Spring By Pivotal Spring Framework vulnerabilities
6 known vulnerabilities affecting spring_by_pivotal/spring_framework. Two of the six (CVE-2018-1273 and CVE-2018-1274) are, per their own descriptions, in Spring Data Commons rather than in the Spring Framework itself; the artifact to check for those is spring-data-commons, and their fixed versions are independent of the 4.3.x / 5.0.x Framework lines.

Total CVEs: 6
CISA KEV (actively exploited in the wild): 1 (CVE-2018-1273)
Public exploits (PoC available): 2 (CVE-2018-1273, CVE-2018-1271)
Severity breakdown: 3 CRITICAL, 2 HIGH, 1 MEDIUM

Vulnerabilities
CVE-2018-1274 [HIGH, CVSS 7.5, CWE-770]
Affected: Spring Data Commons versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions
Date: 2018-04-18
Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property path parser vulnerability caused by unlimited resource allocation. An unauthenticated remote malicious user (or attacker) can issue requests against Spring Data REST endpoints or endpoints using property path parsing which can cause a denial o
Sources: cvelistv5, nvd
CVE-2018-1273 [CRITICAL, CVSS 9.8, CWE-94] CISA KEV, public PoC
Affected: Spring Data Commons versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions
Date: 2018-04-11
Spring Data Commons, versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or us
Sources: cvelistv5, nvd
CVE-2018-1275 [CRITICAL, CVSS 9.8, CWE-94]
Affected: Spring Framework 5.0 prior to 5.0.5, 4.3 prior to 4.3.16, and older unsupported versions
Date: 2018-04-11
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. This CVE addresses the partial fix for CVE-2018-1270 in the 4.3.
Sources: cvelistv5
CVE-2018-1270 [CRITICAL, CVSS 9.8, CWE-94]
Affected: Spring Framework 5.0 prior to 5.0.5, 4.3 prior to 4.3.15, and older unsupported versions (the 4.3.15 fix was only partial; see CVE-2018-1275, fixed in 4.3.16)
Date: 2018-04-06
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution
Sources: cvelistv5, nvd
CVE-2018-1272 [HIGH, CVSS 7.5]
Affected: Spring Framework 5.0 prior to 5.0.5, 4.3 prior to 4.3.15, and older unsupported versions
Date: 2018-04-06
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be expose
Sources: cvelistv5, nvd
CVE-2018-1271 [MEDIUM, CVSS 5.9, CWE-22] public PoC
Affected: Spring Framework 5.0 prior to 5.0.5, 4.3 prior to 4.3.15, and older unsupported versions
Date: 2018-04-06
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a reque
Sources: cvelistv5, nvd
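The version ranges in the entries above are the actionable part of this page, and the one trap in them is that a build on Spring Framework 4.3.15 closes CVE-2018-1270, -1271 and -1272 but is still affected by CVE-2018-1275 (fixed in 4.3.16). The script below is an added example, not code from this page or from the Spring project: it encodes the stated ranges as "fixed in" versions and checks a resolved dependency list against them. The fixed versions 1.13.11 and 2.0.6 for Spring Data Commons are inferred from the page's "1.13 to 1.13.10, 2.0 to 2.0.5" as the next patch releases; anything below the lowest fixed line is treated as one of the "older unsupported versions" and flagged. The inventory is constructed for illustration.

```python
"""Affected-version check for the six Spring CVEs listed above (added example)."""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Fixed-in versions derived from the ranges on this page:
#   "4.3 prior to 4.3.15" -> fixed in 4.3.15, "5.0 prior to 5.0.5" -> fixed in 5.0.5,
#   "1.13 to 1.13.10, 2.0 to 2.0.5" -> fixed in 1.13.11 / 2.0.6 (inferred: next patch).
FIXED_IN: Dict[str, Tuple[str, List[Version]]] = {
    "CVE-2018-1273": ("spring-data-commons", [(1, 13, 11), (2, 0, 6)]),
    "CVE-2018-1274": ("spring-data-commons", [(1, 13, 11), (2, 0, 6)]),
    "CVE-2018-1270": ("spring-framework", [(4, 3, 15), (5, 0, 5)]),
    "CVE-2018-1271": ("spring-framework", [(4, 3, 15), (5, 0, 5)]),
    "CVE-2018-1272": ("spring-framework", [(4, 3, 15), (5, 0, 5)]),
    "CVE-2018-1275": ("spring-framework", [(4, 3, 16), (5, 0, 5)]),
}


def parse_version(raw: str) -> Version:
    """'4.3.14.RELEASE' -> (4, 3, 14); trailing qualifiers (RELEASE, SR1, ...) are dropped."""
    parts: List[int] = []
    for token in raw.split("."):
        if not token.isdigit():
            break
        parts.append(int(token))
    if not parts:
        raise ValueError(f"unparseable version: {raw!r}")
    return tuple(parts)


def is_affected(version: Version, fixed_in: List[Version]) -> bool:
    """True if `version` is below the fix for its major.minor line.

    A version on a line with no listed fix is affected only if it is older than
    every fixed line (an "older unsupported version"); newer lines are not flagged.
    """
    line = version[:2]
    for fixed in fixed_in:
        if fixed[:2] == line:
            return version < fixed
    return version < min(fixed_in)


def product_of(coordinate: str) -> Optional[str]:
    """Map a Maven coordinate (groupId:artifactId) to one of the two products on this page."""
    group, _, _artifact = coordinate.partition(":")
    if coordinate == "org.springframework.data:spring-data-commons":
        return "spring-data-commons"
    if group == "org.springframework":  # all Framework modules share one version
        return "spring-framework"
    return None  # out of scope for these six CVEs


def scan(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Return {'coordinate@version': [CVE ids]} for every affected inventory entry."""
    findings: Dict[str, List[str]] = {}
    for coordinate, raw in inventory:
        product = product_of(coordinate)
        if product is None:
            continue
        version = parse_version(raw)
        hits = sorted(
            cve for cve, (prod, fixed) in FIXED_IN.items()
            if prod == product and is_affected(version, fixed)
        )
        if hits:
            findings[f"{coordinate}@{raw}"] = hits
    return findings


# Constructed sample of a resolved dependency list (e.g. from `mvn dependency:list`).
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("org.springframework:spring-webmvc", "4.3.15.RELEASE"),            # closes 1270-1272, not 1275
    ("org.springframework:spring-messaging", "5.0.4.RELEASE"),          # all four Framework CVEs
    ("org.springframework.data:spring-data-commons", "2.0.5.RELEASE"),  # both Data Commons CVEs
    ("org.springframework.data:spring-data-commons", "2.0.6.RELEASE"),  # fixed
    ("org.springframework:spring-core", "4.2.9.RELEASE"),               # older unsupported line
    ("com.fasterxml.jackson.core:jackson-databind", "2.9.5"),           # out of scope, ignored
]

if __name__ == "__main__":
    for entry, cves in scan(SAMPLE_INVENTORY).items():
        print(f"{entry}: {', '.join(cves)}")
```

Run it against the resolved tree, not the declared dependencies: spring-data-commons normally arrives transitively through spring-data-rest or spring-data-jpa, so a pom that never names it can still ship an affected 2.0.5.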