Maven package
org.springframework/spring-core
pkg:maven/org.springframework/spring-core
Vulnerabilities (18)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-41249 | Hig | 7.5 | >= 5.3.0, <= 5.3.44 | — | Sep 16, 2025 | The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions. Your application m | |
| CVE-2024-22233 | — | >= 6.1.2, < 6.1.3 | 6.1.3 | Jan 22, 2024 | In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: * the application uses Sprin | ||
| CVE-2021-22060 | — | >= 5.3.0, < 5.3.14 | 5.3.14 | Jan 7, 2022 | In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. This is a follow-up to CVE-2021-22096 that protects against additional types of inpu | ||
| CVE-2021-22096 | — | >= 5.3.0, < 5.3.11 | 5.3.11 | Oct 28, 2021 | In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. | ||
| CVE-2018-15756 | — | >= 5.1.0.RELEASE, < 5.1.1.RELEASE | 5.1.1.RELEASE | Oct 18, 2018 | Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an an | ||
| CVE-2018-11040 | — | >= 5.0.0.RELEASE, < 5.0.7.RELEASE | 5.0.7.RELEASE | Jun 25, 2018 | Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView | ||
| CVE-2018-1258 | — | >= 5.0.5.RELEASE, < 5.0.6.RELEASE | 5.0.6.RELEASE | May 11, 2018 | Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted. | ||
| CVE-2018-1257 | — | >= 5.0.0, < 5.0.6 | 5.0.6 | May 11, 2018 | Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) c | ||
| CVE-2018-1272 | — | < 4.3.15 | 4.3.15 | Apr 6, 2018 | Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses th | ||
| CVE-2018-1271 | — | >= 5.0.0, < 5.0.5 | 5.0.5 | Apr 6, 2018 | Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed t | ||
| CVE-2018-1199 | — | >= 4.3.0, < 4.3.14 | 4.3.14 | Mar 16, 2018 | Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with specia | ||
| CVE-2016-5007 | Hig | 7.5 | < 4.3.1 | 4.3.1 | May 25, 2017 | Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with reg | |
| CVE-2015-5211 | Cri | 9.6 | >= 4.2.0, < 4.2.2 | 4.2.2 | May 25, 2017 | Under some situations, the Spring Framework 4.2.0 to 4.2.1, 4.0.0 to 4.1.7, 3.2.0 to 3.2.14 and older unsupported versions is vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in th | |
| CVE-2015-0201 | — | >= 4.1.0, < 4.1.5 | 4.1.5 | Mar 10, 2015 | The Java SockJS client in Pivotal Spring Framework 4.1.x before 4.1.5 generates predictable session ids, which allows remote attackers to send messages to other sessions via unspecified vectors. | ||
| CVE-2014-3578 | — | >= 3.0.0, < 3.2.9 | 3.2.9 | Feb 19, 2015 | Directory traversal vulnerability in Pivotal Spring Framework 3.x before 3.2.9 and 4.0 before 4.0.5 allows remote attackers to read arbitrary files via a crafted URL. | ||
| CVE-2011-2730 | — | >= 3.0.0, < 3.0.6 | 3.0.6 | Dec 5, 2012 | VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) | ||
| CVE-2011-2894 | — | >= 3.0.0, < 3.0.6 | 3.0.6 | Oct 4, 2011 | Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by (1) seri | ||
| CVE-2009-1190 | — | >= 1.1.0, < 3.0.0.RELEASE | 3.0.0.RELEASE | Apr 27, 2009 | Algorithmic complexity vulnerability in the java.util.regex.Pattern.compile method in Sun Java Development Kit (JDK) before 1.6, when used with spring.jar in SpringSource Spring Framework 1.1.0 through 2.5.6 and 3.0.0.M1 through 3.0.0.M2 and dm Server 1.0.0 through 1.0.2, allows |
- affected >= 5.3.0, <= 5.3.44
The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions. Your application m
- CVE-2024-22233Jan 22, 2024affected >= 6.1.2, < 6.1.3fixed 6.1.3
In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: * the application uses Sprin
- CVE-2021-22060Jan 7, 2022affected >= 5.3.0, < 5.3.14fixed 5.3.14
In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. This is a follow-up to CVE-2021-22096 that protects against additional types of inpu
- CVE-2021-22096Oct 28, 2021affected >= 5.3.0, < 5.3.11fixed 5.3.11
In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.
- CVE-2018-15756Oct 18, 2018affected >= 5.1.0.RELEASE, < 5.1.1.RELEASEfixed 5.1.1.RELEASE
Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an an
- CVE-2018-11040Jun 25, 2018affected >= 5.0.0.RELEASE, < 5.0.7.RELEASEfixed 5.0.7.RELEASE
Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView
- CVE-2018-1258May 11, 2018affected >= 5.0.5.RELEASE, < 5.0.6.RELEASEfixed 5.0.6.RELEASE
Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.
- CVE-2018-1257May 11, 2018affected >= 5.0.0, < 5.0.6fixed 5.0.6
Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) c
- CVE-2018-1272Apr 6, 2018affected < 4.3.15fixed 4.3.15
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses th
- CVE-2018-1271Apr 6, 2018affected >= 5.0.0, < 5.0.5fixed 5.0.5
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed t
- CVE-2018-1199Mar 16, 2018affected >= 4.3.0, < 4.3.14fixed 4.3.14
Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with specia
- affected < 4.3.1fixed 4.3.1
Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with reg
- affected >= 4.2.0, < 4.2.2fixed 4.2.2
Under some situations, the Spring Framework 4.2.0 to 4.2.1, 4.0.0 to 4.1.7, 3.2.0 to 3.2.14 and older unsupported versions is vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in th
- CVE-2015-0201Mar 10, 2015affected >= 4.1.0, < 4.1.5fixed 4.1.5
The Java SockJS client in Pivotal Spring Framework 4.1.x before 4.1.5 generates predictable session ids, which allows remote attackers to send messages to other sessions via unspecified vectors.
- CVE-2014-3578Feb 19, 2015affected >= 3.0.0, < 3.2.9fixed 3.2.9
Directory traversal vulnerability in Pivotal Spring Framework 3.x before 3.2.9 and 4.0 before 4.0.5 allows remote attackers to read arbitrary files via a crafted URL.
- CVE-2011-2730Dec 5, 2012affected >= 3.0.0, < 3.0.6fixed 3.0.6
VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a)
- CVE-2011-2894Oct 4, 2011affected >= 3.0.0, < 3.0.6fixed 3.0.6
Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by (1) seri
- CVE-2009-1190Apr 27, 2009affected >= 1.1.0, < 3.0.0.RELEASEfixed 3.0.0.RELEASE
Algorithmic complexity vulnerability in the java.util.regex.Pattern.compile method in Sun Java Development Kit (JDK) before 1.6, when used with spring.jar in SpringSource Spring Framework 1.1.0 through 2.5.6 and 3.0.0.M1 through 3.0.0.M2 and dm Server 1.0.0 through 1.0.2, allows