CVE-2018-11040
Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser...
CVE-2018-11039
Spring Framework versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions allow web applications to change the HTTP request method to any HTTP method including TRACE using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS...
com.bluelock:camel-spring-amqp (>=1.5 <=1.6.3), com.catify.bpmn:bpmn-engine-dist-jpa-camel (=1.1) +448 more potentially affected by CVE-2014-0002 via org.apache.camel:camel-core (>=1.0.0 <=2.11.3)
org.apache.camel:camel-core MAVEN version =1.0.0, =1.5, =0.3.4, =0.4.0 - com.github.microon:microon-services-calendar =0.0 - com.github.rmannibucau:camel-loader =0.0.1 - com.github.rmannibucau:diagram-generator-maven-plugin =0.0.1 and more Source cves: CVE-2014-0002 Source advisory:...
org.apache.camel:camel-atmosphere-websocket (=2.16.0), org.apache.camel:camel-example-cxf-tomcat (=2.16.0) +8 more potentially affected by CVE-2015-5348 via org.apache.camel:camel-servlet (=2.16.0)
org.apache.camel:camel-servlet MAVEN version =2.16.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.apache.camel:camel-servlet and may be impacted: - org.apache.camel:camel-atmosphere-websocket =2.16.0 - org.apache.camel:camel-example-cxf-tomcat...
cn.youweisoft:sparrow-permission (>=1.4.0 <=1.6.0), com.bucket4j:bucket4j-ignite (>=7.6.1 <=8.10.1) +267 more potentially affected by CVE-2018-8018 via org.apache.ignite:ignite-core (>=1.0.0-RC1 <=2.5.0)
org.apache.ignite:ignite-core MAVEN version =1.0.0-RC1, =1.4.0, =7.6.1, =8.11.0, =8.11.0, =8.0.0, =1.0.0, =3.0.0-beta1, =0.1.2, =1.5.1, =2.0, =0.0.1, =1.1.0 - com.github.itzmedinesh:micro-cache-grid =1.0.0 and more Source cves: CVE-2018-8018 Source advisory: OSV:GHSA-QCJV-WFCG-MMPR...
GHSA-8MR5-H28G-36QX Spring AOP functionality (Struts) vulnerable to DoS attack
When Spring AOP functionality is used to secure Struts actions, it is possible to perform a DoS attack. The solution is to upgrade to Apache Struts version 2.5.12 or 2.3.33...
ai.dev-tools:ai-devtools (>=0.1.12 <=0.1.20), ai.idylnlp:idylnlp-models-deeplearning (>=1.0.0 <=1.1.0) +4449 more potentially affected by CVE-2018-11040 via org.springframework:spring-core (>=5.0.0.RELEASE <=5.0.6.RELEASE)
org.springframework:spring-core MAVEN version =5.0.0.RELEASE, =0.1.12, =1.0.0, =Finchley.SR2.SR1, =Finchley.SR4, =Finchley.SR2.SR1, =Finchley.SR2.SR1, =Finchley.SR4, =0.0.1, =0.0.2, =2.0.3.RELEASE, =2.0.3.RELEASE, =2.0.3.RELEASE, =2.0.3.RELEASE, =2.0.9.RELEASE and more Source cves: CVE-2018-11040...
GHSA-F26X-PR96-VW86 Moderate severity vulnerability that affects org.springframework:spring-core
Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser...
ai.foremast.metrics:foremast-spring-4x-k8s-metrics (>=0.1.6 <=0.2.0), am.ik.blog:blog-domain (>=4.2.1 <=4.3.6) +5997 more potentially affected by CVE-2018-11040 via org.springframework:spring-core (>=4.3.0.RELEASE <=4.3.17.RELEASE)
org.springframework:spring-core MAVEN version =4.3.0.RELEASE, =0.1.6, =4.2.1, =4.4.1, =1.0.0.RELEASE, =1.0.0, =1.0.2, =1.6, =1.6, =1.6, =1.0.10, =0.6.0, =0.6.0, =0.2.13, =0.2.28 and more Source cves: CVE-2018-11040 Source advisory: OSV:GHSA-F26X-PR96-VW86...
ai.foremast.metrics:foremast-spring-4x-k8s-metrics (>=0.1.6 <=0.2.0), at.porscheinformatik.zanata:zanata-spring (>=1.0.0.RELEASE <=1.1.0.RELEASE) +2978 more potentially affected by CVE-2018-11039 via org.springframework:spring-web (>=4.3.0.RELEASE <=4.3.17.RELEASE)
org.springframework:spring-web MAVEN version =4.3.0.RELEASE, =0.1.6, =1.0.0.RELEASE, =1.6, =1.6, =1.0.10, =0.2.13, =0.2.13, =0.2.13, =0.7, =1.7.2, =1.1.3, =1.1.7 - ch.rasc:wampspring =1.1.2 - ch.rasc:wampspring-security =1.1.2 - ch.rasc:wampspring-session =1.1.2 and more Source cves: CVE-2018-110...
Spring Framework Cross Site Tracing (XST)
Spring Framework versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions allow web applications to change the HTTP request method to any HTTP method including TRACE using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS...
ai.ylyue:yue-library-base (>=Finchley.SR2.SR1 <=Finchley.SR4.1), ai.ylyue:yue-library-base-crypto (>=Finchley.SR4 <=Finchley.SR4.1) +2320 more potentially affected by CVE-2018-11039 via org.springframework:spring-web (>=5.0.0.RELEASE <=5.0.6.RELEASE)
org.springframework:spring-web MAVEN version =5.0.0.RELEASE, =Finchley.SR2.SR1, =Finchley.SR4, =Finchley.SR2.SR1, =Finchley.SR2.SR1, =Finchley.SR4, =0.0.1, =0.0.2, =2.0.3.RELEASE, =2.0.3.RELEASE, =2.0.2.RELEASE, =1.0.3.RELEASE, =1.3.0.RELEASE, =0.0.1, =0.0.2 - ca.uhn.hapi.fhir:hapi-fhir-cli-api...
GHSA-9GCM-F4X3-8JPW Spring Framework Cross Site Tracing (XST)
Spring Framework versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions allow web applications to change the HTTP request method to any HTTP method including TRACE using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS...
Spring Framework CVE-2018-15756 Denial-Of-Service Vulnerability
...
Exploit for Code Injection in Pivotal_Software Spring_Data_Commons
CVE-2018-1273 Spring Data Commons, versions prior to 1.13 to...
at.chrl:chrl-orm-spring-integration (=1.1.0), au.com.dius:pact-jvm-provider-spring_2.11 (>=3.4.0 <=3.5.18) +1406 more potentially affected by CVE-2016-9878 via org.springframework:spring-webmvc (>=4.2.0.RELEASE <=4.2.8.RELEASE)
org.springframework:spring-webmvc MAVEN version =4.2.0.RELEASE, =3.4.0, =3.5.4-rc.0, =1, =1.4, =1.4, =1.0.4, =0.0.10, =1.6.0, =0.0.21, =0.0.21, =0.0.21, =0.0.21, =0.0.22 and more Source cves: CVE-2016-9878 Source advisory: OSV:GHSA-2M8H-FGR8-2Q9W...
ai.foremast.metrics:foremast-spring-4x-k8s-metrics (>=0.1.6 <=0.2.0), at.researchstudio.sat:won-node (>=0.4 <=0.6) +3885 more potentially affected by CVE-2016-9878 via org.springframework:spring-webmvc (>=4.3.0.RELEASE <=4.3.4.RELEASE)
org.springframework:spring-webmvc MAVEN version =4.3.0.RELEASE, =0.1.6, =0.4, =0.4, =0.4, =0.4, =4.1.0, =4.0.0, =3.5.19, =3.5.19, =1, =1, =1, =1, =1, =0.1, =0.13.6 and more Source cves: CVE-2016-9878 Source advisory: OSV:GHSA-2M8H-FGR8-2Q9W...
GHSA-2M8H-FGR8-2Q9W Pivotal Spring Framework Paths provided to the ResourceServlet were not properly sanitized
An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks...
RPD:bmc-rpd (=1.1), aendter.jenkins.plugins:filesystem-list-parameter-plugin (>=0.0.1 <=0.0.6) +2512 more potentially affected by CVE-2016-9878 via org.springframework:spring-webmvc (>=1.2.1 <=3.2.17.RELEASE)
org.springframework:spring-webmvc MAVEN version =1.2.1, =0.0.1, =1.0, =0.0.20, =1.0, =0.0.1, =0.1.0, =1.0.0, =0.2, =3.0.1, =4.0.0 - cn.fastoo:fastoo-java-api =20171130 - cn.opencodes:alpha-common-utils =1.0.0 and more Source cves: CVE-2016-9878 Source advisory: OSV:GHSA-2M8H-FGR8-2Q9W...