Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.springframework/spring-web@6.0.5
Type maven
Namespace org.springframework
Name spring-web
Version 6.0.5
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 6.1.12
Latest_non_vulnerable_version 6.2.8
Affected_by_vulnerabilities
0
url VCID-1rv3-3z83-2yd1
vulnerability_id VCID-1rv3-3z83-2yd1
summary
Spring Framework URL Parsing with Host Validation
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is used after passing validation checks.

This is the same as CVE-2024-22259 (https://spring.io/security/cve-2024-22259) and CVE-2024-22243 (https://spring.io/security/cve-2024-22243), but with different input.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-22262.json
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-22262.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-22262
reference_id
reference_type
scores
0
value 0.12634
scoring_system epss
scoring_elements 0.94108
published_at 2026-06-08T12:55:00Z
1
value 0.12634
scoring_system epss
scoring_elements 0.94113
published_at 2026-06-09T12:55:00Z
2
value 0.12634
scoring_system epss
scoring_elements 0.94107
published_at 2026-06-06T12:55:00Z
3
value 0.12634
scoring_system epss
scoring_elements 0.94109
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-22262
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22262
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22262
3
reference_url https://github.com/spring-projects/spring-framework
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/spring-projects/spring-framework
4
reference_url https://github.com/spring-projects/spring-framework/blob/main/spring-web/src/main/java/org/springframework/web/util/UriComponentsBuilder.java
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/spring-projects/spring-framework/blob/main/spring-web/src/main/java/org/springframework/web/util/UriComponentsBuilder.java
5
reference_url https://security.netapp.com/advisory/ntap-20240524-0003
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20240524-0003
6
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2275257
reference_id 2275257
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2275257
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-22262
reference_id CVE-2024-22262
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-22262
8
reference_url https://spring.io/security/cve-2024-22262
reference_id CVE-2024-22262
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-27T03:55:13Z/
url https://spring.io/security/cve-2024-22262
9
reference_url https://github.com/advisories/GHSA-2wrp-6fg6-hmc5
reference_id GHSA-2wrp-6fg6-hmc5
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-2wrp-6fg6-hmc5
10
reference_url https://security.netapp.com/advisory/ntap-20240524-0003/
reference_id ntap-20240524-0003
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-27T03:55:13Z/
url https://security.netapp.com/advisory/ntap-20240524-0003/
11
reference_url https://access.redhat.com/errata/RHSA-2024:3708
reference_id RHSA-2024:3708
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3708
fixed_packages
0
url pkg:maven/org.springframework/spring-web@6.0.19
purl pkg:maven/org.springframework/spring-web@6.0.19
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7mrx-1x83-uugp
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-web@6.0.19
1
url pkg:maven/org.springframework/spring-web@6.1.6
purl pkg:maven/org.springframework/spring-web@6.1.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7mrx-1x83-uugp
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-web@6.1.6
aliases CVE-2024-22262, GHSA-2wrp-6fg6-hmc5
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1rv3-3z83-2yd1
1
url VCID-7mrx-1x83-uugp
vulnerability_id VCID-7mrx-1x83-uugp
summary
Spring Framework DoS via conditional HTTP request
Applications that parse ETags from `If-Match` or `If-None-Match` request headers are vulnerable to DoS attack.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-38809.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-38809.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-38809
reference_id
reference_type
scores
0
value 0.0014
scoring_system epss
scoring_elements 0.33873
published_at 2026-06-09T12:55:00Z
1
value 0.0014
scoring_system epss
scoring_elements 0.33847
published_at 2026-06-08T12:55:00Z
2
value 0.0014
scoring_system epss
scoring_elements 0.33881
published_at 2026-06-07T12:55:00Z
3
value 0.0014
scoring_system epss
scoring_elements 0.33916
published_at 2026-06-06T12:55:00Z
4
value 0.0014
scoring_system epss
scoring_elements 0.33901
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-38809
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38809
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38809
3
reference_url https://github.com/spring-projects/spring-framework
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/spring-projects/spring-framework
4
reference_url https://github.com/spring-projects/spring-framework/commit/582bfccbb72e5c8959a0b472d1dc7d03a20520f3
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/spring-projects/spring-framework/commit/582bfccbb72e5c8959a0b472d1dc7d03a20520f3
5
reference_url https://github.com/spring-projects/spring-framework/commit/8d16a50907c11f7e6b407d878a26e84eba08a533
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/spring-projects/spring-framework/commit/8d16a50907c11f7e6b407d878a26e84eba08a533
6
reference_url https://github.com/spring-projects/spring-framework/commit/bb17ad8314b81850a939fd265fb53b3361705e85
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/spring-projects/spring-framework/commit/bb17ad8314b81850a939fd265fb53b3361705e85
7
reference_url https://github.com/spring-projects/spring-framework/issues/33372
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/spring-projects/spring-framework/issues/33372
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2314495
reference_id 2314495
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2314495
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-38809
reference_id CVE-2024-38809
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-38809
10
reference_url https://spring.io/security/cve-2024-38809
reference_id CVE-2024-38809
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-27T18:49:57Z/
url https://spring.io/security/cve-2024-38809
11
reference_url https://github.com/advisories/GHSA-2rmj-mq67-h97g
reference_id GHSA-2rmj-mq67-h97g
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-2rmj-mq67-h97g
12
reference_url https://access.redhat.com/errata/RHSA-2024:8064
reference_id RHSA-2024:8064
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:8064
fixed_packages
0
url pkg:maven/org.springframework/spring-web@6.0.23
purl pkg:maven/org.springframework/spring-web@6.0.23
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-jeeg-btw1-5yaq
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-web@6.0.23
1
url pkg:maven/org.springframework/spring-web@6.1.12
purl pkg:maven/org.springframework/spring-web@6.1.12
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-web@6.1.12
aliases CVE-2024-38809, GHSA-2rmj-mq67-h97g
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7mrx-1x83-uugp
2
url VCID-jeeg-btw1-5yaq
vulnerability_id VCID-jeeg-btw1-5yaq
summary
Spring Framework vulnerable to a reflected file download (RFD)
In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a “Content-Disposition” header with a non-ASCII charset, where the filename attribute is derived from user-supplied input.

Specifically, an application is vulnerable when all the following are true:

- The header is prepared with `org.springframework.http.ContentDisposition`.
- The filename is set via `ContentDisposition.Builder#filename(String, Charset)`.
- The value for the filename is derived from user-supplied input.
- The application does not sanitize the user-supplied input.
- The downloaded content of the response is injected with malicious commands by the attacker (see RFD paper reference for details).

An application is not vulnerable if any of the following is true:

- The application does not set a “Content-Disposition” response header.
- The header is not prepared with `org.springframework.http.ContentDisposition`.
- The filename is set via one of:
  - `ContentDisposition.Builder#filename(String)`, or
  - `ContentDisposition.Builder#filename(String, ASCII)`
- The filename is not derived from user-supplied input.
- The filename is derived from user-supplied input but sanitized by the application.
- The attacker cannot inject malicious content in the downloaded content of the response.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-41234.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-41234.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-41234
reference_id
reference_type
scores
0
value 0.00294
scoring_system epss
scoring_elements 0.53031
published_at 2026-06-05T12:55:00Z
1
value 0.00294
scoring_system epss
scoring_elements 0.52993
published_at 2026-06-08T12:55:00Z
2
value 0.00294
scoring_system epss
scoring_elements 0.53018
published_at 2026-06-09T12:55:00Z
3
value 0.00294
scoring_system epss
scoring_elements 0.53038
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-41234
2
reference_url https://github.com/spring-projects/spring-framework
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/spring-projects/spring-framework
3
reference_url https://github.com/spring-projects/spring-framework/commit/f0e7b42704e6b33958f242d91bd690d6ef7ada9c
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/spring-projects/spring-framework/commit/f0e7b42704e6b33958f242d91bd690d6ef7ada9c
4
reference_url https://github.com/spring-projects/spring-framework/issues/35034
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/spring-projects/spring-framework/issues/35034
5
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2372578
reference_id 2372578
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2372578
6
reference_url https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N&version=3.1
reference_id A:N&version=3.1
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-13T14:03:20Z/
url https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N&version=3.1
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-41234
reference_id CVE-2025-41234
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-13T14:03:20Z/
url https://nvd.nist.gov/vuln/detail/CVE-2025-41234
8
reference_url https://spring.io/security/cve-2025-41234
reference_id CVE-2025-41234
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-13T14:03:20Z/
url https://spring.io/security/cve-2025-41234
9
reference_url https://github.com/advisories/GHSA-6r3c-xf4w-jxjm
reference_id GHSA-6r3c-xf4w-jxjm
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-6r3c-xf4w-jxjm
fixed_packages
0
url pkg:maven/org.springframework/spring-web@6.1.21
purl pkg:maven/org.springframework/spring-web@6.1.21
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-web@6.1.21
1
url pkg:maven/org.springframework/spring-web@6.2.8
purl pkg:maven/org.springframework/spring-web@6.2.8
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-web@6.2.8
aliases CVE-2025-41234, GHSA-6r3c-xf4w-jxjm
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jeeg-btw1-5yaq
Fixing_vulnerabilities
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework/spring-web@6.0.5