Description
Vulnerable Library - spring-beans-5.0.7.RELEASE.jar
Spring Beans
Library home page: http://projects.spring.io/spring-framework
Path to vulnerable library: /target/owaspSecurityShepherd/WEB-INF/lib/spring-beans-5.0.7.RELEASE.jar
Found in HEAD commit: d036c7c5d23c484d9f8c12b1cc9fbbb1b20e6338
Vulnerabilities
| Vulnerability | Severity | Dependency | Type | Fixed in (spring-beans version) | Remediation Possible** |
|---|---|---|---|---|---|
| CVE-2022-22965 | 9.8 | spring-beans-5.0.7.RELEASE.jar | Direct | 5.2.20.RELEASE | ❌ |
| CVE-2025-41242 | 5.9 | spring-beans-5.0.7.RELEASE.jar | Direct | https://github.com/spring-projects/spring-framework.git - v6.2.10,org.springframework:spring-beans:6.2.10 | ❌ |
| CVE-2022-22970 | 5.3 | spring-beans-5.0.7.RELEASE.jar | Direct | 5.2.22.RELEASE | ❌ |
\*\*In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Details
CVE-2022-22965
Vulnerable Library - spring-beans-5.0.7.RELEASE.jar
Spring Beans
Library home page: http://projects.spring.io/spring-framework
Path to vulnerable library: /target/owaspSecurityShepherd/WEB-INF/lib/spring-beans-5.0.7.RELEASE.jar
Dependency Hierarchy:
- ❌ spring-beans-5.0.7.RELEASE.jar (Vulnerable Library)
Found in HEAD commit: d036c7c5d23c484d9f8c12b1cc9fbbb1b20e6338
Found in base branch: dev
Vulnerability Details
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
NOTE: The vulnerability originates in the artifact org.springframework:spring-beans. Other artifacts are also associated due to their relation to the CVE's exploitability. See GHSA-36p3-wjmg-h94x
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2022-04-01
URL: CVE-2022-22965
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
Release Date: 2022-04-01
Fix Resolution: 5.2.20.RELEASE
CVE-2025-41242
Vulnerable Library - spring-beans-5.0.7.RELEASE.jar
Spring Beans
Library home page: http://projects.spring.io/spring-framework
Path to vulnerable library: /target/owaspSecurityShepherd/WEB-INF/lib/spring-beans-5.0.7.RELEASE.jar
Dependency Hierarchy:
- ❌ spring-beans-5.0.7.RELEASE.jar (Vulnerable Library)
Found in HEAD commit: d036c7c5d23c484d9f8c12b1cc9fbbb1b20e6338
Found in base branch: dev
Vulnerability Details
Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container.
An application can be vulnerable when all the following are true:
- the application is deployed as a WAR or with an embedded Servlet container
- the Servlet container does not reject suspicious sequences https://jakarta.ee/specifications/servlet/6.1/jakarta-servlet-spec-6.1.html#uri-path-canonicalization
- the application serves static resources https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.html#page-title with Spring resource handling
We have verified that applications deployed on Apache Tomcat or Eclipse Jetty are not vulnerable, as long as default security features are not disabled in the configuration. Because we cannot check exploits against all Servlet containers and configuration variants, we strongly recommend upgrading your application.
Publish Date: 2025-08-18
URL: CVE-2025-41242
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2025-08-18
Fix Resolution: https://github.com/spring-projects/spring-framework.git - v6.2.10,org.springframework:spring-beans:6.2.10
CVE-2022-22970
Vulnerable Library - spring-beans-5.0.7.RELEASE.jar
Spring Beans
Library home page: http://projects.spring.io/spring-framework
Path to vulnerable library: /target/owaspSecurityShepherd/WEB-INF/lib/spring-beans-5.0.7.RELEASE.jar
Dependency Hierarchy:
- ❌ spring-beans-5.0.7.RELEASE.jar (Vulnerable Library)
Found in HEAD commit: d036c7c5d23c484d9f8c12b1cc9fbbb1b20e6338
Found in base branch: dev
Vulnerability Details
In Spring Framework versions prior to 5.3.20+, 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to a DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.
Publish Date: 2022-05-12
URL: CVE-2022-22970
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2022-22970
Release Date: 2022-05-12
Fix Resolution: 5.2.22.RELEASE