VulnerableCode Package Details - pkg:maven/org.springframework/spring-web@6.0.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-1rv3-3z83-2yd1 Aliases: CVE-2024-22262 GHSA-2wrp-6fg6-hmc5	Spring Framework URL Parsing with Host Validation Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22259 https://spring.io/security/cve-2024-22259 and CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.	6.0.19 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 6.1.6 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-7mrx-1x83-uugp Aliases: CVE-2024-38809 GHSA-2rmj-mq67-h97g	Spring Framework DoS via conditional HTTP request Applications that parse ETags from `If-Match` or `If-None-Match` request headers are vulnerable to DoS attack.	6.0.23 Affected by 0 other vulnerabilities. 6.1.12 Affected by 0 other vulnerabilities.
VCID-cgzk-jvtv-tqf3 Aliases: CVE-2024-38820 GHSA-4gc7-5j7h-4qph	Spring Framework DataBinder Case Sensitive Match Exception The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.	6.1.14 Affected by 0 other vulnerabilities.
VCID-e1rm-xg49-uqd6 Aliases: CVE-2024-22243 GHSA-ccgv-vj62-xf9h	Spring Web vulnerable to Open Redirect or Server Side Request Forgery Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect attack or to a SSRF attack if the URL is used after passing validation checks.	6.0.17 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 6.1.4 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-pnme-zmz2-2ubh Aliases: CVE-2024-22259 GHSA-hgjh-9rj2-g67j	Spring Framework URL Parsing with Host Validation Vulnerability Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22243 https://spring.io/security/cve-2024-22243, but with different input.	6.0.18 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 6.1.5 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-1rv3-3z83-2yd1
Aliases:
CVE-2024-22262
GHSA-2wrp-6fg6-hmc5

Spring Framework URL Parsing with Host Validation Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22259 https://spring.io/security/cve-2024-22259 and CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.

6.0.19
Affected by 1 other vulnerability.

6.1.6
Affected by 1 other vulnerability.

VCID-7mrx-1x83-uugp
Aliases:
CVE-2024-38809
GHSA-2rmj-mq67-h97g

Spring Framework DoS via conditional HTTP request Applications that parse ETags from `If-Match` or `If-None-Match` request headers are vulnerable to DoS attack.

6.0.23
Affected by 0 other vulnerabilities.

6.1.12
Affected by 0 other vulnerabilities.

VCID-cgzk-jvtv-tqf3
Aliases:
CVE-2024-38820
GHSA-4gc7-5j7h-4qph

Spring Framework DataBinder Case Sensitive Match Exception The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.

6.1.14
Affected by 0 other vulnerabilities.

VCID-e1rm-xg49-uqd6
Aliases:
CVE-2024-22243
GHSA-ccgv-vj62-xf9h

Spring Web vulnerable to Open Redirect or Server Side Request Forgery Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect attack or to a SSRF attack if the URL is used after passing validation checks.

6.0.17
Affected by 2 other vulnerabilities.

6.1.4
Affected by 2 other vulnerabilities.

VCID-pnme-zmz2-2ubh
Aliases:
CVE-2024-22259
GHSA-hgjh-9rj2-g67j

Spring Framework URL Parsing with Host Validation Vulnerability Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22243 https://spring.io/security/cve-2024-22243, but with different input.

6.0.18
Affected by 2 other vulnerabilities.

6.1.5
Affected by 2 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-kcma-n11h-q7ft	Deserialization of Untrusted Data Pivotal Spring Framework suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required.	CVE-2016-1000027 GHSA-4wrc-f8pq-fpqp

Vulnerability

Summary

Aliases

VCID-kcma-n11h-q7ft

Deserialization of Untrusted Data Pivotal Spring Framework suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required.

CVE-2016-1000027
GHSA-4wrc-f8pq-fpqp

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-05T21:50:19.337069+00:00	GHSA Importer	Affected by	VCID-cgzk-jvtv-tqf3	https://github.com/advisories/GHSA-4gc7-5j7h-4qph	38.6.0
2026-06-05T21:48:58.727013+00:00	GHSA Importer	Affected by	VCID-7mrx-1x83-uugp	https://github.com/advisories/GHSA-2rmj-mq67-h97g	38.6.0
2026-06-05T21:41:52.409231+00:00	GHSA Importer	Affected by	VCID-1rv3-3z83-2yd1	https://github.com/advisories/GHSA-2wrp-6fg6-hmc5	38.6.0
2026-06-05T21:41:10.764258+00:00	GHSA Importer	Affected by	VCID-pnme-zmz2-2ubh	https://github.com/advisories/GHSA-hgjh-9rj2-g67j	38.6.0
2026-06-05T21:40:38.591014+00:00	GHSA Importer	Affected by	VCID-e1rm-xg49-uqd6	https://github.com/advisories/GHSA-ccgv-vj62-xf9h	38.6.0
2026-06-05T17:11:00.933677+00:00	GitLab Importer	Fixing	VCID-kcma-n11h-q7ft	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-web/CVE-2016-1000027.yml	38.6.0
2026-06-04T17:56:39.313013+00:00	GithubOSV Importer	Fixing	VCID-kcma-n11h-q7ft	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-4wrc-f8pq-fpqp/GHSA-4wrc-f8pq-fpqp.json	38.6.0
2026-06-04T16:22:18.939448+00:00	GitLab Importer	Affected by	VCID-7mrx-1x83-uugp	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-web/CVE-2024-38809.yml	38.6.0
2026-06-02T04:47:36.732554+00:00	GitLab Importer	Affected by	VCID-1rv3-3z83-2yd1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-web/CVE-2024-22262.yml	38.6.0