This Week in Spring - September 2nd, 2025

Hi, Spring fans! Welcome to another installment of This Week in Spring! I'm in Frankfurt, awaiting my flight to the Java-tastic Javazone 2025 event where I'll be joined by the legendary James Ward to deliver an AI-focused look at the latest-and-greatest in Spring! And I'm still recovering from th...

Linux Distros Unpatched Vulnerability : CVE-2025-41242

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Spring Framework MVC applications can be vulnerable to a Path Traversal Vulnerability when deployed on a non-compliant Servlet container. An application can be...

Linux Distros Unpatched Vulnerability : CVE-2021-22060

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the...

Linux Distros Unpatched Vulnerability : CVE-2020-5398

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a...

Linux Distros Unpatched Vulnerability : CVE-2018-11039

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Spring Framework versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions allow web applications to change the HTTP request...

Linux Distros Unpatched Vulnerability : CVE-2020-17510

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass. CVE-2020-17510 Note that...

Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in spring-context-6.2.5.jar

Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of spring-context-6.2.5.jar Vulnerability Details CVEID:CVE-2025-22233 DESCRIPTION: CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter...

Linux Distros Unpatched Vulnerability : CVE-2020-5397

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC spring-webmvc module or...

Linux Distros Unpatched Vulnerability : CVE-2018-11040

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain request...

Linux Distros Unpatched Vulnerability : CVE-2023-20863

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may...

Security Bulletin: IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to an issue in Spring Framework

Summary There is vulnerability in Spring Framework used by Integrated Webservices in IBM Sterling Connect:Direct for Microsoft Windows. IBM Sterling Connect:Direct for Microsoft Windows has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2025-41234 DESCRIPTION: Description In Spring...

Linux Distros Unpatched Vulnerability : CVE-2025-22233

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names. However, ther...

Linux Distros Unpatched Vulnerability : CVE-2016-5007

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping...

Linux Distros Unpatched Vulnerability : CVE-2021-22096

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the...

Linux Distros Unpatched Vulnerability : CVE-2022-22968

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitiv...

Linux Distros Unpatched Vulnerability : CVE-2023-34053

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In Spring Framework versions 6.0.0 - 6.0.13, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service DoS...

Linux Distros Unpatched Vulnerability : CVE-2018-1257

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSock...

Spring Framework 5.3.x < 5.3.44 / 6.1.x < 6.1.22 / 6.2.x < 6.2.10 Path Traversal (CVE-2025-41242)

The version of Spring Framework installed on the remote host is 5.3.x prior to 5.3.44, 6.1.x prior to 6.1.22, or 6.2.x prior to 6.2.810. It is, therefore, affected by a path traversal vulnerability: - Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when...

VMware Spring Framework <= 5.3.43, 6.0.0 - 6.0.29, 6.1.0 - 6.1.21, 6.2.0 - 6.2.9 Path Traversal Vulnerability - Windows

The VMware Spring Framework is prone to a path traversal vulnerability. SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...

Linux Distros Unpatched Vulnerability : CVE-2023-20861

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide...