4.3.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@4.3.5"},{"url":"http://public2.vulnerablecode.io/api/packages/53052?format=json","purl":"pkg:maven/org.springframework/spring-webmvc@4.3.5.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2327-21sr-mfgx"},{"vulnerability":"VCID-dakn-kfyh-syab"},{"vulnerability":"VCID-envb-buqd-r3dt"},{"vulnerability":"VCID-fra1-reqm-kfdb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@4.3.5.RELEASE"}],"aliases":["CVE-2016-9878","GHSA-2m8h-fgr8-2q9w"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vgyx-gshk-tbcx"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-webmvc@3.2.4.RELEASE"}