VYPR

Spring Web Services

by Spring Cloud

CVEs (6)

  • CVE-2026-40999  High  Jun 11, 2026
    risk 0.56 | cvss 8.6 | epss 0.00

    When WS-Addressing is used with non-anonymous ReplyTo or FaultTo addresses, Spring WS may initiate outbound connections through configured WebServiceMessageSender instances to destinations taken directly from request headers without verifying that those destinations are safe to…

  • CVE-2026-40994  High  Jun 11, 2026
    risk 0.53 | cvss 8.2 | epss 0.00

    Wss4jSecurityInterceptor initialized its BSP (WS-I Basic Security Profile) compliance flag so that inbound validation disabled WSS4J BSP enforcement on RequestData. Services that validate WS-Security on the network could therefore accept messages that violate BSP rules,…

  • CVE-2026-40995  Medium  Jun 11, 2026
    risk 0.35 | cvss 5.4 | epss 0.00

    X509AuthenticationProvider could issue a fully authenticated X509AuthenticationToken when a presented certificate mapped to UserDetails, without applying Spring Security's standard account lifecycle checks (disabled, locked, expired, or credentials-expired accounts). Affected…

  • CVE-2026-40996  Medium  Jun 11, 2026
    risk 0.31 | cvss 4.8 | epss 0.00

    Wss4jSecurityInterceptor defaulted allowRSA15KeyTransportAlgorithm to true, overriding Apache WSS4J's safer default for validation RequestData. Inbound WS-Security decryption could therefore accept RSA PKCS#1 v1.5 (rsa-1_5) encrypted key material unless operators explicitly…

  • CVE-2026-41000  Low  Jun 11, 2026
    risk 0.24 | cvss 3.7 | epss 0.00

    Wss4jSecurityInterceptor did not consistently wire Apache WSS4J ReplayCache instances into RequestData for validation-time checks. As a result, protections against replay of UsernameToken nonces and creation timestamps, Timestamp elements, and certain SAML one-time-use semantics…

  • CVE-2019-3773  Jan 18, 2019
    risk 0.00 | cvss (not listed) | epss 0.04

    Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.