Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:maven/org.springframework/spring-web@6.1.0
purl pkg:maven/org.springframework/spring-web@6.1.0
Next non-vulnerable version 6.1.12
Latest non-vulnerable version 6.2.8
Risk 4.0
Vulnerabilities affecting this package (5)
Vulnerability Summary Fixed by
VCID-1rv3-3z83-2yd1
Aliases:
CVE-2024-22262
GHSA-2wrp-6fg6-hmc5
Spring Framework URL Parsing with Host Validation Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html  attack or to a SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22259 https://spring.io/security/cve-2024-22259  and CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.
6.1.6
Affected by 1 other vulnerability.
VCID-7mrx-1x83-uugp
Aliases:
CVE-2024-38809
GHSA-2rmj-mq67-h97g
Spring Framework DoS via conditional HTTP request Applications that parse ETags from `If-Match` or `If-None-Match` request headers are vulnerable to DoS attack.
6.1.12
Affected by 0 other vulnerabilities.
VCID-cgzk-jvtv-tqf3
Aliases:
CVE-2024-38820
GHSA-4gc7-5j7h-4qph
Spring Framework DataBinder Case Sensitive Match Exception The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.
6.1.14
Affected by 0 other vulnerabilities.
VCID-e1rm-xg49-uqd6
Aliases:
CVE-2024-22243
GHSA-ccgv-vj62-xf9h
Spring Web vulnerable to Open Redirect or Server Side Request Forgery Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect attack or to a SSRF attack if the URL is used after passing validation checks.
6.1.4
Affected by 2 other vulnerabilities.
VCID-pnme-zmz2-2ubh
Aliases:
CVE-2024-22259
GHSA-hgjh-9rj2-g67j
Spring Framework URL Parsing with Host Validation Vulnerability Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html  attack or to a SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22243 https://spring.io/security/cve-2024-22243, but with different input.
6.1.5
Affected by 2 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-05T21:50:18.672142+00:00 GHSA Importer Affected by VCID-cgzk-jvtv-tqf3 https://github.com/advisories/GHSA-4gc7-5j7h-4qph 38.6.0
2026-06-05T21:48:58.973508+00:00 GHSA Importer Affected by VCID-7mrx-1x83-uugp https://github.com/advisories/GHSA-2rmj-mq67-h97g 38.6.0
2026-06-05T21:41:52.332690+00:00 GHSA Importer Affected by VCID-1rv3-3z83-2yd1 https://github.com/advisories/GHSA-2wrp-6fg6-hmc5 38.6.0
2026-06-05T21:41:10.843206+00:00 GHSA Importer Affected by VCID-pnme-zmz2-2ubh https://github.com/advisories/GHSA-hgjh-9rj2-g67j 38.6.0
2026-06-05T21:40:38.670944+00:00 GHSA Importer Affected by VCID-e1rm-xg49-uqd6 https://github.com/advisories/GHSA-ccgv-vj62-xf9h 38.6.0
2026-06-04T16:22:18.941205+00:00 GitLab Importer Affected by VCID-7mrx-1x83-uugp https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-web/CVE-2024-38809.yml 38.6.0
2026-06-02T04:47:36.737502+00:00 GitLab Importer Affected by VCID-1rv3-3z83-2yd1 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework/spring-web/CVE-2024-22262.yml 38.6.0