Skip to content

spring-boot-2.7.5.jar: 8 vulnerabilities (highest severity is: 9.8) [master] (reachable) #24

Open
Open
spring-boot-2.7.5.jar: 8 vulnerabilities (highest severity is: 9.8) [master] (reachable)#24
@mend-developer-platform-dev

Description

@mend-developer-platform-dev
mend-developer-platform-dev
bot
opened on Sep 28, 2025
📂 Vulnerable Library - spring-boot-2.7.5.jar

Spring Boot

Path to dependency file: /telegrambots-spring-boot-starter/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/boot/spring-boot/2.7.5/spring-boot-2.7.5.jar

Findings

Finding Severity 🎯 CVSS Exploit Maturity EPSS Library Type Fixed in Remediation Available Reachability
CVE-780011-81885 🟣 Critical 9.8 N/A N/A spring-expression-5.3.23.jar Transitive N/A
CVE-2018-1196 🔴 High 8.2 Not Defined < 1% spring-boot-2.7.5.jar Direct 1.5.10.RELEASE Reachable
CVE-2018-1271 🔴 High 8.2 Not Defined 91.2% spring-core-5.3.23.jar Transitive N/A Reachable
CVE-2018-1257 🔴 High 7.1 Not Defined 1.8% spring-core-5.3.23.jar Transitive N/A Reachable
CVE-2023-20861 🔴 High 7.1 Not Defined < 1% spring-expression-5.3.23.jar Transitive N/A Reachable
CVE-2023-20863 🔴 High 7.1 Not Defined < 1% spring-expression-5.3.23.jar Transitive N/A Reachable
CVE-2025-22235 🟠 Medium 5.5 Functional < 1% spring-boot-2.7.5.jar Direct org.springframework.boot:spring-boot-actuator-autoconfigure:3.4.5,org.springframework.boot:spring-boot:3.3.11,org.springframework.boot:spring-boot:3.4.5,org.springframework.boot:spring-boot-actuator-autoconfigure:3.3.11,https://github.com/spring-projects/spring-boot.git - v3.3.11,https://github.com/spring-projects/spring-boot.git - v3.4.5
CVE-2024-38820 🟡 Low 2.3 Not Defined < 1% spring-core-5.3.23.jar Transitive N/A

Details

🟣CVE-780011-81885

Vulnerable Library - spring-expression-5.3.23.jar

Spring Expression Language (SpEL)

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /telegrambots-spring-boot-starter/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.3.23/spring-expression-5.3.23.jar

Dependency Hierarchy:

  • spring-boot-2.7.5.jar (Root Library)
    • spring-context-5.3.23.jar
      • spring-expression-5.3.23.jar (Vulnerable Library)

Vulnerability Details

Created automatically by the test suite

Publish Date: Jun 07, 2010 05:12 PM

URL: CVE-780011-81885

Threat Assessment

Exploit Maturity:N/A

EPSS:N/A

Score: 9.8

Suggested Fix

Type: Upgrade version

Origin:

Release Date:

Fix Resolution :

🔴CVE-2018-1196

Vulnerable Library - spring-boot-2.7.5.jar

Spring Boot

Library home page: https://spring.io/projects/spring-boot

Path to dependency file: /telegrambots-spring-boot-starter/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/boot/spring-boot/2.7.5/spring-boot-2.7.5.jar

Dependency Hierarchy:

  • spring-boot-2.7.5.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- org.telegram.telegrambots.starter.TelegramBotStarterConfiguration (Application)
    - org.springframework.context.annotation.Bean (Extension)
        - org.springframework.beans.factory.annotation.Autowire (Extension)
            - org.springframework.beans.factory.config.AutowireCapableBeanFactory (Extension)
                - org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory$AutowireByTypeDependencyDescriptor (Extension)
                    - org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory (Extension)
                        - org.springframework.beans.factory.annotation.QualifierAnnotationAutowireCandidateResolver (Extension)
                            - org.springframework.test.web.servlet.setup.StubWebApplicationContext$StubBeanFactory (Extension)
                                - org.springframework.test.context.testng.AbstractTransactionalTestNGSpringContextTests (Extension)
                                    - org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext (Extension)
                                        -> ❌ org.springframework.boot.availability.AvailabilityChangeEvent (Vulnerable Component)

Vulnerability Details

Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d linux service. The script included with Spring Boot 1.5.9 and earlier and 2.0.0.M1 through 2.0.0.M7 is susceptible to a symlink attack which allows the "run_user" to overwrite and take ownership of any file on the same system. In order to instigate the attack, the application must be installed as a service and the "run_user" requires shell access to the server. Spring Boot application that are not installed as a service, or are not using the embedded launch script are not susceptible.

Publish Date: Mar 19, 2018 06:00 PM

URL: CVE-2018-1196

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 8.2

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1196

Release Date: Mar 19, 2018 06:00 PM

Fix Resolution : 1.5.10.RELEASE

🔴CVE-2018-1271

Vulnerable Library - spring-core-5.3.23.jar

Spring Core

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /telegrambots-spring-boot-starter/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/5.3.23/spring-core-5.3.23.jar

Dependency Hierarchy:

  • spring-boot-2.7.5.jar (Root Library)
    • spring-core-5.3.23.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- org.telegram.telegrambots.starter.TelegramBotStarterConfiguration (Application)
    - org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean (Extension)
        - org.springframework.context.annotation.Conditional (Extension)
            - org.springframework.context.annotation.Condition (Extension)
                - org.springframework.context.annotation.ConditionContext (Extension)
                    - org.springframework.beans.factory.support.BeanDefinitionRegistry (Extension)
                        - org.springframework.beans.factory.config.BeanDefinition (Extension)
                            - org.springframework.core.ResolvableType (Extension)
                                - org.springframework.util.ConcurrentReferenceHashMap (Extension)
                                    -> ❌ org.springframework.util.ConcurrentReferenceHashMap$Task (Vulnerable Component)

Vulnerability Details

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.

Publish Date: Apr 06, 2018 01:00 PM

URL: CVE-2018-1271

Threat Assessment

Exploit Maturity:Not Defined

EPSS:91.2%

Score: 8.2

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1271

Release Date: Apr 06, 2018 01:00 PM

Fix Resolution : org.springframework:spring-webflux:5.0.5.RELEASE,org.springframework:spring-webmvc:4.3.15.RELEASE,5.0.5.RELEASE

🔴CVE-2018-1257

Vulnerable Library - spring-core-5.3.23.jar

Spring Core

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /telegrambots-spring-boot-starter/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/5.3.23/spring-core-5.3.23.jar

Dependency Hierarchy:

  • spring-boot-2.7.5.jar (Root Library)
    • spring-core-5.3.23.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- org.telegram.telegrambots.starter.TelegramBotStarterConfiguration (Application)
    - org.springframework.boot.autoconfigure.condition.ConditionalOnProperty (Extension)
        - org.springframework.boot.autoconfigure.condition.OnPropertyCondition (Extension)
            - org.springframework.boot.autoconfigure.condition.SpringBootCondition (Extension)
                - org.springframework.beans.factory.config.ConfigurableListableBeanFactory (Extension)
                    - org.springframework.beans.factory.support.DefaultListableBeanFactory$DependencyObjectProvider (Extension)
                        - org.springframework.beans.factory.xml.XmlBeanFactory (Extension)
                            - org.springframework.beans.factory.xml.XmlBeanDefinitionReader (Extension)
                                - org.springframework.beans.factory.support.AbstractBeanDefinitionReader (Extension)
                                    - org.springframework.core.io.support.PathMatchingResourcePatternResolver (Extension)
                                        - org.springframework.util.AntPathMatcher (Extension)
                                            -> ❌ org.springframework.util.AntPathMatcher$PathSeparatorPatternCache (Vulnerable Component)

Vulnerability Details

Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack.

Publish Date: May 11, 2018 08:00 PM

URL: CVE-2018-1257

Threat Assessment

Exploit Maturity:Not Defined

EPSS:1.8%

Score: 7.1

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-1257

Release Date: May 11, 2018 08:00 PM

Fix Resolution : 5.0.6,4.3.17

🔴CVE-2023-20861

Vulnerable Library - spring-expression-5.3.23.jar

Spring Expression Language (SpEL)

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /telegrambots-spring-boot-starter/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.3.23/spring-expression-5.3.23.jar

Dependency Hierarchy:

  • spring-boot-2.7.5.jar (Root Library)
    • spring-context-5.3.23.jar
      • spring-expression-5.3.23.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- org.telegram.telegrambots.starter.TelegramBotStarterConfiguration (Application)
    - org.springframework.context.annotation.Bean (Extension)
        - org.springframework.beans.factory.annotation.Autowire (Extension)
            - org.springframework.beans.factory.config.AutowireCapableBeanFactory (Extension)
                - org.springframework.beans.factory.support.DefaultListableBeanFactory$BeanObjectProvider (Extension)
                    - org.springframework.beans.factory.support.DefaultListableBeanFactory (Extension)
                        - org.springframework.beans.factory.annotation.QualifierAnnotationAutowireCandidateResolver (Extension)
                            - org.springframework.context.annotation.ConfigurationClassBeanDefinitionReader$ConfigurationClassBeanDefinition (Extension)
                                - org.springframework.context.annotation.ConfigurationClassBeanDefinitionReader (Extension)
                                    - org.springframework.context.annotation.AnnotationConfigUtils (Extension)
                                        - org.springframework.context.support.GenericGroovyApplicationContext (Extension)
                                            - org.springframework.context.support.AbstractApplicationContext (Extension)
                                                - org.springframework.context.expression.StandardBeanExpressionResolver (Extension)
                                                    - org.springframework.expression.spel.standard.SpelExpressionParser (Extension)
                                                        - org.springframework.expression.spel.standard.InternalSpelExpressionParser (Extension)
                                                            -> ❌ org.springframework.expression.spel.ast.OperatorMatches (Vulnerable Component)

Vulnerability Details

In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

Publish Date: Mar 23, 2023 12:00 AM

URL: CVE-2023-20861

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 7.1

Suggested Fix

Type: Upgrade version

Origin: GHSA-564r-hj7v-mcr5

Release Date: Mar 23, 2023 12:00 AM

Fix Resolution : org.springframework:spring-expression:5.2.23.RELEASE,org.springframework:spring-expression:6.0.7,org.springframework:spring-expression:5.3.26

🔴CVE-2023-20863

Vulnerable Library - spring-expression-5.3.23.jar

Spring Expression Language (SpEL)

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /telegrambots-spring-boot-starter/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.3.23/spring-expression-5.3.23.jar

Dependency Hierarchy:

  • spring-boot-2.7.5.jar (Root Library)
    • spring-context-5.3.23.jar
      • spring-expression-5.3.23.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- org.telegram.telegrambots.starter.TelegramBotStarterConfiguration (Application)
    - org.springframework.context.annotation.Bean (Extension)
        - org.springframework.beans.factory.annotation.Autowire (Extension)
            - org.springframework.beans.factory.config.AutowireCapableBeanFactory (Extension)
                - org.springframework.beans.factory.support.BeanDefinitionOverrideException (Extension)
                    - org.springframework.beans.factory.config.BeanDefinition (Extension)
                        - org.springframework.beans.factory.xml.XmlBeanFactory (Extension)
                            - org.springframework.beans.factory.annotation.QualifierAnnotationAutowireCandidateResolver (Extension)
                                - org.springframework.context.support.GenericApplicationContext$ClassDerivedBeanDefinition (Extension)
                                    - org.springframework.context.support.GenericApplicationContext (Extension)
                                        - org.springframework.context.event.EventListenerMethodProcessor (Extension)
                                            - org.springframework.context.event.EventExpressionEvaluator (Extension)
                                                - org.springframework.expression.spel.standard.SpelExpressionParser (Extension)
                                                    - org.springframework.expression.spel.SpelParseException (Extension)
                                                        -> ❌ org.springframework.expression.spel.SpelMessage (Vulnerable Component)

Vulnerability Details

In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

Publish Date: Apr 13, 2023 12:00 AM

URL: CVE-2023-20863

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 7.1

Suggested Fix

Type: Upgrade version

Origin: GHSA-wxqc-pxw9-g2p8

Release Date: Apr 13, 2023 12:00 AM

Fix Resolution : org.springframework:spring-expression:5.3.27,org.springframework:spring-expression:5.2.24.RELEASE,org.springframework:spring-expression:6.0.8

🟠CVE-2025-22235

Vulnerable Library - spring-boot-2.7.5.jar

Spring Boot

Library home page: https://spring.io/projects/spring-boot

Path to dependency file: /telegrambots-spring-boot-starter/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/boot/spring-boot/2.7.5/spring-boot-2.7.5.jar

Dependency Hierarchy:

  • spring-boot-2.7.5.jar (Vulnerable Library)

Vulnerability Details

In Spring Boot, the EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed.

Publish Date: Apr 28, 2025 07:10 AM

URL: CVE-2025-22235

Threat Assessment

Exploit Maturity:Functional

EPSS:< 1%

Score: 5.5

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2025-22235

Release Date: Apr 24, 2025 09:00 PM

Fix Resolution : org.springframework.boot:spring-boot-actuator-autoconfigure:3.4.5,org.springframework.boot:spring-boot:3.3.11,org.springframework.boot:spring-boot:3.4.5,org.springframework.boot:spring-boot-actuator-autoconfigure:3.3.11,https://github.com/spring-projects/spring-boot.git - v3.3.11,https://github.com/spring-projects/spring-boot.git - v3.4.5

🟡CVE-2024-38820

Vulnerable Library - spring-core-5.3.23.jar

Spring Core

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /telegrambots-spring-boot-starter/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/5.3.23/spring-core-5.3.23.jar

Dependency Hierarchy:

  • spring-boot-2.7.5.jar (Root Library)
    • spring-core-5.3.23.jar (Vulnerable Library)

Vulnerability Details

The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.

Publish Date: Oct 18, 2024 05:39 AM

URL: CVE-2024-38820

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 2.3

Suggested Fix

Type: Upgrade version

Origin: GHSA-4gc7-5j7h-4qph

Release Date: Oct 18, 2024 05:39 AM

Fix Resolution : org.springframework:spring-context:6.1.14

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions