Skip to content

spring-web-4.2.0.RELEASE.jar: 20 vulnerabilities (highest severity is: 9.3) [vp-rem] (reachable) #271

Open
Open
spring-web-4.2.0.RELEASE.jar: 20 vulnerabilities (highest severity is: 9.3) [vp-rem] (reachable)#271
@mend-developer-platform-dev

Description

@mend-developer-platform-dev
mend-developer-platform-dev
bot
opened on Sep 28, 2025
📂 Vulnerable Library - spring-web-4.2.0.RELEASE.jar

Spring Web

Library home page: http://projects.spring.io/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/4.2.0.RELEASE/spring-web-4.2.0.RELEASE.jar

Findings

Finding Severity 🎯 CVSS Exploit Maturity EPSS Library Type Fixed in Remediation Available Reachability
CVE-2015-5211 🟣 Critical 9.3 Not Defined 1.9% spring-web-4.2.0.RELEASE.jar Direct org.springframework:spring-web:4.2.2.RELEASE,4.1.8.RELEASE,3.2.15.RELEASE,org.springframework:spring-webmvc:4.2.2.RELEASE,4.1.8.RELEASE,3.2.15.RELEASE,org.springframework:spring-websocket:4.2.2.RELEASE,4.1.8.RELEASE,3.2.15.RELEASE Reachable
CVE-2016-1000027 🟣 Critical 9.3 Not Defined 59.2% spring-web-4.2.0.RELEASE.jar Direct org.springframework:spring-web:6.0.0 Reachable
CVE-2020-5421 🟣 Critical 9.3 Not Defined 63.800003% spring-web-4.2.0.RELEASE.jar Direct org.springframework:spring-web:4.3.29,5.0.19,5.1.18,5.2.9 Reachable
CVE-2022-22965 🟣 Critical 9.3 High 94.4% spring-beans-4.2.0.RELEASE.jar Transitive N/A Reachable
CVE-2018-15756 🔴 High 8.7 Not Defined 5.5% spring-web-4.2.0.RELEASE.jar Direct org.springframework:spring-core:5.0.10.RELEASE,org.springframework:spring-core:5.1.1.RELEASE,org.springframework:spring-core:4.3.20.RELEASE Reachable
CVE-2018-15756 🔴 High 8.7 Not Defined 5.5% spring-core-4.2.0.RELEASE.jar Transitive N/A Reachable
CVE-2018-1271 🔴 High 8.2 Not Defined 91.2% spring-core-4.2.0.RELEASE.jar Transitive N/A
CVE-2018-1272 🔴 High 7.7 Not Defined 1.2% spring-core-4.2.0.RELEASE.jar Transitive N/A Reachable
CVE-2018-1257 🔴 High 7.1 Not Defined 1.8% spring-core-4.2.0.RELEASE.jar Transitive N/A
CVE-2022-22950 🔴 High 7.1 Not Defined 4.1% spring-expression-4.2.0.RELEASE.jar Transitive N/A Reachable
CVE-2023-20861 🔴 High 7.1 Not Defined < 1% spring-expression-4.2.0.RELEASE.jar Transitive N/A Reachable
CVE-2023-20863 🔴 High 7.1 Not Defined < 1% spring-expression-4.2.0.RELEASE.jar Transitive N/A Reachable
CVE-2022-22968 🟠 Medium 6.9 Not Defined 16.2% spring-context-4.2.0.RELEASE.jar Transitive N/A Reachable
CVE-2022-22970 🟠 Medium 6.0 Not Defined < 1% spring-core-4.2.0.RELEASE.jar Transitive N/A Reachable
CVE-2022-22970 🟠 Medium 6.0 Not Defined < 1% spring-beans-4.2.0.RELEASE.jar Transitive N/A Reachable
CVE-2021-22060 🟠 Medium 5.3 Not Defined < 1% spring-core-4.2.0.RELEASE.jar Transitive N/A Reachable
CVE-2021-22096 🟠 Medium 5.3 Not Defined < 1% spring-web-4.2.0.RELEASE.jar Direct N/A Reachable
CVE-2021-22096 🟠 Medium 5.3 Not Defined < 1% spring-core-4.2.0.RELEASE.jar Transitive N/A Reachable
WS-2016-7112 🟠 Medium 4.9 N/A N/A spring-context-4.2.0.RELEASE.jar Transitive N/A Reachable
CVE-2024-38820 🟡 Low 2.3 Not Defined < 1% spring-web-4.2.0.RELEASE.jar Direct org.springframework:spring-context:6.1.14

Details

🟣CVE-2015-5211

Vulnerable Library - spring-web-4.2.0.RELEASE.jar

Spring Web

Library home page: http://projects.spring.io/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/4.2.0.RELEASE/spring-web-4.2.0.RELEASE.jar

Dependency Hierarchy:

  • spring-web-4.2.0.RELEASE.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.service.UserDetailsServiceImpl (Application)
    - org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter$UserDetailsServiceDelegator (Extension)
        - org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder (Extension)
            - org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder$BuildState (Extension)
                - org.springframework.security.config.annotation.web.builders.WebSecurity (Extension)
                    - org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration$1 (Extension)
                        -> ❌ org.springframework.web.accept.PathExtensionContentNegotiationStrategy (Vulnerable Component)

Vulnerability Details

Under some situations, the Spring Framework 4.2.0 to 4.2.1, 4.0.0 to 4.1.7, 3.2.0 to 3.2.14 and older unsupported versions is vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the response.

Publish Date: May 25, 2017 05:00 PM

URL: CVE-2015-5211

Threat Assessment

Exploit Maturity:Not Defined

EPSS:1.9%

Score: 9.3

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5211

Release Date: May 25, 2017 05:00 PM

Fix Resolution : org.springframework:spring-web:4.2.2.RELEASE,4.1.8.RELEASE,3.2.15.RELEASE,org.springframework:spring-webmvc:4.2.2.RELEASE,4.1.8.RELEASE,3.2.15.RELEASE,org.springframework:spring-websocket:4.2.2.RELEASE,4.1.8.RELEASE,3.2.15.RELEASE

🟣CVE-2016-1000027

Vulnerable Library - spring-web-4.2.0.RELEASE.jar

Spring Web

Library home page: http://projects.spring.io/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/4.2.0.RELEASE/spring-web-4.2.0.RELEASE.jar

Dependency Hierarchy:

  • spring-web-4.2.0.RELEASE.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport$NoOpValidator (Extension)
        - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport (Extension)
            - org.springframework.http.converter.ByteArrayHttpMessageConverter (Extension)
                - org.springframework.web.client.AsyncRestTemplate$AsyncRequestCallbackAdapter$1 (Extension)
                    - org.springframework.web.client.AsyncRestTemplate (Extension)
                        -> ❌ org.springframework.http.converter.ObjectToStringHttpMessageConverter (Vulnerable Component)

Vulnerability Details

Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data. After conducting further research, Mend has determined that all versions of spring-web up to version 6.0.0 are vulnerable to CVE-2016-1000027.

Publish Date: Jan 02, 2020 12:00 AM

URL: CVE-2016-1000027

Threat Assessment

Exploit Maturity:Not Defined

EPSS:59.2%

Score: 9.3

Suggested Fix

Type: Upgrade version

Origin: GHSA-4wrc-f8pq-fpqp

Release Date: Jan 02, 2020 12:00 AM

Fix Resolution : org.springframework:spring-web:6.0.0

🟣CVE-2020-5421

Vulnerable Library - spring-web-4.2.0.RELEASE.jar

Spring Web

Library home page: http://projects.spring.io/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/4.2.0.RELEASE/spring-web-4.2.0.RELEASE.jar

Dependency Hierarchy:

  • spring-web-4.2.0.RELEASE.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.web.bind.EscapedErrors (Extension)
        - org.springframework.web.util.HtmlUtils (Extension)
            -> ❌ org.springframework.web.util.WebUtils (Vulnerable Component)

Vulnerability Details

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.

Publish Date: Sep 19, 2020 03:45 AM

URL: CVE-2020-5421

Threat Assessment

Exploit Maturity:Not Defined

EPSS:63.800003%

Score: 9.3

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2020-5421

Release Date: Sep 19, 2020 03:45 AM

Fix Resolution : org.springframework:spring-web:4.3.29,5.0.19,5.1.18,5.2.9

🟣CVE-2022-22965

Vulnerable Library - spring-beans-4.2.0.RELEASE.jar

Spring Beans

Library home page: http://projects.spring.io/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-beans/4.2.0.RELEASE/spring-beans-4.2.0.RELEASE.jar

Dependency Hierarchy:

  • spring-web-4.2.0.RELEASE.jar (Root Library)
    • spring-aop-4.2.0.RELEASE.jar
      • spring-beans-4.2.0.RELEASE.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.controller.UserController (Application)
    - org.springframework.validation.AbstractBindingResult (Extension)
        - org.springframework.validation.DataBinder (Extension)
            - org.springframework.beans.PropertyAccessorUtils (Extension)
                - org.springframework.beans.BeanWrapperImpl (Extension)
                    -> ❌ org.springframework.beans.CachedIntrospectionResults (Vulnerable Component)

Vulnerability Details

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it. Converted from WS-2022-0107, on 2022-11-07.

Publish Date: Apr 01, 2022 10:17 PM

URL: CVE-2022-22965

Threat Assessment

Exploit Maturity:High

EPSS:94.4%

Score: 9.3

Suggested Fix

Type: Upgrade version

Origin: GHSA-36p3-wjmg-h94x

Release Date: Apr 01, 2022 10:17 PM

Fix Resolution : org.springframework:spring-webflux:5.2.20.RELEASE,org.springframework:spring-webflux:5.3.18,org.springframework:spring-webmvc:5.3.18,org.springframework:spring-webmvc:5.2.20.RELEASE,org.springframework:spring-beans:5.2.20.RELEASE,org.springframework.boot:spring-boot-starter-webflux:2.5.12,org.springframework.boot:spring-boot-starter-webflux:2.6.6,org.springframework:spring-beans:5.3.18,org.springframework.boot:spring-boot-starter-web:2.5.12,org.springframework.boot:spring-boot-starter-web:2.6.6

🔴CVE-2018-15756

Vulnerable Library - spring-web-4.2.0.RELEASE.jar

Spring Web

Library home page: http://projects.spring.io/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/4.2.0.RELEASE/spring-web-4.2.0.RELEASE.jar

Dependency Hierarchy:

  • spring-web-4.2.0.RELEASE.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.controller.FileUploadController (Application)
    - org.springframework.web.multipart.support.StandardMultipartHttpServletRequest$StandardMultipartFile (Extension)
        - org.springframework.web.multipart.support.StandardMultipartHttpServletRequest (Extension)
            - org.springframework.http.HttpHeaders (Extension)
                -> ❌ org.springframework.http.HttpRange (Vulnerable Component)

Vulnerability Details

Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.

Publish Date: Oct 18, 2018 10:00 PM

URL: CVE-2018-15756

Threat Assessment

Exploit Maturity:Not Defined

EPSS:5.5%

Score: 8.7

Suggested Fix

Type: Upgrade version

Origin: GHSA-ffvq-7w96-97p7

Release Date: Oct 18, 2018 10:00 PM

Fix Resolution : org.springframework:spring-core:5.0.10.RELEASE,org.springframework:spring-core:5.1.1.RELEASE,org.springframework:spring-core:4.3.20.RELEASE

🔴CVE-2018-15756

Vulnerable Library - spring-core-4.2.0.RELEASE.jar

Spring Core

Library home page: http://projects.spring.io/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/4.2.0.RELEASE/spring-core-4.2.0.RELEASE.jar

Dependency Hierarchy:

  • spring-web-4.2.0.RELEASE.jar (Root Library)
    • spring-aop-4.2.0.RELEASE.jar
      • spring-beans-4.2.0.RELEASE.jar
        • spring-core-4.2.0.RELEASE.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration$1 (Extension)
        - org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration (Extension)
            - org.springframework.messaging.handler.annotation.support.HeaderMethodArgumentResolver (Extension)
                - org.springframework.beans.factory.config.ConfigurableBeanFactory (Extension)
                    - org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor (Extension)
                        - org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredFieldElement (Extension)
                            - org.springframework.beans.factory.support.DefaultListableBeanFactory (Extension)
                                - org.springframework.beans.factory.support.CglibSubclassingInstantiationStrategy (Extension)
                                    - org.springframework.beans.factory.support.CglibSubclassingInstantiationStrategy$CglibSubclassCreator (Extension)
                                        - org.springframework.cglib.proxy.Enhancer (Extension)
                                            - org.springframework.cglib.proxy.MixinBeanEmitter (Extension)
                                                -> ❌ org.springframework.core.type.classreading.RecursiveAnnotationArrayVisitor (Vulnerable Component)

Vulnerability Details

Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.

Publish Date: Oct 18, 2018 10:00 PM

URL: CVE-2018-15756

Threat Assessment

Exploit Maturity:Not Defined

EPSS:5.5%

Score: 8.7

Suggested Fix

Type: Upgrade version

Origin: GHSA-ffvq-7w96-97p7

Release Date: Oct 18, 2018 10:00 PM

Fix Resolution : org.springframework:spring-core:5.0.10.RELEASE,org.springframework:spring-core:5.1.1.RELEASE,org.springframework:spring-core:4.3.20.RELEASE

🔴CVE-2018-1271

Vulnerable Library - spring-core-4.2.0.RELEASE.jar

Spring Core

Library home page: http://projects.spring.io/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/4.2.0.RELEASE/spring-core-4.2.0.RELEASE.jar

Dependency Hierarchy:

  • spring-web-4.2.0.RELEASE.jar (Root Library)
    • spring-aop-4.2.0.RELEASE.jar
      • spring-beans-4.2.0.RELEASE.jar
        • spring-core-4.2.0.RELEASE.jar (Vulnerable Library)

Vulnerability Details

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.

Publish Date: Apr 06, 2018 01:00 PM

URL: CVE-2018-1271

Threat Assessment

Exploit Maturity:Not Defined

EPSS:91.2%

Score: 8.2

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1271

Release Date: Apr 06, 2018 01:00 PM

Fix Resolution : org.springframework:spring-webflux:5.0.5.RELEASE,org.springframework:spring-webmvc:4.3.15.RELEASE,5.0.5.RELEASE

🔴CVE-2018-1272

Vulnerable Library - spring-core-4.2.0.RELEASE.jar

Spring Core

Library home page: http://projects.spring.io/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/4.2.0.RELEASE/spring-core-4.2.0.RELEASE.jar

Dependency Hierarchy:

  • spring-web-4.2.0.RELEASE.jar (Root Library)
    • spring-aop-4.2.0.RELEASE.jar
      • spring-beans-4.2.0.RELEASE.jar
        • spring-core-4.2.0.RELEASE.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration$1 (Extension)
        - org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration (Extension)
            -> ❌ org.springframework.util.MimeTypeUtils (Vulnerable Component)

Vulnerability Details

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.

Publish Date: Apr 06, 2018 01:00 PM

URL: CVE-2018-1272

Threat Assessment

Exploit Maturity:Not Defined

EPSS:1.2%

Score: 7.7

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2018-1272

Release Date: Apr 06, 2018 01:00 PM

Fix Resolution : org.springframework:spring-core:4.3.15.RELEASE,5.0.5.RELEASE;org.springframework:spring-web:4.3.15.RELEASE,5.0.5.RELEASE

🔴CVE-2018-1257

Vulnerable Library - spring-core-4.2.0.RELEASE.jar

Spring Core

Library home page: http://projects.spring.io/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/4.2.0.RELEASE/spring-core-4.2.0.RELEASE.jar

Dependency Hierarchy:

  • spring-web-4.2.0.RELEASE.jar (Root Library)
    • spring-aop-4.2.0.RELEASE.jar
      • spring-beans-4.2.0.RELEASE.jar
        • spring-core-4.2.0.RELEASE.jar (Vulnerable Library)

Vulnerability Details

Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack.

Publish Date: May 11, 2018 08:00 PM

URL: CVE-2018-1257

Threat Assessment

Exploit Maturity:Not Defined

EPSS:1.8%

Score: 7.1

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-1257

Release Date: May 11, 2018 08:00 PM

Fix Resolution : 5.0.6,4.3.17

🔴CVE-2022-22950

Vulnerable Library - spring-expression-4.2.0.RELEASE.jar

Spring Expression Language (SpEL)

Library home page: http://projects.spring.io/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.0.RELEASE/spring-expression-4.2.0.RELEASE.jar

Dependency Hierarchy:

  • spring-web-4.2.0.RELEASE.jar (Root Library)
    • spring-context-4.2.0.RELEASE.jar
      • spring-expression-4.2.0.RELEASE.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport$NoOpValidator (Extension)
        - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport (Extension)
            - org.springframework.web.servlet.handler.AbstractHandlerMapping (Extension)
                - org.springframework.web.context.support.WebApplicationObjectSupport (Extension)
                    - org.springframework.web.context.support.StaticWebApplicationContext (Extension)
                        - org.springframework.context.support.StaticApplicationContext (Extension)
                            - org.springframework.context.event.ApplicationListenerMethodAdapter (Extension)
                                - org.springframework.expression.EvaluationContext (Extension)
                                    - org.springframework.expression.spel.support.StandardTypeComparator (Extension)
                                        -> ❌ org.springframework.expression.spel.SpelMessage (Vulnerable Component)

Vulnerability Details

n Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.

Publish Date: Apr 01, 2022 10:17 PM

URL: CVE-2022-22950

Threat Assessment

Exploit Maturity:Not Defined

EPSS:4.1%

Score: 7.1

Suggested Fix

Type: Upgrade version

Origin: GHSA-558x-2xjg-6232

Release Date: Apr 01, 2022 10:17 PM

Fix Resolution : org.springframework:spring-expression:5.2.20.RELEASE,org.springframework:spring-expression:5.3.17

🔴CVE-2023-20861

Vulnerable Library - spring-expression-4.2.0.RELEASE.jar

Spring Expression Language (SpEL)

Library home page: http://projects.spring.io/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.0.RELEASE/spring-expression-4.2.0.RELEASE.jar

Dependency Hierarchy:

  • spring-web-4.2.0.RELEASE.jar (Root Library)
    • spring-context-4.2.0.RELEASE.jar
      • spring-expression-4.2.0.RELEASE.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.validation.beanvalidation.LocalValidatorFactoryBean (Extension)
        - org.springframework.context.support.AbstractApplicationContext (Extension)
            - org.springframework.context.expression.StandardBeanExpressionResolver (Extension)
                - org.springframework.expression.spel.standard.SpelExpressionParser (Extension)
                    - org.springframework.expression.spel.standard.InternalSpelExpressionParser (Extension)
                        -> ❌ org.springframework.expression.spel.ast.OperatorMatches (Vulnerable Component)

Vulnerability Details

In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

Publish Date: Mar 23, 2023 12:00 AM

URL: CVE-2023-20861

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 7.1

Suggested Fix

Type: Upgrade version

Origin: GHSA-564r-hj7v-mcr5

Release Date: Mar 23, 2023 12:00 AM

Fix Resolution : org.springframework:spring-expression:5.3.26,org.springframework:spring-expression:6.0.7,org.springframework:spring-expression:5.2.23.RELEASE

🔴CVE-2023-20863

Vulnerable Library - spring-expression-4.2.0.RELEASE.jar

Spring Expression Language (SpEL)

Library home page: http://projects.spring.io/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.0.RELEASE/spring-expression-4.2.0.RELEASE.jar

Dependency Hierarchy:

  • spring-web-4.2.0.RELEASE.jar (Root Library)
    • spring-context-4.2.0.RELEASE.jar
      • spring-expression-4.2.0.RELEASE.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport$NoOpValidator (Extension)
        - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport (Extension)
            - org.springframework.web.servlet.handler.AbstractHandlerMapping (Extension)
                - org.springframework.web.context.support.WebApplicationObjectSupport (Extension)
                    - org.springframework.web.context.support.StaticWebApplicationContext (Extension)
                        - org.springframework.context.support.StaticApplicationContext (Extension)
                            - org.springframework.context.event.ApplicationListenerMethodAdapter (Extension)
                                - org.springframework.expression.EvaluationContext (Extension)
                                    - org.springframework.expression.spel.support.StandardTypeComparator (Extension)
                                        -> ❌ org.springframework.expression.spel.SpelMessage (Vulnerable Component)

Vulnerability Details

In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

Publish Date: Apr 13, 2023 12:00 AM

URL: CVE-2023-20863

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 7.1

Suggested Fix

Type: Upgrade version

Origin: GHSA-wxqc-pxw9-g2p8

Release Date: Apr 13, 2023 12:00 AM

Fix Resolution : org.springframework:spring-expression:5.3.27,org.springframework:spring-expression:5.2.24.RELEASE,org.springframework:spring-expression:6.0.8

🟠CVE-2022-22968

Vulnerable Library - spring-context-4.2.0.RELEASE.jar

Spring Context

Library home page: http://projects.spring.io/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-context/4.2.0.RELEASE/spring-context-4.2.0.RELEASE.jar

Dependency Hierarchy:

  • spring-web-4.2.0.RELEASE.jar (Root Library)
    • spring-context-4.2.0.RELEASE.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.controller.UserController (Application)
    - org.springframework.validation.AbstractBindingResult (Extension)
        -> ❌ org.springframework.validation.DataBinder (Vulnerable Component)

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.

Publish Date: Apr 14, 2022 08:05 PM

URL: CVE-2022-22968

Threat Assessment

Exploit Maturity:Not Defined

EPSS:16.2%

Score: 6.9

Suggested Fix

Type: Upgrade version

Origin: GHSA-g5mm-vmx4-3rg7

Release Date: Apr 14, 2022 08:05 PM

Fix Resolution : org.springframework:spring-context:5.2.21.RELEASE,org.springframework:spring-context:5.3.19

🟠CVE-2022-22970

Vulnerable Library - spring-core-4.2.0.RELEASE.jar

Spring Core

Library home page: http://projects.spring.io/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/4.2.0.RELEASE/spring-core-4.2.0.RELEASE.jar

Dependency Hierarchy:

  • spring-web-4.2.0.RELEASE.jar (Root Library)
    • spring-aop-4.2.0.RELEASE.jar
      • spring-beans-4.2.0.RELEASE.jar
        • spring-core-4.2.0.RELEASE.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.validation.beanvalidation.OptionalValidatorFactoryBean (Extension)
        - org.springframework.context.support.ClassPathXmlApplicationContext (Extension)
            - org.springframework.core.env.ConfigurableEnvironment (Extension)
                - org.springframework.core.env.MutablePropertySources (Extension)
                    - org.springframework.core.io.support.ResourcePropertySource (Extension)
                        -> ❌ org.springframework.core.io.AbstractFileResolvingResource (Vulnerable Component)

Vulnerability Details

In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.

Publish Date: May 12, 2022 07:28 PM

URL: CVE-2022-22970

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 6.0

Suggested Fix

Type: Upgrade version

Origin: GHSA-hh26-6xwr-ggv7

Release Date: May 12, 2022 07:28 PM

Fix Resolution : org.springframework:spring-beans:5.2.22.RELEASE,org.springframework:spring-beans:5.3.20

🟠CVE-2022-22970

Vulnerable Library - spring-beans-4.2.0.RELEASE.jar

Spring Beans

Library home page: http://projects.spring.io/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-beans/4.2.0.RELEASE/spring-beans-4.2.0.RELEASE.jar

Dependency Hierarchy:

  • spring-web-4.2.0.RELEASE.jar (Root Library)
    • spring-aop-4.2.0.RELEASE.jar
      • spring-beans-4.2.0.RELEASE.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.controller.UserController (Application)
    - org.springframework.validation.AbstractBindingResult (Extension)
        - org.springframework.validation.DataBinder (Extension)
            - org.springframework.beans.PropertyAccessorUtils (Extension)
                - org.springframework.beans.BeanWrapperImpl (Extension)
                    -> ❌ org.springframework.beans.CachedIntrospectionResults (Vulnerable Component)

Vulnerability Details

In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.

Publish Date: May 12, 2022 07:28 PM

URL: CVE-2022-22970

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 6.0

Suggested Fix

Type: Upgrade version

Origin: GHSA-hh26-6xwr-ggv7

Release Date: May 12, 2022 07:28 PM

Fix Resolution : org.springframework:spring-beans:5.2.22.RELEASE,org.springframework:spring-beans:5.3.20

🟠CVE-2021-22060

Vulnerable Library - spring-core-4.2.0.RELEASE.jar

Spring Core

Library home page: http://projects.spring.io/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/4.2.0.RELEASE/spring-core-4.2.0.RELEASE.jar

Dependency Hierarchy:

  • spring-web-4.2.0.RELEASE.jar (Root Library)
    • spring-aop-4.2.0.RELEASE.jar
      • spring-beans-4.2.0.RELEASE.jar
        • spring-core-4.2.0.RELEASE.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration$1 (Extension)
        - org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration (Extension)
            - org.springframework.context.ApplicationContext (Extension)
                - org.springframework.beans.factory.config.AutowireCapableBeanFactory (Extension)
                    - org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory$AutowireByTypeDependencyDescriptor (Extension)
                        - org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory (Extension)
                            - org.springframework.beans.factory.config.AbstractFactoryBean (Extension)
                                - org.springframework.beans.factory.xml.XmlBeanFactory (Extension)
                                    - org.springframework.beans.factory.support.DefaultListableBeanFactory$FactoryAwareOrderSourceProvider (Extension)
                                        - org.springframework.core.OrderComparator (Extension)
                                            -> ❌ org.springframework.core.OrderComparator$1 (Vulnerable Component)

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. This is a follow-up to CVE-2021-22096 that protects against additional types of input and in more places of the Spring Framework codebase.

Publish Date: Jan 07, 2022 10:39 PM

URL: CVE-2021-22060

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 5.3

Suggested Fix

Type: Upgrade version

Origin: GHSA-6gf2-pvqw-37ph

Release Date: Jan 07, 2022 10:39 PM

Fix Resolution : org.springframework:spring-core:5.3.14

🟠CVE-2021-22096

Vulnerable Library - spring-web-4.2.0.RELEASE.jar

Spring Web

Library home page: http://projects.spring.io/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/4.2.0.RELEASE/spring-web-4.2.0.RELEASE.jar

Dependency Hierarchy:

  • spring-web-4.2.0.RELEASE.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport$NoOpValidator (Extension)
        - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport (Extension)
            - org.springframework.http.converter.StringHttpMessageConverter (Extension)
                - org.springframework.web.client.AsyncRestTemplate$AsyncRequestCallbackAdapter$1 (Extension)
                    - org.springframework.web.client.AsyncRestTemplate (Extension)
                        -> ❌ org.springframework.web.client.DefaultResponseErrorHandler (Vulnerable Component)

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.

Publish Date: Oct 28, 2021 03:22 PM

URL: CVE-2021-22096

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 5.3

Suggested Fix

Type: Upgrade version

Origin:

Release Date:

Fix Resolution :

🟠CVE-2021-22096

Vulnerable Library - spring-core-4.2.0.RELEASE.jar

Spring Core

Library home page: http://projects.spring.io/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/4.2.0.RELEASE/spring-core-4.2.0.RELEASE.jar

Dependency Hierarchy:

  • spring-web-4.2.0.RELEASE.jar (Root Library)
    • spring-aop-4.2.0.RELEASE.jar
      • spring-beans-4.2.0.RELEASE.jar
        • spring-core-4.2.0.RELEASE.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport$NoOpValidator (Extension)
        - org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport (Extension)
            - org.springframework.http.MediaType (Extension)
                -> ❌ org.springframework.util.MimeType (Vulnerable Component)

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.

Publish Date: Oct 28, 2021 03:22 PM

URL: CVE-2021-22096

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 5.3

Suggested Fix

Type: Upgrade version

Origin:

Release Date:

Fix Resolution :

🟠WS-2016-7112

Vulnerable Library - spring-context-4.2.0.RELEASE.jar

Spring Context

Library home page: http://projects.spring.io/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-context/4.2.0.RELEASE/spring-context-4.2.0.RELEASE.jar

Dependency Hierarchy:

  • spring-web-4.2.0.RELEASE.jar (Root Library)
    • spring-context-4.2.0.RELEASE.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.validator.UserValidator (Application)
    - org.springframework.validation.beanvalidation.OptionalValidatorFactoryBean (Extension)
        - org.springframework.context.support.AbstractApplicationContext (Extension)
            - org.springframework.scheduling.annotation.ScheduledAnnotationBeanPostProcessor (Extension)
                - org.springframework.scheduling.support.CronTrigger (Extension)
                    -> ❌ org.springframework.scheduling.support.CronSequenceGenerator (Vulnerable Component)

Vulnerability Details

In Spring Framework, versions 3.0.0.RELEASE through 3.2.17.RELEASE, 4.0.0.RELEASE through 4.2.7.RELEASE and 4.3.0.RELEASE through 4.3.1.RELEASE are vulnerable to Stack-based Buffer Overflow, which allows an authenticated attacker to crash the application when giving CronSequenceGenerator a reversed range in the “minutes” or “hours” fields.

Publish Date: Sep 23, 2021 12:00 AM

URL: WS-2016-7112

Threat Assessment

Exploit Maturity:N/A

EPSS:N/A

Score: 4.9

Suggested Fix

Type: Upgrade version

Origin: https://github.com/spring-projects/spring-framework/releases/tag/v5.0.0.M1

Release Date: Jul 14, 2016 12:00 AM

Fix Resolution : org.springframework:spring-context:3.2.18.RELEASE,4.2.8.RELEASE,4.3.2.RELEASE,5.0.0.RELEASE

🟡CVE-2024-38820

Vulnerable Library - spring-web-4.2.0.RELEASE.jar

Spring Web

Library home page: http://projects.spring.io/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/4.2.0.RELEASE/spring-web-4.2.0.RELEASE.jar

Dependency Hierarchy:

  • spring-web-4.2.0.RELEASE.jar (Vulnerable Library)

Vulnerability Details

The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.

Publish Date: Oct 18, 2024 05:39 AM

URL: CVE-2024-38820

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 2.3

Suggested Fix

Type: Upgrade version

Origin: GHSA-4gc7-5j7h-4qph

Release Date: Oct 18, 2024 05:39 AM

Fix Resolution : org.springframework:spring-context:6.1.14

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions