HIGH | MARCH 20, 2023 | CVE-2023-20860
Description Using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass. Affected Spring Products and Versions Spring…
MEDIUM | MARCH 20, 2023 | CVE-2023-20861
Description In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition…
MEDIUM | NOVEMBER 03, 2022 | CVE-2022-31691
Description Spring Tools 4 for Eclipse version 4.16.0 and below as well as VSCode extensions such as Spring Boot Tools, Concourse CI Pipeline Editor, Bosh Editor and Cloudfoundry Manifest YML Support version 1.39.0 and below all use Snakeyaml library for YAML…
HIGH | OCTOBER 31, 2022 | CVE-2022-31692
Description Spring Security, versions 5.7 prior to 5.7.5 and 5.6 prior to 5.6.9 could be susceptible to authorization rules bypass via forward or include dispatcher types.Specifically, an application is vulnerable when all of the following are true:The…
HIGH | OCTOBER 31, 2022 | CVE-2022-31690
Description Spring Security, versions 5.7 prior to 5.7.5, and 5.6 prior to 5.6.9, and older unsupported versions could be susceptible to a privilege escalation under certain conditions. A malicious user or attacker can modify a request initiated by the Client…
LOW | OCTOBER 19, 2022 | CVE-2022-31684
Description Reactor Netty HTTP Server, in versions 1.0.11 - 1.0.23, may log request headers in some cases of invalid HTTP requests. The logged headers may reveal valid access tokens to those with access to server logs. This may affect only invalid HTTP…
MEDIUM | SEPTEMBER 19, 2022 | CVE-2022-31679
Description Applications that allow HTTP PATCH access to resources exposed by Spring Data REST in versions 3.6.0 - 3.6.5, 3.7.0 - 3.7.2, and older unsupported versions, if an attacker knows about the structure of the underlying domain model, they can craft…
HIGH | JUNE 20, 2022 | CVE-2022-22980
Description A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized.Specifically…
HIGH | JUNE 15, 2022 | CVE-2022-22979
Description In Spring Cloud Function versions 3.2.5 and older unsupported versions, it is possible for a user who directly interacts with framework provided lookup functionality to cause denial of service condition due to the caching issue in Function Catalog…
MEDIUM | MAY 17, 2022 | CVE-2022-22976
Description Affected Spring Products and Versions Mitigation Credit This issue was identified and responsibly reported by Eyal Kaspi. References https://docs.cupchino.shop/spring-security/site/docs/current/reference/html5/#authentication-password-storage https…
