Lucene search
K

54 matches found

Cvelist
Cvelist
added 2026/06/11 5:4 a.m.28 views

CVE-2026-40997 SOAP security faults leak Spring Security account state

Several Spring WS integration paths with Spring Security could surface detailed account state for example locked or disabled user semantics to remote SOAP clients through exception messages or callback outcomes, instead of failing with generic authentication errors. That behavior assists remote...

5.3CVSS0.00366EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/11 5:4 a.m.9 views

CVE-2026-40996 Inbound WS-Security allows RSA PKCS#1 v1.5 key transport by default

Wss4jSecurityInterceptor defaulted allowRSA15KeyTransportAlgorithm to true, overriding Apache WSS4J's safer default for validation RequestData. Inbound WS-Security decryption could therefore accept RSA PKCS1 v1.5 rsa-15 encrypted key material unless operators explicitly reconfigured the flag...

4.8CVSS5.3AI score0.00129EPSS
Exploits0References1
CVE
CVE
added 2026/06/11 5:4 a.m.35 views

CVE-2026-40996

CVE-2026-40996 affects Spring Web Services where Wss4jSecurityInterceptor incorrectly defaults allowRSA15KeyTransportAlgorithm to true, overriding Apache WSS4J’s safer validation behavior for RequestData. This could allow RSA PKCS#1 v1.5 (rsa-1_5) encrypted key material in inbound WS-Security dec...

4.8CVSS5.5AI score0.00129EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/11 5:4 a.m.9 views

EUVD-2026-36205

X509AuthenticationProvider could issue a fully authenticated X509AuthenticationToken when a presented certificate mapped to UserDetails, without applying Spring Security's standard account lifecycle checks disabled, locked, expired, or credentials-expired accounts. Affected versions: Spring Web...

5.4CVSS5.4AI score0.00148EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/11 5:3 a.m.10 views

CVE-2026-40994 Wss4jSecurityInterceptor disables WS-I BSP validation by default

Wss4jSecurityInterceptor initialized its BSP WS-I Basic Security Profile compliance flag so that inbound validation disabled WSS4J BSP enforcement on RequestData. Services that validate WS-Security on the network could therefore accept messages that violate BSP rules, weakening protocol-level...

8.2CVSS5.3AI score0.00229EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/06/11 12:0 a.m.16 views

VMware Spring Web Services 加密问题漏洞

VMware Spring Web Services is a SOAP web service development framework provided by the American company VMware. There are vulnerabilities related to encryption in VMware Spring Web Services versions 5.0.0 to 5.0.1, 4.1.0 to 4.1.3, 4.0.0 to 4.0.18, and 3.1.0 to 3.1.8. These vulnerabilities stem fr...

4.8CVSS5.4AI score0.00129EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/11 12:0 a.m.17 views

PT-2026-48623

Name of the Vulnerable Software and Affected Versions Spring Web Services versions 5.0.0 through 5.0.1 Spring Web Services versions 4.1.0 through 4.1.3 Spring Web Services versions 4.0.0 through 4.0.18 Spring Web Services versions 3.1.0 through 3.1.8 Description The Wss4jSecurityInterceptor faile...

3.7CVSS5.8AI score0.00223EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/06/11 12:0 a.m.24 views

PT-2026-48622

Name of the Vulnerable Software and Affected Versions Spring Web Services versions 5.0.0 through 5.0.1 Spring Web Services versions 4.1.0 through 4.1.3 Spring Web Services versions 4.0.0 through 4.0.18 Spring Web Services versions 3.1.0 through 3.1.8 Description When WS-Addressing is used with...

8.6CVSS5.8AI score0.00383EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/06/11 12:0 a.m.26 views

PT-2026-48621

Name of the Vulnerable Software and Affected Versions Spring Web Services versions 5.0.0 through 5.0.1 Spring Web Services versions 4.1.0 through 4.1.3 Spring Web Services versions 4.0.0 through 4.0.18 Spring Web Services versions 3.1.0 through 3.1.8 Description Jaxp13XPathTemplate evaluated XPat...

8.2CVSS5.8AI score0.00352EPSS
Exploits0References6
CNNVD
CNNVD
added 2026/06/11 12:0 a.m.25 views

VMware Spring Web Services 代码问题漏洞

VMware Spring Web Services is a SOAP Web services development framework provided by the American company VMware. There are code vulnerabilities in versions 5.0.0 to 5.0.1, 4.1.0 to 4.1.3, 4.0.0 to 4.0.18, and 3.1.0 to 3.1.8 of VMware Spring Web Services. These vulnerabilities stem from the defaul...

8.2CVSS5.5AI score0.00352EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/06/11 12:0 a.m.20 views

VMware Spring Web Services 代码问题漏洞

VMware Spring Web Services is a SOAP Web services development framework provided by the American company VMware. There are code vulnerabilities in versions 5.0.0 to 5.0.1, 4.1.0 to 4.1.3, 4.0.0 to 4.0.18, and 3.1.0 to 3.1.8 of VMware Spring Web Services. These vulnerabilities stem from the use of...

8.6CVSS5.4AI score0.00383EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/06/11 12:0 a.m.14 views

VMware Spring Web Services 安全漏洞

VMware Spring Web Services is a SOAP Web services development framework provided by the American company VMware. There are security vulnerabilities in versions 5.0.0 to 5.0.1, 4.1.0 to 4.1.3, 4.0.0 to 4.0.18, and 3.1.0 to 3.1.8 of VMware Spring Web Services. These vulnerabilities stem from the...

5.3CVSS5.5AI score0.00366EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/11 12:0 a.m.22 views

PT-2026-48617

Name of the Vulnerable Software and Affected Versions Spring Web Services versions 5.0.0 through 5.0.1 Spring Web Services versions 4.1.0 through 4.1.3 Spring Web Services versions 4.0.0 through 4.0.18 Spring Web Services versions 3.1.0 through 3.1.8 Description The Wss4jSecurityInterceptor...

8.2CVSS5.8AI score0.00229EPSS
Exploits0References7
CNNVD
CNNVD
added 2026/06/11 12:0 a.m.19 views

VMware Spring Web Services 安全漏洞

VMware Spring Web Services is a SOAP Web services development framework provided by the American company VMware. There are security vulnerabilities in versions 5.0.0 to 5.0.1, 4.1.0 to 4.1.3, 4.0.0 to 4.0.18, and 3.1.0 to 3.1.8 of VMware Spring Web Services. These vulnerabilities stem from the...

8.2CVSS5.3AI score0.00229EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/11 12:0 a.m.24 views

PT-2026-48618

Name of the Vulnerable Software and Affected Versions Spring Web Services versions 5.0.0 through 5.0.1 Spring Web Services versions 4.1.0 through 4.1.3 Spring Web Services versions 4.0.0 through 4.0.18 Spring Web Services versions 3.1.0 through 3.1.8 Description X509AuthenticationProvider could...

5.4CVSS5.8AI score0.00148EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/11 12:0 a.m.18 views

PT-2026-48620

Name of the Vulnerable Software and Affected Versions Spring Web Services versions 5.0.0 through 5.0.1 Spring Web Services versions 4.1.0 through 4.1.3 Spring Web Services versions 4.0.0 through 4.0.18 Spring Web Services versions 3.1.0 through 3.1.8 Description Integration paths between Spring W...

5.3CVSS5.8AI score0.00366EPSS
Exploits0References7
Spring Security Advisories
Spring Security Advisories
added 2026/06/10 12:0 a.m.8 views

CVE-2026-40999: Spring WS SSRF via unvalidated WS-Addressing reply destinations

When WS-Addressing is used with non-anonymous ReplyTo or FaultTo addresses, Spring WS may initiate outbound connections through configured WebServiceMessageSender instances to destinations taken directly from request headers without verifying that those destinations are safe to connect to. A remo...

8.6CVSS5.9AI score0.00383EPSS
Exploits0References1Affected Software1
Snyk
Snyk
added 2026/06/10 12:0 a.m.8 views

Insecure Defaults

Overview Affected versions of this package are vulnerable to Insecure Defaults due to the Wss4jSecurityInterceptor class in Wss4jSecurityInterceptor.java initializing its bspCompliant flag to false, so inbound validation always calls RequestData.setDisableBSPEnforcementtrue and disables WSS4J's...

8.8CVSS5.4AI score0.00229EPSS
Exploits0References2
Spring Security Advisories
Spring Security Advisories
added 2025/12/16 12:0 a.m.8 views

This Week in Spring – December 16th, 2025

Hi, Spring fans! Welcome to another installment of This Week in Spring! And what a week it’s been! We’ve got around nine shopping days ’til Christmas, and the New Year is almost here! Things are moving so quickly and the Spring community is no exception! Let's dive into this week's wonderful...

6.8AI score
Exploits0
Spring Security Advisories
Spring Security Advisories
added 2025/07/22 12:0 a.m.20 views

This Week in Spring - July 22nd, 2025

Hi, Spring fans! It's almost SpringOne time!! AAAAH it's all moving so quickly! I can hardly stand it. SpringOne's next month, in lovely Las Vegas, and I'll be there. Will you? Have you registered? We'll be looking at the impending Spring Boot 4.0 and Spring Framework 7.0 releases! It's going to ...

7.1AI score
Exploits0
Rows per page
Query Builder