Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up
na/

Spring Framework

7 Versions 7 CVEs

Versions

Spring Framework (versions 6.0.0 to 6.0.6 and 5.3.0 to 5.3.25)

OTHER 1 CVE

Spring Framework versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7

OTHER 1 CVE

Spring Framework versions 5.3.X prior to 5.3.17+ and all old and unsupported versions

OTHER 1 CVE

Spring Framework 5.3.0-5.3.13, 5.2.0-5.2.18, and older unsupported versions

OTHER 1 CVE

Spring Framework versions 5.3.0-5.3.18, 5.2.0-5.2.20, and older unsupported versions

OTHER 1 CVE

6.1.0-6.1.11, 6.0.0-6.0.22, 5.3.0-5.3.37

OTHER 1 CVE

Spring Framework 5.3.0-5.3.40, 6.0.0-6.0.24, 6.1.0-6.1.13

OTHER 1 CVE

Recent CVEs

CVE-2024-38819

Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.

HIGH Dec 19, 2024

CVE-2024-38809

Applications that parse ETags from "If-Match" or "If-None-Match" request headers are vulnerable to DoS attack. Users of affected versions should upgrade to the corresponding fixed version. Users of older, unsupported versions could enforce a size limit on "If-Match" and "If-None-Match" headers, e.g. through a Filter.

MEDIUM Sep 27, 2024

CVE-2023-20860

Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.

UNKNOWN Mar 27, 2023

CVE-2022-22968

In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.

UNKNOWN Apr 14, 2022

CVE-2022-22950

n Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.

UNKNOWN Apr 01, 2022

CVE-2021-22060

In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. This is a follow-up to CVE-2021-22096 that protects against additional types of input and in more places of the Spring Framework codebase.

UNKNOWN Jan 07, 2022

CVE-2021-22118

In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with multipart request data.

UNKNOWN May 27, 2021