Maven package
org.springframework/spring-web
pkg:maven/org.springframework/spring-web
Vulnerabilities (12)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-41234 | Med | 6.5 | >= 6.2.0, < 6.2.8 | 6.2.8 | Jun 12, 2025 | Description In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a “Content-Disposition” header with a non-ASCII charset, where the filename attribute is derived from user-s | |
| CVE-2024-38820 | — | >= 6.1.0, < 6.1.14 | 6.1.14 | Oct 18, 2024 | The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected. | ||
| CVE-2024-38809 | Med | 5.3 | < 5.3.38 | 5.3.38 | Sep 27, 2024 | Applications that parse ETags from "If-Match" or "If-None-Match" request headers are vulnerable to DoS attack. Users of affected versions should upgrade to the corresponding fixed version. Users of older, unsupported versions could enforce a size limit on "If-Match" and "If-Non | |
| CVE-2024-22262 | Hig | 8.1 | < 5.3.34 | 5.3.34 | Apr 16, 2024 | Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF a | |
| CVE-2024-22259 | — | >= 6.1.0, < 6.1.5 | 6.1.5 | Mar 16, 2024 | Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html a | ||
| CVE-2024-22243 | Hig | 8.1 | >= 6.1.0, < 6.1.4 | 6.1.4 | Feb 23, 2024 | Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF a | |
| CVE-2021-22118 | — | >= 5.2.0, < 5.2.15 | 5.2.15 | May 27, 2021 | In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been up | ||
| CVE-2013-6430 | — | < 3.2.2.RELEASE | 3.2.2.RELEASE | Jan 10, 2020 | The JavaScriptUtils.javaScriptEscape method in web/util/JavaScriptUtils.java in Spring MVC in Spring Framework before 3.2.2 does not properly escape certain characters, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a (1) line separator or (2) par | ||
| CVE-2016-1000027 | — | < 6.0.0 | 6.0.0 | Jan 2, 2020 | Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NO | ||
| CVE-2018-11039 | — | >= 5.0.0, < 5.0.7 | 5.0.7 | Jun 25, 2018 | Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a p | ||
| CVE-2015-3192 | Med | 5.5 | < 3.2.14 | 3.2.14 | Jul 12, 2016 | Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file. | |
| CVE-2013-6429 | — | < 3.2.5.RELEASE | 3.2.5.RELEASE | Jan 26, 2014 | The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, ak |
- affected >= 6.2.0, < 6.2.8fixed 6.2.8
Description In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a “Content-Disposition” header with a non-ASCII charset, where the filename attribute is derived from user-s
- CVE-2024-38820Oct 18, 2024affected >= 6.1.0, < 6.1.14fixed 6.1.14
The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.
- affected < 5.3.38fixed 5.3.38
Applications that parse ETags from "If-Match" or "If-None-Match" request headers are vulnerable to DoS attack. Users of affected versions should upgrade to the corresponding fixed version. Users of older, unsupported versions could enforce a size limit on "If-Match" and "If-Non
- affected < 5.3.34fixed 5.3.34
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF a
- CVE-2024-22259Mar 16, 2024affected >= 6.1.0, < 6.1.5fixed 6.1.5
Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html a
- affected >= 6.1.0, < 6.1.4fixed 6.1.4
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF a
- CVE-2021-22118May 27, 2021affected >= 5.2.0, < 5.2.15fixed 5.2.15
In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been up
- CVE-2013-6430Jan 10, 2020affected < 3.2.2.RELEASEfixed 3.2.2.RELEASE
The JavaScriptUtils.javaScriptEscape method in web/util/JavaScriptUtils.java in Spring MVC in Spring Framework before 3.2.2 does not properly escape certain characters, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a (1) line separator or (2) par
- CVE-2016-1000027Jan 2, 2020affected < 6.0.0fixed 6.0.0
Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NO
- CVE-2018-11039Jun 25, 2018affected >= 5.0.0, < 5.0.7fixed 5.0.7
Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a p
- affected < 3.2.14fixed 3.2.14
Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.
- CVE-2013-6429Jan 26, 2014affected < 3.2.5.RELEASEfixed 3.2.5.RELEASE
The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, ak