6517 matches found

OSV
added 2018/10/17 8:30 p.m. | 28 views

GHSA-8CRV-49FR-2H6J Spring Security and Spring Framework may not recognize certain paths that should be protected

Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x as well as other unsupported versions rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms,...

CVSS 7.5 | AI score 7.5 | EPSS 0.00155
Exploits 0 | References 9
Github Security Blog
added 2018/10/17 8:29 p.m. | 34 views

Files or Directories Accessible to External Parties in org.springframework:spring-core

Under some situations, the Spring Framework 4.2.0 to 4.2.1, 4.0.0 to 4.1.7, 3.2.0 to 3.2.14 and older unsupported versions are vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being...

CVSS 9.6 | AI score 7.6 | EPSS 0.01918
Exploits 1 | References 8 | Affected Software 1
vulnersOsv
added 2018/10/17 8:29 p.m. | 2 views

ai.minxiao:ds4s-cdl4j_2.11 (>=0.1.0 <=0.1.2), am.ik.springmvc:new-controller (>=0.1.0 <=0.2.0) +4509 more potentially affected by CVE-2015-5211 via org.springframework:spring-core (>=4.0.0.RELEASE <=4.1.7.RELEASE)

org.springframework:spring-core MAVEN version =4.0.0.RELEASE, =0.1.0, =0.1.0, =1.0.0, =0.2, =1.3.1-RELEASE, =1.0, =2.2.0, =2.4.0, =2.4.3 and more. Source cves: CVE-2015-5211. Source advisory: OSV:GHSA-PGF9-H69P-PCGF...

CVSS 9.6 | AI score 6.7 | EPSS 0.01918
Exploits 1
vulnersOsv
added 2018/10/17 8:29 p.m. | 4 views

at.chrl:chrl-jms (=1.1.0), at.chrl:chrl-orm-spring-integration (=1.1.0) +594 more potentially affected by CVE-2015-5211 via org.springframework:spring-core (>=4.2.0.RELEASE <=4.2.1.RELEASE)

org.springframework:spring-core MAVEN version =4.2.0.RELEASE, =1.0.0, =4.0.1.Final, =0.15.0, =0.13.2, =0.13.2, =1.0.6, =1.1.0, =1.0.109-RELEASE, =1.0.109-RELEASE, =1.0.109-RELEASE, =1.0.109-RELEASE, =1.0.120-RELEASE and more. Source cves: CVE-2015-5211. Source advisory: OSV:GHSA-PGF9-H69P-PCGF...

CVSS 9.6 | AI score 6.7 | EPSS 0.01918
Exploits 1
OSV
added 2018/10/17 8:29 p.m. | 36 views

GHSA-PGF9-H69P-PCGF Files or Directories Accessible to External Parties in org.springframework:spring-core

Under some situations, the Spring Framework 4.2.0 to 4.2.1, 4.0.0 to 4.1.7, 3.2.0 to 3.2.14 and older unsupported versions are vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being...

CVSS 8.6 | AI score 7.5 | EPSS 0.01918
Exploits 1 | References 9
vulnersOsv
added 2018/10/17 8:29 p.m. | 1 view

ColumnPack:ColumnPack-plugin (=1.0.3), CustomHistory:CustomHistory (>=1.1 <=1.3) +8872 more potentially affected by CVE-2015-5211 via org.springframework:spring-core (>=1.2 <=3.2.14.RELEASE)

org.springframework:spring-core MAVEN version =1.2, =1.1, =1.3, =0.0.1, =1.0, =5.0.9, =0.0.20, =1.0.0-alpha-1, =1.0, =1.0, =0.3, =0.7, =0.8 and more. Source cves: CVE-2015-5211. Source advisory: OSV:GHSA-PGF9-H69P-PCGF...

CVSS 9.6 | AI score 6.7 | EPSS 0.01918
Exploits 1
vulnersOsv
added 2018/10/17 8:29 p.m. | 3 views

ColumnPack:ColumnPack-plugin (=1.0.3), CustomHistory:CustomHistory (>=1.1 <=1.3) +4985 more potentially affected by CVE-2015-3192 via org.springframework:spring-web (>=1.2.1 <=3.2.13.RELEASE)

org.springframework:spring-web MAVEN version =1.2.1, =1.1, =0.0.1, =1.0, =0.0.20, =1.0.0-alpha-1, =1.0, =2.0, =1.1.1, =1.0.2, =1.1.2, =1.2, =1.3 and more. Source cves: CVE-2015-3192. Source advisory: OSV:GHSA-6V7W-535J-RQ5M...

CVSS 5.5 | AI score 6.4 | EPSS 0.01378
Exploits 0
Github Security Blog
added 2018/10/17 8:29 p.m. | 24 views

Pivotal Spring Framework DoS Attack with XML Input

Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file...

CVSS 5.5 | AI score 5.6 | EPSS 0.01378
Exploits 0 | References 24 | Affected Software 1
vulnersOsv
added 2018/10/17 8:29 p.m. | 4 views

am.ik.springmvc:new-controller (>=0.1.0 <=0.2.0), am.ik.woothee:woothee-spring (=1.0.0) +1729 more potentially affected by CVE-2015-3192 via org.springframework:spring-web (>=4.0.0.RELEASE <=4.1.6.RELEASE)

org.springframework:spring-web MAVEN version =4.0.0.RELEASE, =0.1.0, =1.0.0, =1.3.1-RELEASE, =0.0.6, =0.9.0-1, =1.0.0 and more. Source cves: CVE-2015-3192. Source advisory: OSV:GHSA-6V7W-535J-RQ5M...

CVSS 5.5 | AI score 6.4 | EPSS 0.01378
Exploits 0
OSV
added 2018/10/17 8:29 p.m. | 30 views

GHSA-6V7W-535J-RQ5M Pivotal Spring Framework DoS Attack with XML Input

Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file...

CVSS 5.5 | AI score 5.3 | EPSS 0.01378
Exploits 0 | References 25
Github Security Blog
added 2018/10/17 8:28 p.m. | 27 views

Moderate severity vulnerability that affects org.springframework:spring-core

The Java SockJS client in Pivotal Spring Framework 4.1.x before 4.1.5 generates predictable session ids, which allows remote attackers to send messages to other sessions via unspecified vectors...

CVSS 5 | AI score 6.4 | EPSS 0.00182
Exploits 0 | References 5 | Affected Software 1
vulnersOsv
added 2018/10/17 8:28 p.m. | 2 views

am.ik.springmvc:new-controller (>=0.1.0 <=0.2.0), am.ik.woothee:woothee-spring (=1.0.0) +1180 more potentially affected by CVE-2015-0201 via org.springframework:spring-core (>=4.1.0.RELEASE <=4.1.4.RELEASE)

org.springframework:spring-core MAVEN version =4.1.0.RELEASE, =0.1.0, =1.0, =0.0.1, =0.0.1, =0.7, =1.5.0, =1.0.1, =1.1.0 and more. Source cves: CVE-2015-0201. Source advisory: OSV:GHSA-45VG-2V73-VM62...

CVSS 5 | AI score 5.8 | EPSS 0.00182
Exploits 0
OSV
added 2018/10/17 8:28 p.m. | 17 views

GHSA-45VG-2V73-VM62 Moderate severity vulnerability that affects org.springframework:spring-core

The Java SockJS client in Pivotal Spring Framework 4.1.x before 4.1.5 generates predictable session ids, which allows remote attackers to send messages to other sessions via unspecified vectors...

CVSS 5 | AI score 6.5 | EPSS 0.00182
Exploits 0 | References 6
vulnersOsv
added 2018/10/17 8:28 p.m. | 3 views

ca.uhn.hapi.fhir:hapi-fhir-cli-api (=3.4.0), ca.uhn.hapi.fhir:hapi-fhir-jpaserver-base (>=3.1.0 <=3.4.0) +463 more potentially affected by CVE-2018-1275 via org.springframework:spring-messaging (>=5.0.0.RELEASE <=5.0.4.RELEASE)

org.springframework:spring-messaging MAVEN version =5.0.0.RELEASE, =3.1.0, =0.2.0, =B.0.0.1, =B.0.0.1, =B.0.0.6 and more. Source cves: CVE-2018-1275. Source advisory: OSV:GHSA-3RMV-2PG5-XVQJ...

CVSS 9.8 | AI score 6.9 | EPSS 0.38064
Exploits 0
Github Security Blog
added 2018/10/17 8:28 p.m. | 51 views

Spring Framework has Improperly Implemented Security Check for Standard

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user or attacker can craft a message to...

CVSS 9.8 | AI score 9.4 | EPSS 0.89954
Exploits 5 | References 18 | Affected Software 1
OSV
added 2018/10/17 8:28 p.m. | 54 views

GHSA-3RMV-2PG5-XVQJ Spring Framework has Improperly Implemented Security Check for Standard

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user or attacker can craft a message to...

CVSS 9.8 | AI score 9.4 | EPSS 0.38064
Exploits 0 | References 18
vulnersOsv
added 2018/10/17 8:28 p.m. | 3 views

at.chrl:chrl-jms (=1.1.0), ca.islandora.alpaca:islandora-connector-broadcast (>=0.2.0 <=0.3.0) +1574 more potentially affected by CVE-2018-1275 via org.springframework:spring-messaging (>=4.0.1.RELEASE <=4.3.15.RELEASE)

org.springframework:spring-messaging MAVEN version =4.0.1.RELEASE, =0.2.0, =1.4, =1.4, =1.1.0, =1.1.1, =1.1.0, =1.0.0, =1.0.1 and more. Source cves: CVE-2018-1275. Source advisory: OSV:GHSA-3RMV-2PG5-XVQJ...

CVSS 9.8 | AI score 6.9 | EPSS 0.38064
Exploits 0
vulnersOsv
added 2018/10/17 8:27 p.m. | 1 view

ai.ylyue:yue-library-base (>=Finchley.SR2.SR1 <=Finchley.SR4.1), ai.ylyue:yue-library-base-crypto (>=Finchley.SR4 <=Finchley.SR4.1) +3026 more potentially affected by CVE-2018-1272 via org.springframework:spring-core (>=5.0.0.RELEASE <=5.0.4.RELEASE)

org.springframework:spring-core MAVEN version =5.0.0.RELEASE, =Finchley.SR2.SR1, =Finchley.SR4, =Finchley.SR2.SR1, =Finchley.SR2.SR1, =Finchley.SR4, =0.0.1, =0.0.2, =2.0.3.RELEASE, =2.0.3.RELEASE, =2.0.3.RELEASE, =2.0.3.RELEASE, =2.0.2.RELEASE, =2.0.2.RELEASE, =2.0.3.RELEASE, =2.0.7.RELEASE and...

CVSS 7.5 | AI score 7 | EPSS 0.02166
Exploits 0
vulnersOsv
added 2018/10/17 8:27 p.m. | 0 views

ColumnPack:ColumnPack-plugin (=1.0.3), CustomHistory:CustomHistory (>=1.1 <=1.3) +20817 more potentially affected by CVE-2018-1272 via org.springframework:spring-core (>=1.2 <=4.3.14.RELEASE)

org.springframework:spring-core MAVEN version =1.2, =1.1, =1.3, =0.0.1, =0.1.6, =0.1.4-SB1X, =0.1.0, =4.2.1, =4.4.1, =0.1.0, =1.0, =5.0.9, =0.0.20, =0.0.34 and more. Source cves: CVE-2018-1272. Source advisory: OSV:GHSA-4487-X383-QPPH...

CVSS 7.5 | AI score 7 | EPSS 0.02166
Exploits 0
OSV
added 2018/10/17 8:27 p.m. | 82 views

GHSA-4487-X383-QPPH Possible privilege escalation in org.springframework:spring-core

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a...

CVSS 7.5 | AI score 8.3 | EPSS 0.02166
Exploits 0 | References 14