| purl | pkg:maven/org.springframework.boot/spring-boot@2.5.10 |

| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-5btf-rv13-jucn (aliases: CVE-2026-40973, GHSA-wwpq-f5c3-7hvx) | A local attacker on the same host as the application may be able to take control of the directory used by `ApplicationTemp`. When `server.servlet.session.persistent` is set to `true` and the attack persists across application restarts, this may allow the attacker to read session information and hijack authenticated users or deploy a gadget chain and execute code as the application's user. Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); predictable temp directory / `ApplicationTemp` ownership verification. Versions that are no longer supported are also affected per vendor advisory. | Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-amhw-mxxc-auev (aliases: CVE-2025-22235, GHSA-rc42-6c7j-7h5r) | `EndpointRequest.to()` creates a matcher for `null/**` if the actuator endpoint, for which the `EndpointRequest` has been created, is disabled or not exposed. Your application may be affected by this if all of the following conditions are met: you use Spring Security; `EndpointRequest.to()` has been used in a Spring Security chain configuration; the endpoint which `EndpointRequest` references is disabled or not exposed via web; and your application handles requests to `/null` and this path needs protection. You are not affected if any of the following is true: you don't use Spring Security; you don't use `EndpointRequest.to()`; the endpoint which `EndpointRequest.to()` refers to is enabled and is exposed; or your application does not handle requests to `/null`, or this path does not need protection. | Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
| VCID-atys-z3yr-nyaf (aliases: CVE-2023-34055, GHSA-jjfh-589g-3hjx) | | Affected by 2 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. |
| VCID-n3z8-z3gf-zydq (aliases: CVE-2022-22965, GHSA-36p3-wjmg-h94x, GMS-2022-558, GMS-2022-559, GMS-2022-560, GMS-2022-561) | A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it. | Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. |

| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-12T22:14:22.360689+00:00 | GitLab Importer | Affected by | VCID-5btf-rv13-jucn | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.boot/spring-boot/CVE-2026-40973.yml | 38.6.0 |
| 2026-06-12T20:00:23.591475+00:00 | GitLab Importer | Affected by | VCID-amhw-mxxc-auev | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.boot/spring-boot/CVE-2025-22235.yml | 38.6.0 |
| 2026-06-12T19:12:05.928043+00:00 | GitLab Importer | Affected by | VCID-atys-z3yr-nyaf | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.boot/spring-boot/CVE-2023-34055.yml | 38.6.0 |
| 2026-06-12T18:03:50.140956+00:00 | GitLab Importer | Affected by | VCID-n3z8-z3gf-zydq | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.boot/spring-boot/CVE-2022-22965.yml | 38.6.0 |