Vulnerabilities > Vmware > Spring Framework > 3.1.1
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-03-23 | CVE-2023-20861 | Unspecified vulnerability in VMWare Spring Framework In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition. | 6.5 |
2022-05-12 | CVE-2022-22970 | Allocation of Resources Without Limits or Throttling vulnerability in multiple products In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object. | 5.3 |
2022-04-14 | CVE-2022-22968 | Improper Handling of Case Sensitivity vulnerability in multiple products In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path. | 5.3 |
2022-04-01 | CVE-2022-22950 | Allocation of Resources Without Limits or Throttling vulnerability in VMWare Spring Framework n Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition. | 4.0 |
2022-04-01 | CVE-2022-22965 | Code Injection vulnerability in multiple products A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. | 9.8 |
2020-09-19 | CVE-2020-5421 | In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter. | 6.5 |
2020-01-02 | CVE-2016-1000027 | Deserialization of Untrusted Data vulnerability in VMWare Spring Framework Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. | 9.8 |
2018-04-06 | CVE-2018-1270 | Code Injection vulnerability in multiple products Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. | 9.8 |
2017-05-25 | CVE-2014-0225 | XXE vulnerability in multiple products When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. | 6.8 |
2014-04-17 | CVE-2014-0054 | Cross-Site Request Forgery (CSRF) vulnerability in multiple products The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. | 6.8 |