VYPR

Maven package

org.springframework/spring

pkg:maven/org.springframework/spring

Vulnerabilities (3)

  • CVE-2023-20860 (Mar 27, 2023)
    affected >= 6.0.0, < 6.0.7; fixed 6.0.7

    Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.

  • CVE-2021-22096 (Oct 28, 2021)
    affected >= 5.2.0, < 5.2.18; fixed 5.2.18

    In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.

  • CVE-2010-1622 (Jun 21, 2010)
    affected >= 2.5.0, < 2.5.7; fixed 2.5.7

    SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file.