Spring Batch Admin vulnerable to Cross Site Request Forgery
Spring Batch Admin does not contain Cross-Site Request Forgery (CSRF) protection, which may allow an attacker to craft a malicious site that executes requests to Spring Batch Admin...
RCE in PATCH requests in Spring Data REST
Malicious PATCH requests submitted to servers using Spring Data REST backed HTTP resources can use specially crafted JSON data to run arbitrary Java code...
Remote code execution in spring-amqp
In affected versions of Spring AMQP, an org.springframework.amqp.core.Message may be unsafely deserialized when being converted into a string. A malicious payload could be crafted to exploit this and enable a remote code execution attack...
Data Binding Expression Vulnerability in Spring Web Flow
This CVE addresses a second path to exploiting the same vulnerability as the one described under CVE-2017-4971. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property (disabled by default, i.e. set to "false") can be vulnerable to malicious EL...
Data Binding Expression Vulnerability in Spring Web Flow
Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property (disabled by default, i.e. set to "false") can be vulnerable to malicious EL expressions in view states that process form submissions but do not have a sub-element to declare explicit data bindi...
Directory Traversal in the Spring Framework ResourceServlet
Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks...
Spring Data JPA Blind SQL Injection Vulnerability
Sort instances handed into user defined Spring Data repository query methods using manually declared JPQL queries are handed to the persistence provider as is and allow attackers to inject arbitrary JPQL into ORDER BY clauses which they might use to draw conclusions about non-exposed fields based...
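The shape of the problem, as an added illustration rather than code from Spring Data or from the advisory: a repository method that declares its own JPQL and also takes a caller-controlled Sort hands the Sort's property strings straight into the generated ORDER BY clause. The allowlist check below is one way to refuse anything that is not a plain attribute name before the repository is called. The entity `Person`, the repository, the attribute names and the `ssn` field are all assumed for the example.

```java
import java.util.List;
import java.util.Set;
import javax.persistence.Entity;   // jakarta.persistence on Spring Boot 3 / Spring Data 3
import javax.persistence.Id;
import org.springframework.data.domain.Sort;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.Query;

// Assumed entity; the ssn column is the kind of field an API would not expose.
@Entity
class Person {
    @Id Long id;
    String firstname;
    String lastname;
    String ssn;
}

// Assumed repository: manually declared JPQL plus a Sort parameter. In affected versions the
// Sort's property strings are appended to ORDER BY as-is, so they are JPQL, not column names.
interface PersonRepository extends JpaRepository<Person, Long> {
    @Query("select p from Person p where p.lastname = ?1")
    List<Person> findByLastname(String lastname, Sort sort);
}

public final class SortAllowlist {

    // Only attributes the API is meant to expose may be sorted on.
    private static final Set<String> ALLOWED_PROPERTIES =
            Set.of("firstname", "lastname", "createdAt");

    /** Returns the Sort unchanged if every Order names an allowlisted attribute; throws otherwise. */
    public static Sort validate(Sort requested) {
        if (requested == null || requested.isUnsorted()) {
            return Sort.unsorted();
        }
        for (Sort.Order order : requested) {          // Sort is Iterable<Sort.Order>
            String property = order.getProperty();
            if (!ALLOWED_PROPERTIES.contains(property)) {
                throw new IllegalArgumentException("sort property not permitted: " + property);
            }
        }
        return requested;
    }

    public static void main(String[] args) {
        // Constructed illustration of the payload class: a JPQL expression in place of an
        // attribute name. Passed through unchecked it lands in ORDER BY, and the resulting row
        // order tells the caller whether the condition on the hidden column holds for each row.
        Sort injected = Sort.by("case when p.ssn like '1%' then 0 else 1 end");
        try {
            validate(injected);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // A legitimate request passes through untouched.
        System.out.println("accepted: " + validate(Sort.by(Sort.Direction.DESC, "lastname")));
    }
}
```

The check belongs at the web layer, before the Sort reaches the repository: a Spring MVC controller that takes a `Sort` or `Pageable` argument should pass it through `validate` (or equivalent) first. Fixed Spring Data releases validate the property names themselves, but an explicit allowlist also stops sorting on real columns the API never intended to expose.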
Spring Security / MVC Path Matching Inconsistency
Both Spring Security and the Spring Framework rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Securit...
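An added configuration example (not from the advisory or from Spring Security's own code) showing the weak and the corrected way to express the same rule. With `antMatchers`, Spring Security matches the raw path with its own matcher, while Spring MVC's `AntPathMatcher` may trim whitespace from path segments; a request to `/admin%20/users` (a trailing space in the first segment) can therefore miss the security rule and still reach the admin controller. `mvcMatchers` asks Spring MVC's own `HandlerMappingIntrospector`, so both sides agree. The roles and the `permitAll` fallback are assumptions; the `WebSecurityConfigurerAdapter` style is Spring Security 4.1 to 5.x.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added illustration; assumed application with an /admin/** controller area.
@Configuration
@EnableWebSecurity
public class PathMatchingConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // Weak: Spring Security's own Ant matcher. "/admin /users" (decoded from
            // /admin%20/users) does not match "/admin/**", falls through to permitAll(),
            // and Spring MVC then trims the segment and routes it to the admin controller.
            //   .antMatchers("/admin/**").hasRole("ADMIN")

            // Corrected: delegate matching to Spring MVC so authorization sees the request
            // exactly as the controller mapping does.
            .mvcMatchers("/admin/**").hasRole("ADMIN")
            .anyRequest().permitAll();
    }
}
```

The general rule the advisory points at: whenever authorization and routing use different matchers, the authorization rule must be at least as permissive in what it considers "the protected path" as the router is. Using the router's own matcher is the simplest way to guarantee that.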
Remote Code Execution (RCE) in Spring Security OAuth
When processing authorization requests using the whitelabel views, the response_type parameter value was evaluated as a Spring SpEL expression, which enabled a malicious user to trigger remote code execution by crafting the value of response_type...
Remote Code Execution in Spring AMQP
The class org.springframework.core.serializer.DefaultDeserializer does not validate the deserialized object against a whitelist. By supplying a crafted serialized object like Chris Frohoff's Commons Collection gadget, remote code execution can be achieved...
Spring Social CSRF
When authorizing an application against an OAuth 2 API provider, Spring Social is vulnerable to a Cross-Site Request Forgery (CSRF) attack. The attack involves a malicious user beginning an OAuth 2 authorization flow using a fake account with an OAuth 2 API provider, but completing it by tricking t...
RFD Attack in Spring Framework
Under some situations, the Spring Framework is vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the...
DoS Attack with XML Input
XML external entities were previously disabled with the publication of http://pivotal.io/security/cve-2013-6429. If DTD is not entirely disabled, inline DTD declarations can be used to perform Denial of Service attacks known as XML bombs. Such declarations are both well-formed and valid accordin...
Insufficiently random session id in Java SockJS client
Session id generation in the Java SockJS client is not sufficiently secure and could allow a user to send messages to another user’s session. Note that this only affects users of the Java SockJS client, which generates its own session id. It does not affect browser clients even if they’re...
Directory Traversal in Spring Framework
Some URLs were not sanitized correctly before use, allowing an attacker to obtain any file on the file system that was also accessible to the process in which the Spring web application was running...
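For both traversal entries above (the ResourceServlet one and this one), the defence is the same: resolve the caller-supplied path against the directory you intend to serve from, canonicalise the result, and refuse it unless it is still inside that directory. The following is an added example, not Spring's code; the base directory and sample files are constructed for the demonstration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public final class SafeResourceResolver {

    private final Path baseDir;

    public SafeResourceResolver(Path baseDir) throws IOException {
        // Canonical form: absolute, symlinks resolved, so later startsWith() checks are meaningful.
        this.baseDir = baseDir.toRealPath();
    }

    /**
     * Resolves a caller-supplied path against baseDir and returns it only if the canonical
     * result still lies inside baseDir. The caller must have URL-decoded the input first
     * (and only once), otherwise "%2e%2e%2f" slips past the lexical check.
     */
    public Path resolve(String requested) throws IOException {
        if (requested == null || requested.isEmpty() || requested.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("empty or malformed path");
        }
        // Path.resolve() returns an absolute argument unchanged, so "/etc/passwd" is caught
        // by the containment check just like "../../etc/passwd".
        Path candidate = baseDir.resolve(requested).normalize();
        if (!candidate.startsWith(baseDir)) {          // component-wise, so /srv/www2 != /srv/www
            throw new SecurityException("path escapes base directory: " + requested);
        }
        // Lexical normalisation says nothing about symlinks; re-check the real path of
        // anything that exists so a link inside baseDir cannot point outside it.
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(baseDir)) {
            throw new SecurityException("symlink escapes base directory: " + requested);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("static");           // constructed sample tree
        Files.createDirectories(base.resolve("css"));
        Files.writeString(base.resolve("index.html"), "<html></html>");

        SafeResourceResolver resolver = new SafeResourceResolver(base);
        System.out.println("ok: " + resolver.resolve("index.html"));
        System.out.println("ok: " + resolver.resolve("css/../index.html"));

        String[] attacks = { "../../etc/passwd", "/etc/passwd", "css/../../..", "..\\..\\win.ini" };
        for (String a : attacks) {
            try {
                resolver.resolve(a);
                System.out.println("passed (platform separator): " + a);
            } catch (SecurityException e) {
                System.out.println("rejected: " + a);
            }
        }
    }
}
```

The backslash case is listed deliberately: on POSIX it is an ordinary file-name character and is not rejected, which is correct for that platform, while on Windows it is a separator and the check catches it. Code that runs on both should normalise separators before calling `resolve`.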
Access Control Bypass in Spring Security
When using Spring Security's CAS Proxy ticket authentication a malicious CAS Service could trick another CAS Service into authenticating a proxy ticket that was not associated. This is due to the fact that the proxy ticket authentication uses the information from the HttpServletRequest which is...
XML External Entity (XXE) injection when using Spring MVC
When processing user provided XML documents, the Spring Framework did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack...
Incomplete fix for CVE-2013-7315 / CVE-2013-6429 (XXE)
Spring MVC's Jaxb2RootElementHttpMessageConverter also processed user provided XML and neither disabled XML external entities nor provided an option to disable them. Jaxb2RootElementHttpMessageConverter has been modified to provide an option to control the processing of XML external entities and...
Blank password may bypass user authentication
The ActiveDirectoryLdapAuthenticator does not check the password length. If the directory allows anonymous binds then it may incorrectly authenticate a user who supplies an empty password...
XSS when using Spring MVC
When a programmer does not specify the action on the Spring form, Spring automatically populates the action field with the requested URI. An attacker can use this to inject malicious content into the form...
Possible XSS when using Spring MVC
The JavaScriptUtils.javaScriptEscape method did not escape all characters that are sensitive within either a JS single quoted string, JS double quoted string, or HTML script data context. In most cases this will result in an unexploitable parse error but in some cases it could result in an XSS...
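An added example of what a complete escaper for that context has to cover; it is written here for illustration and is not Spring's `JavaScriptUtils` implementation. A value placed inside a JS string literal that itself sits in an HTML `<script>` block can be broken out of in three ways: by ending the quoted literal, by ending the script element (`</script>` is recognised by the HTML parser before JavaScript runs), or by a JavaScript line terminator, which includes U+2028 and U+2029 as well as CR and LF. The sample inputs are constructed.

```java
public final class JsStringEscaper {

    /**
     * Escapes a value for embedding inside a single- or double-quoted JavaScript string literal
     * that may be inlined in an HTML script element. Quote characters, the backslash, the
     * characters that can close the script element, and every JS line terminator are replaced.
     */
    public static String escape(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '"':      out.append("\\\"");   break;
                case '\'':     out.append("\\'");    break;
                case '\\':     out.append("\\\\");   break;
                case '/':      out.append("\\/");    break;  // "<\/script>" no longer closes the element
                case '<':      out.append("\\u003C"); break; // also neutralises "<!--"
                case '>':      out.append("\\u003E"); break; // and "-->"
                case '\n':     out.append("\\n");    break;
                case '\r':     out.append("\\r");    break;
                case '\t':     out.append("\\t");    break;
                case '\b':     out.append("\\b");    break;
                case '\f':     out.append("\\f");    break;
                case '\u000B': out.append("\\v");    break;  // vertical tab
                case '\u2028': out.append("\\u2028"); break; // JS line separator
                case '\u2029': out.append("\\u2029"); break; // JS paragraph separator
                default:
                    if (c < 0x20) {
                        out.append(String.format("\\u%04X", (int) c)); // remaining C0 controls
                    } else {
                        out.append(c);
                    }
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs, one per breakout technique.
        String[] samples = {
            "'; alert(1); //",                        // closes a single-quoted literal
            "\"; alert(1); //",                       // closes a double-quoted literal
            "</script><script>alert(1)</script>",     // closes the script element
            "x\u2028alert(1)"                         // line terminator that HTML escaping ignores
        };
        for (String s : samples) {
            System.out.println("var v = '" + escape(s) + "';");
        }
    }
}
```

Note that HTML-escaping alone does not help here: `&lt;` inside a script element is not decoded by the HTML parser, and U+2028 is not an HTML-significant character at all. The escaper must be the one for the innermost context, and since this value ends up inside a JS literal, it must be a JS-string escaper.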
Fix for XML External Entity (XXE) Injection (CVE-2013-7315) in Spring Framework was Incomplete
Spring MVC's SourceHttpMessageConverter also processed user provided XML and neither disabled XML external entities nor provided an option to disable them. SourceHttpMessageConverter has been modified to provide an option to control the processing of XML external entities and that processing is n...
XML External Entity (XXE) injection in Spring Framework
It was identified that Spring MVC processed user provided XML with JAXB in combination with a StAX XMLInputFactory without disabling external entity resolution. External entity resolution has been disabled in this case. It was subsequently discovered that this fix was incomplete CVE-2013-6429,...
XML eXternal Entity (XXE) injection in Spring Framework
The Spring OXM wrapper did not expose any property for disabling entity resolution when using the JAXB unmarshaller. There are four possible source implementations passed to the unmarshaller: DOMSource, StAXSource, SAXSource and StreamSource. For a DOMSource, the XML has already been parsed by us...
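The XXE and XML-bomb entries above (the DoS-with-XML-input entry, the Spring MVC XXE entry, the two incomplete-fix entries for `Jaxb2RootElementHttpMessageConverter` and `SourceHttpMessageConverter`, the StAX/JAXB entry and this OXM entry) all come down to two parser settings. The following added example, not Spring's code, shows a StAX `XMLInputFactory` and a DOM `DocumentBuilderFactory` configured the way a hardened unmarshalling path needs them, run against a constructed external-entity document and a constructed entity-expansion document. The `processExternalEntities` / `supportDtd` names mentioned in the note afterwards are the converter options as known from later Spring releases, stated here as an assumption.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public final class HardenedXmlParsing {

    // Constructed sample payloads for the demonstration; not taken from any advisory.
    static final String XXE =
          "<?xml version=\"1.0\"?>"
        + "<!DOCTYPE d [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>"
        + "<d>&xxe;</d>";

    static final String BOMB =
          "<?xml version=\"1.0\"?>"
        + "<!DOCTYPE d [<!ENTITY a \"aaaaaaaaaa\">"
        + "<!ENTITY b \"&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;\">"
        + "<!ENTITY c \"&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;\">]>"   // three levels show the shape; real ones go deeper
        + "<d>&c;</d>";

    /** StAX factory with inline DTDs (the XML-bomb vector) and external entities (XXE) both off. */
    static XMLInputFactory hardenedStax() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    /** DOM factory for the DOMSource case: refuse any DOCTYPE outright, disable external entities. */
    static DocumentBuilderFactory hardenedDom() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Collects the character data of a document; throws if the parser refuses it. */
    static String textContent(XMLInputFactory f, String xml) throws XMLStreamException {
        XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
        StringBuilder sb = new StringBuilder();
        try {
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.CHARACTERS) {
                    sb.append(r.getText());
                }
            }
        } finally {
            r.close();
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        XMLInputFactory stax = hardenedStax();
        for (String doc : new String[] { XXE, BOMB }) {
            try {
                System.out.println("parsed: " + textContent(stax, doc));
            } catch (XMLStreamException e) {
                // With DTD support off the internal subset is not processed, so the entity
                // reference cannot be resolved: no file is read and nothing is expanded.
                System.out.println("refused: " + e.getMessage());
            }
        }

        try {
            hardenedDom().newDocumentBuilder().parse(new InputSource(new StringReader(XXE)));
        } catch (SAXException e) {
            // disallow-doctype-decl rejects the document at the DOCTYPE, before any entity exists.
            System.out.println("DOM refused: " + e.getMessage());
        }
    }
}
```

Two points the advisories make implicitly. First, a `DOMSource` has already been parsed by the time the unmarshaller sees it, so the DOM factory is where that path must be hardened; disabling entities on the JAXB unmarshaller is too late. Second, turning off external entities is not enough on its own: the entity-expansion document above contains no external reference and is valid XML, so the DTD itself has to be off (or entity expansion limited) to close the denial-of-service case. In Spring MVC the converters expose these as options (assumed names `processExternalEntities` and `supportDtd`, both defaulting to false in current releases); the factory settings shown are what those options map to underneath.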