Lucene search
K

1888 matches found

Github Security Blog
Github Security Blog
added 2018/10/17 8:29 p.m.37 views

Files or Directories Accessible to External Parties in org.springframework:spring-core

Under some situations, the Spring Framework 4.2.0 to 4.2.1, 4.0.0 to 4.1.7, 3.2.0 to 3.2.14 and older unsupported versions is vulnerable to a Reflected File Download RFD attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being...

9.6CVSS7.6AI score0.0257EPSS
Exploits1References8Affected Software1
Github Security Blog
Github Security Blog
added 2018/10/17 8:29 p.m.27 views

Pivotal Spring Framework DoS Attack with XML Input

Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service memory consumption and out-of-memory errors via a crafted XML file...

5.5CVSS5.6AI score0.02555EPSS
Exploits0References24Affected Software1
OSV
OSV
added 2018/10/17 8:29 p.m.42 views

GHSA-6V7W-535J-RQ5M Pivotal Spring Framework DoS Attack with XML Input

Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service memory consumption and out-of-memory errors via a crafted XML file...

5.5CVSS5.3AI score0.02555EPSS
Exploits0References25
OSV
OSV
added 2018/10/17 8:28 p.m.18 views

GHSA-45VG-2V73-VM62 Moderate severity vulnerability that affects org.springframework:spring-core

The Java SockJS client in Pivotal Spring Framework 4.1.x before 4.1.5 generates predictable session ids, which allows remote attackers to send messages to other sessions via unspecified vectors...

5CVSS6.5AI score0.019EPSS
Exploits0References6
Github Security Blog
Github Security Blog
added 2018/10/17 8:28 p.m.29 views

Moderate severity vulnerability that affects org.springframework:spring-core

The Java SockJS client in Pivotal Spring Framework 4.1.x before 4.1.5 generates predictable session ids, which allows remote attackers to send messages to other sessions via unspecified vectors...

5CVSS6.4AI score0.019EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2018/10/17 8:28 p.m.56 views

GHSA-3RMV-2PG5-XVQJ Spring Framework has Improperly Implemented Security Check for Standard

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user or attacker can craft a message to...

9.8CVSS9.4AI score0.57632EPSS
Exploits0References18
Github Security Blog
Github Security Blog
added 2018/10/17 8:28 p.m.53 views

Spring Framework has Improperly Implemented Security Check for Standard

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user or attacker can craft a message to...

9.8CVSS9.4AI score0.77245EPSS
Exploits5References18Affected Software1
OSV
OSV
added 2018/10/17 8:27 p.m.83 views

GHSA-4487-X383-QPPH Possible privilege escalation in org.springframework:spring-core

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application server A receives input from a remote client, and then uses that input to make a...

7.5CVSS8.3AI score0.02831EPSS
Exploits0References14
Github Security Blog
Github Security Blog
added 2018/10/17 8:27 p.m.75 views

Possible privilege escalation in org.springframework:spring-core

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application server A receives input from a remote client, and then uses that input to make a...

7.5CVSS3.3AI score0.02831EPSS
Exploits0References14Affected Software1
Github Security Blog
Github Security Blog
added 2018/10/17 8:7 p.m.49 views

Path Traversal in org.springframework:spring-core

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources e.g. CSS, JS, images. When static resources are served from a file system on Windows as opposed to the classpath, or...

5.9CVSS3.5AI score0.35681EPSS
Exploits1References21Affected Software1
OSV
OSV
added 2018/10/17 8:7 p.m.78 views

GHSA-G8HW-794C-4J9G Path Traversal in org.springframework:spring-core

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources e.g. CSS, JS, images. When static resources are served from a file system on Windows as opposed to the classpath, or...

5.9CVSS7.3AI score0.35681EPSS
Exploits1References21
OSV
OSV
added 2018/10/17 8:5 p.m.290 views

GHSA-P5HG-3XM3-GCJG Spring Framework allows applications to expose STOMP over WebSocket endpoints

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user or attacker can craft a message to...

9.8CVSS9.6AI score0.77245EPSS
Exploits5References20
Github Security Blog
Github Security Blog
added 2018/10/17 8:5 p.m.62 views

Spring Framework allows applications to expose STOMP over WebSocket endpoints

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user or attacker can craft a message to...

9.8CVSS9.6AI score0.77245EPSS
Exploits5References20Affected Software1
Github Security Blog
Github Security Blog
added 2018/10/17 8:5 p.m.71 views

Spring Framework when used in combination with any versions of Spring Security contains an authorization bypass

Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted...

8.8CVSS3.6AI score0.02427EPSS
Exploits0References19Affected Software1
OSV
OSV
added 2018/10/17 8:5 p.m.31 views

GHSA-CXRJ-66C5-9FMH Spring Framework when used in combination with any versions of Spring Security contains an authorization bypass

Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted...

8.8CVSS9.1AI score0.02427EPSS
Exploits0References20
OSV
OSV
added 2018/10/17 8:2 p.m.29 views

GHSA-RCPF-VJ53-7H2M Denial of Service in org.springframework:spring-core

Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user or attacker can craft a message ...

6.5CVSS6.6AI score0.03279EPSS
Exploits0References16
Github Security Blog
Github Security Blog
added 2018/10/17 8:2 p.m.63 views

Denial of Service in org.springframework:spring-core

Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user or attacker can craft a message ...

6.5CVSS5.4AI score0.03279EPSS
Exploits0References15Affected Software1
OSV
OSV
added 2018/10/17 8:1 p.m.40 views

GHSA-V596-FWHQ-8X48 Improper Input Validation in org.springframework.security:spring-security-core, org.springframework.security:spring-security-core , and org.springframework:spring-core

Spring Security Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3 does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an...

5.3CVSS5.3AI score0.02857EPSS
Exploits0References14
RedHat Linux
RedHat Linux
added 2018/10/17 7:28 p.m.4 views

spring-framework: Directory traversal vulnerability with static resources on Windows filesystems

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources e.g. CSS, JS, images. When static resources are served from a file system on Windows as opposed to the classpath, or...

5.9CVSS7.4AI score0.35681EPSS
Exploits1References5
RedHat Linux
RedHat Linux
added 2018/10/17 7:28 p.m.2 views

spring-framework: Address partial fix for CVE-2018-1270

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user or attacker can craft a message to...

9.8CVSS8AI score0.77245EPSS
Exploits5References4
Rows per page
Query Builder