VYPR

Spring Framework

by Gopivotal

CVEs (5)

  • CVE-2014-0054 (Apr 17, 2014)
    risk 0.00 | cvss | epss 0.91

    The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML,…

  • CVE-2013-7315 (Jan 23, 2014)
    risk 0.00 | cvss | epss 0.03

    The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via…

  • CVE-2013-4152 (Jan 23, 2014)
    risk 0.00 | cvss | epss 0.26

    The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external…

  • CVE-2011-2730 (Dec 5, 2012)
    risk 0.00 | cvss | epss 0.12

    VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a)…

  • CVE-2010-1622 (Jun 21, 2010)
    risk 0.00 | cvss | epss 0.52

    SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file.