MEDIUM | MAY 07, 2020 | CVE-2020-5407
Description Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 contain a signature wrapping vulnerability during SAML response validation. When using the spring-security-saml2-service-provider component, a malicious user can carefully…
MEDIUM | MAY 07, 2020 | CVE-2020-5408
Description Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor…
MEDIUM | FEBRUARY 27, 2020 | CVE-2020-5403
Description Reactor Netty HttpServer, versions 0.9.3 and 0.9.4, is exposed to a URISyntaxException that causes the connection to be closed prematurely instead of producing a 400 response. Affected Spring Products and Versions Mitigation Credit This issue was…
MEDIUM | FEBRUARY 27, 2020 | CVE-2020-5404
Description Reactor Netty HttpClient, versions 0.9.x prior to 0.9.5, and versions 0.8.x prior to 0.8.16, may be used incorrectly, leading to a credentials leak during a redirect to a different domain. In order for this to happen, the HttpClient must have been…
HIGH | FEBRUARY 26, 2020 | CVE-2020-5405
Description Spring Cloud Config, versions 2.2.x prior to 2.2.2, versions 2.1.x prior to 2.1.7, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker…
MEDIUM | JANUARY 16, 2020 | CVE-2020-5397
Description Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are…
HIGH | JANUARY 16, 2020 | CVE-2020-5398
Description Affected Spring Products and Versions Mitigation Credit This issue was identified and responsibly reported by Roman Shalymov from EPAM. References https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/reflected-file-download-a-new-web…
HIGH | OCTOBER 28, 2019 | CVE-2019-16869
Description Reactor Netty, versions 0.8.x prior to 0.8.13 and 0.9.x prior to 0.9.1, depends on vulnerable versions of netty (versions prior to 4.1.42), which incorrectly handles whitespace before a colon in headers, leading to HTTP request smuggling attacks…
MEDIUM | OCTOBER 11, 2019 | CVE-2019-11284
Description Pivotal Reactor Netty, versions prior to 0.8.11, passes headers through redirects, including authorization ones. A remote unauthenticated malicious user may gain access to credentials for a different server than they have access to. References…
LOW | JUNE 19, 2019 | CVE-2019-11272
Description Affected Spring Products and Versions Mitigation Credit This issue was identified and responsibly reported by Tim Büthe and Daniel Neagaru from mytaxi. History 2019-06-19: Initial vulnerability report published