Springsource Spring Framework vulnerabilities
5 known vulnerabilities affecting springsource/spring_framework.
Total CVEs: 5
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: HIGH 1, MEDIUM 4
Vulnerabilities
CVE-2014-0054 | MEDIUM | CVSS 6.8 | Affected: v3.0.0, v3.0.0.m1, +10 more | Published: 2014-04-17
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because o
Source: nvd
CVE-2013-7315 | MEDIUM | CVSS 6.8 | Affected: v3.0.0, v3.0.0.m1, +6 more | Published: 2014-01-23
The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerab
Source: nvd
CVE-2013-4152 | MEDIUM | CWE-264 | CVSS 6.8 | Affected: v3.0.0, v3.0.0.m1, +6 more | Published: 2014-01-23
The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource
Source: nvd
CVE-2011-2730 | HIGH | CWE-16 | CVSS 7.5 | Affected: ≤ 2.5.7_sr01, ≤ 3.0.5, +13 more | Published: 2012-12-05
VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spr
Source: nvd
CVE-2010-1622 | MEDIUM | CWE-94 | CVSS 6.0 | PoC available | Affected: v2.5.0, v2.5.1, +9 more | Published: 2010-06-21
SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file.
Source: nvd