Security Advisories

CVE-2018-1261: Unsafe Unzip with spring-integration-zip

CRITICAL | MAY 09, 2018 | CVE-2018-1261

Description Affected Spring Products and Versions Mitigation Credit This issue was identified and responsibly reported by the Snyk Security Research Team. History 2018-05-09: Initial vulnerability report published

CVE-2018-1256: Issuer validation regression in Spring Cloud SSO Connector

HIGH | APRIL 30, 2018 | CVE-2018-1256

Description Affected Spring Products and Versions Mitigation Credit This vulnerability was responsibly reported by the Pivotal SSO Service team. History 2018-04-30: Initial vulnerability report published

CVE-2018-1273: RCE with Spring Data Commons

CRITICAL | APRIL 10, 2018 | CVE-2018-1273

Description Affected Spring Products and Versions Mitigation Credit This issue was identified and responsibly reported by Philippe Arteau, GoSecure Inc. References https://jira.cupchino.shop/browse/DATACMNS-1282 https://github.com/spring-projects/spring-data…

CVE-2018-1274: Denial of Service with Spring Data

CRITICAL | APRIL 10, 2018 | CVE-2018-1274

Description Affected Spring Products and Versions Mitigation Credit This issue was identified and responsibly reported by Yevhenii Hrushka (Yevgeniy Grushka), Fortify Webinspect. References https://jira.cupchino.shop/browse/DATACMNS-1285 https://github.com/spring…

CVE-2018-1275: Address partial fix for CVE-2018-1270

CRITICAL | APRIL 09, 2018 | CVE-2018-1275

Description Affected Spring Products and Versions Mitigation Credit This original issue CVE-2018-1270 was identified and responsibly reported by Alvaro Muñoz (@pwntester), Micro Focus Fortify. The subsequent CVE-2018-1275 partial fix was identified and…

CVE-2018-1270: Remote Code Execution with spring-messaging

CRITICAL | APRIL 05, 2018 | CVE-2018-1270

Description Affected Spring Products and Versions Mitigation Credit This issue was identified and responsibly reported by Alvaro Muñoz (@pwntester), Micro Focus Fortify. References Example

CVE-2018-1272: Multipart Content Pollution with Spring Framework

LOW | APRIL 05, 2018 | CVE-2018-1272

Description Affected Spring Products and Versions Mitigation Credit This issue was identified and responsibly reported by Philippe Arteau from GoSecure. History 2018-04-05: Initial vulnerability report published

CVE-2018-1229: Stored XSS in file upload of Spring Batch Admin

LOW | MARCH 16, 2018 | CVE-2018-1229

Description Affected Spring Products and Versions Mitigation Credit This vulnerability was responsibly reported by Wen Bin Kong. References https://docs.cupchino.shop/spring-batch-admin https://github.com/spring-projects/spring-batch-admin/blob/master/MIGRATION.md…

CVE-2018-1230: Spring Batch Admin vulnerable to Cross Site Request Forgery

MEDIUM | MARCH 16, 2018 | CVE-2018-1230

Description Affected Spring Products and Versions Mitigation Credit This vulnerability was responsibly reported by Wen Bin Kong. References https://docs.cupchino.shop/spring-batch-admin https://github.com/spring-projects/spring-batch-admin/blob/master/MIGRATION.md…

Spring Security Advisories

CVE-2018-1261: Unsafe Unzip with spring-integration-zip

CVE-2018-1256: Issuer validation regression in Spring Cloud SSO Connector

CVE-2018-1273: RCE with Spring Data Commons

CVE-2018-1274: Denial of Service with Spring Data

CVE-2018-1275: Address partial fix for CVE-2018-1270

CVE-2018-1270: Remote Code Execution with spring-messaging

CVE-2018-1272: Multipart Content Pollution with Spring Framework

CVE-2018-1229: Stored XSS in file upload of Spring Batch Admin

CVE-2018-1230: Spring Batch Admin vulnerable to Cross Site Request Forgery

Reporting a vulnerability

Get ahead

Get support

Upcoming events