Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:deb/debian/libspring-java@4.3.5-1
purl pkg:deb/debian/libspring-java@4.3.5-1
Next non-vulnerable version 4.3.30-1
Latest non-vulnerable version 4.3.30-1
Risk
Vulnerabilities affecting this package (8)
Vulnerability Summary Fixed by
VCID-2327-21sr-mfgx
Aliases:
CVE-2018-1272
GHSA-4487-x383-qpph
Improper Privilege Management When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.
4.3.22-4
Affected by 1 other vulnerability.
VCID-dakn-kfyh-syab
Aliases:
CVE-2018-15756
GHSA-ffvq-7w96-97p7
Uncontrolled Resource Consumption Spring Framework provides support for range requests when serving static resources through the `ResourceHttpRequestHandler`. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack.
4.3.22-4
Affected by 1 other vulnerability.
VCID-esxu-3a7m-q7a7
Aliases:
CVE-2018-11039
GHSA-9gcm-f4x3-8jpw
False positive This advisory has been marked as a False Positive and has been removed.
4.3.22-4
Affected by 1 other vulnerability.
VCID-fbxq-3v82-yket
Aliases:
CVE-2018-1257
GHSA-rcpf-vj53-7h2m
Improper Input Validation Spring Framework allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack.
4.3.22-4
Affected by 1 other vulnerability.
VCID-fra1-reqm-kfdb
Aliases:
CVE-2020-5421
GHSA-rv39-3qh7-9v7w
Remote file disclosure In Spring Framework the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
4.3.30-1
Affected by 0 other vulnerabilities.
VCID-h4kj-zdr8-wbdr
Aliases:
CVE-2018-1199
GHSA-v596-fwhq-8x48
Improper Input Validation Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for `getPathInfo()` and some do not. Spring Security uses the value returned by `getPathInfo()` as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed.
4.3.22-4
Affected by 1 other vulnerability.
VCID-haqr-jpvm-eqck
Aliases:
CVE-2018-1270
GHSA-p5hg-3xm3-gcjg
Improper Control of Generation of Code ('Code Injection') Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
4.3.22-4
Affected by 1 other vulnerability.
VCID-m6g1-a6e3-bqbj
Aliases:
CVE-2018-11040
GHSA-f26x-pr96-vw86
Inclusion of Functionality from Untrusted Control Sphere Spring Framework allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through `AbstractJsonpResponseBodyAdvice` for REST controllers and `MappingJackson2JsonView` for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when `MappingJackson2JsonView` is configured in an application, JSONP support is automatically ready to use through the `jsonp` and `callback` JSONP parameters, enabling cross-domain requests.
4.3.22-4
Affected by 1 other vulnerability.
Vulnerabilities fixed by this package (7)
Vulnerability Summary Aliases
VCID-2ke4-ywbk-2qha Improper Input Validation Under some situations, the Spring Framework is vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the response. CVE-2015-5211
GHSA-pgf9-h69p-pcgf
VCID-46dm-5t83-tyh6 Spring Security / MVC Path Matching Inconsistency This package rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences. CVE-2016-5007
GHSA-8crv-49fr-2h6j
VCID-kcma-n11h-q7ft Deserialization of Untrusted Data Pivotal Spring Framework suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. CVE-2016-1000027
GHSA-4wrc-f8pq-fpqp
VCID-kvhz-7nfu-2kdx Directory traversal flaw Directory traversal vulnerability in this package allows remote attackers to read arbitrary files via a crafted URL. CVE-2014-3578
GHSA-rhcg-rwhx-qj3j
VCID-ncq1-u2qu-77ec DoS Attack with XML Input This package do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file. CVE-2015-3192
GHSA-6v7w-535j-rq5m
VCID-tj95-xfgu-pya7 Directory traversal flaw Directory traversal vulnerability in this package allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling. CVE-2014-3625
GHSA-hhm4-hwq6-3c6w
VCID-vgyx-gshk-tbcx Path Traversal Paths provided to the `ResourceServlet` were not properly sanitized and as a result exposed to directory traversal attacks. CVE-2016-9878
GHSA-2m8h-fgr8-2q9w

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-06T03:36:01.150120+00:00 Debian Oval Importer Fixing VCID-kvhz-7nfu-2kdx https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.6.0
2026-06-06T03:29:42.023550+00:00 Debian Oval Importer Fixing VCID-vgyx-gshk-tbcx https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.6.0
2026-06-06T02:52:10.279001+00:00 Debian Oval Importer Fixing VCID-tj95-xfgu-pya7 https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.6.0
2026-06-06T02:48:58.266512+00:00 Debian Oval Importer Affected by VCID-haqr-jpvm-eqck https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.6.0
2026-06-06T02:39:11.595784+00:00 Debian Oval Importer Affected by VCID-fbxq-3v82-yket https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.6.0
2026-06-06T02:25:26.237672+00:00 Debian Oval Importer Fixing VCID-kcma-n11h-q7ft https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.6.0
2026-06-06T02:23:07.041421+00:00 Debian Oval Importer Affected by VCID-h4kj-zdr8-wbdr https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.6.0
2026-06-06T01:47:16.204105+00:00 Debian Oval Importer Fixing VCID-ncq1-u2qu-77ec https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.6.0
2026-06-06T01:25:08.840861+00:00 Debian Oval Importer Affected by VCID-m6g1-a6e3-bqbj https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.6.0
2026-06-06T01:11:32.285767+00:00 Debian Oval Importer Fixing VCID-2ke4-ywbk-2qha https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.6.0
2026-06-06T00:52:41.081293+00:00 Debian Oval Importer Affected by VCID-esxu-3a7m-q7a7 https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.6.0
2026-06-06T00:50:18.761898+00:00 Debian Oval Importer Affected by VCID-fra1-reqm-kfdb https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.6.0
2026-06-06T00:32:39.408714+00:00 Debian Oval Importer Affected by VCID-2327-21sr-mfgx https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.6.0
2026-06-06T00:18:27.404973+00:00 Debian Oval Importer Fixing VCID-46dm-5t83-tyh6 https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.6.0
2026-06-05T23:58:22.345279+00:00 Debian Oval Importer Affected by VCID-dakn-kfyh-syab https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.6.0