VYPR

Maven package

org.springframework/spring-context

pkg:maven/org.springframework/spring-context

Vulnerabilities (3)

  • CVE-2025-22233LowMay 16, 2025
    affected >= 6.2.0, < 6.2.7fixed 6.2.7

    CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names. However, there are still cases where it is possible to bypass the disallowedFields checks. Affected Spring Products and Versions Sp

  • CVE-2024-38820Oct 18, 2024
    affected >= 6.1.0, < 6.1.14fixed 6.1.14

    The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.

  • CVE-2022-22968Apr 14, 2022
    affected >= 5.3.0, < 5.3.19fixed 5.3.19

    In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first char