5 matches found
CVE-2010-1622
CVE-2010-1622 affects Spring Framework 2.5.x up to 2.5.6.SEC02 and 2.5.7 up to 2.5.7.SR01, and 3.0.x up to 3.0.3. The issue arises from binding request data to Java beans, which allows an attacker to overwrite nested properties of the ClassLoader (notably via class.classLoader.URLs[0]), enabling ...
CVE-2013-4152
CVE-2013-4152 affects Spring Framework: the SourceHttpMessageConverter in Spring MVC with JAXB marshaller does not disable external entity resolution, enabling XXE to read files, cause DoS, and CSRF via XXE in DOMSource/StAXSource/SAXSource/StreamSource. Affected: Spring Framework pre-3.2.4 and 4...
CVE-2011-2730
CVE-2011-2730 concerns VMware SpringSource Spring Framework (versions 2.5.6.SEC03, 2.5.7.SR023, and 3.x prior to 3.0.6) where EL-enabled containers evaluate EL expressions in several Spring tags twice, enabling an attacker to obtain sensitive information from attributes such as name, path, argume...
CVE-2014-0054
CVE-2014-0054 is a XXE in Spring Framework’s Jaxb2RootElementHttpMessageConverter used by Spring MVC. Affected: Spring Framework before 3.2.8 and before 4.0.2 (specifically 4.0.0–4.0.2). Root cause: external entity resolution not disabled, allowing remote attackers to read arbitrary files, cause ...
CVE-2013-7315
CVE-2013-7315 affects Spring Framework’s Spring MVC: the SourceHttpMessageConverter (and related XML processing) fails to disable external entity resolution in the StAX XMLInputFactory for certain versions (Spring Framework before 3.2.4 and 4.0.0.M1–4.0.0.M2). This XXE condition allows context-de...