Security Advisories

CVE-2018-15756: DoS Attack via Range Requests

LOW | OCTOBER 16, 2018 | CVE-2018-15756

Description Affected Spring Products and Versions Mitigation Credit This issue was identified and responsibly reported by Nicholas Starke from Aruba Threat Labs. History 2018-10-16: Initial vulnerability report published.

CVE-2018-15758: Privilege Escalation in spring-security-oauth2

CRITICAL | OCTOBER 16, 2018 | CVE-2018-15758

Description Affected Spring Products and Versions Mitigation Credit This issue was identified and responsibly reported by Alvaro Muñoz (@pwntester) from Micro Focus. References Spring Security OAuth Read more

CVE-2018-11087: RabbitMQ (Spring-AMQP) Host name verification

CRITICAL | SEPTEMBER 11, 2018 | CVE-2018-11087

Description Affected Spring Products and Versions Mitigation Credit This issue was identified and responsibly reported by Peter Stöckli of Alphabot Security, Switzerland. History 2018-09-11: Initial vulnerability report published.

CVE-2018-11040: JSONP enabled by default in MappingJackson2JsonView

MEDIUM | JUNE 14, 2018 | CVE-2018-11040

Description Affected Spring Products and Versions Mitigation Credit This issue was identified and reported by Meyyalagan Chandrasekaran. References “Deprecate JSONP support and update…

CVE-2018-11039: Cross Site Tracing (XST) with Spring Framework

MEDIUM | JUNE 14, 2018 | CVE-2018-11039

Description Affected Spring Products and Versions Mitigation Credit This issue was identified and reported by Mariusz Łuciów, Ocado Technology. History 2018-06-14: Initial vulnerability report published.

CVE-2018-1263: Unsafe Unzip with spring-integration-zip

CRITICAL | MAY 11, 2018 | CVE-2018-1263

Description Affected Spring Products and Versions Mitigation Credit This issue was identified and responsibly reported by the Snyk Security Research Team and Abago Forgans. History 2018-05-11: Initial vulnerability report published

CVE-2018-1257: ReDoS Attack with spring-messaging

HIGH | MAY 09, 2018 | CVE-2018-1257

Description Affected Spring Products and Versions Mitigation Credit This issue was identified and responsibly reported by Muneaki Nishimura (nishimunea) of Recruit Technologies Co., Ltd. References Example

CVE-2018-1260: Remote Code Execution with spring-security-oauth2

CRITICAL | MAY 09, 2018 | CVE-2018-1260

Description Affected Spring Products and Versions Mitigation Credit This issue was identified and responsibly reported by Philippe Arteau from GoSecure. References Spring Security OAuth