### Vulnerable Library - spring-web-3.1.1.RELEASE.jar

Spring Framework Parent

Path to dependency file: /ksa-web-root/ksa-security-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar

Found in HEAD commit: b4849d22848515902fbd02cf19d698089bd7f3a4

## Vulnerabilities

**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.**

## Details
### CVE-2020-5421

### Vulnerable Library - spring-web-3.1.1.RELEASE.jar

Spring Framework Parent
Path to dependency file: /ksa-web-root/ksa-security-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar
Dependency Hierarchy:
- :x: **spring-web-3.1.1.RELEASE.jar** (Vulnerable Library)
Found in HEAD commit: b4849d22848515902fbd02cf19d698089bd7f3a4
Found in base branch: master
### Reachability Analysis

This vulnerability is potentially reachable:

```
com.ksa.context.web.SpringServiceContextListener (Application)
  -> org.springframework.web.context.ContextLoader (Extension)
  -> org.springframework.web.context.support.WebApplicationContextUtils (Extension)
  -> org.springframework.web.context.support.WebApplicationContextUtils$WebRequestObjectFactory (Extension)
  -> org.springframework.web.context.request.ServletWebRequest (Extension)
  -> ❌ org.springframework.web.util.WebUtils (Vulnerable Component)
```

### Vulnerability Details

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed, depending on the browser used, through the use of a jsessionid path parameter.
Publish Date: 2020-09-19
URL: CVE-2020-5421
### CVSS 3 Score Details (6.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: Low
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: High
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2020-5421
Release Date: 2020-09-19
Fix Resolution: 4.3.29.RELEASE
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
### CVE-2014-0225

### Vulnerable Library - spring-web-3.1.1.RELEASE.jar

Spring Framework Parent
Path to dependency file: /ksa-web-root/ksa-security-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar
Dependency Hierarchy:
- :x: **spring-web-3.1.1.RELEASE.jar** (Vulnerable Library)
Found in HEAD commit: b4849d22848515902fbd02cf19d698089bd7f3a4
Found in base branch: master
### Reachability Analysis

The vulnerable code is unreachable.

### Vulnerability Details

When processing user-provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack.
Publish Date: 2017-05-25
URL: CVE-2014-0225
### CVSS 3 Score Details (8.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0225
Release Date: 2017-05-25
Fix Resolution: org.springframework:spring-web:4.0.5.RELEASE,3.2.9.RELEASE,org.springframework:spring-oxm:4.0.5.RELEASE,3.2.9.RELEASE
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
### CVE-2018-1272

### Vulnerable Library - spring-web-3.1.1.RELEASE.jar

Spring Framework Parent
Path to dependency file: /ksa-web-root/ksa-security-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar
Dependency Hierarchy:
- :x: **spring-web-3.1.1.RELEASE.jar** (Vulnerable Library)
Found in HEAD commit: b4849d22848515902fbd02cf19d698089bd7f3a4
Found in base branch: master
### Reachability Analysis

The vulnerable code is unreachable.

### Vulnerability Details

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.
Publish Date: 2018-04-05
URL: CVE-2018-1272
### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2018-1272
Release Date: 2018-04-05
Fix Resolution: org.springframework:spring-core:4.3.15.RELEASE,5.0.5.RELEASE;org.springframework:spring-web:4.3.15.RELEASE,5.0.5.RELEASE
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
### CVE-2015-3192

### Vulnerable Library - spring-web-3.1.1.RELEASE.jar

Spring Framework Parent
Path to dependency file: /ksa-web-root/ksa-security-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar
Dependency Hierarchy:
- :x: **spring-web-3.1.1.RELEASE.jar** (Vulnerable Library)
Found in HEAD commit: b4849d22848515902fbd02cf19d698089bd7f3a4
Found in base branch: master
### Reachability Analysis

The vulnerable code is unreachable.

### Vulnerability Details

Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.
Publish Date: 2016-07-12
URL: CVE-2015-3192
### CVSS 3 Score Details (5.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3192
Release Date: 2016-07-12
Fix Resolution: 3.2.14.RELEASE
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
### CVE-2013-6430

### Vulnerable Library - spring-web-3.1.1.RELEASE.jar

Spring Framework Parent
Path to dependency file: /ksa-web-root/ksa-security-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar
Dependency Hierarchy:
- :x: **spring-web-3.1.1.RELEASE.jar** (Vulnerable Library)
Found in HEAD commit: b4849d22848515902fbd02cf19d698089bd7f3a4
Found in base branch: master
### Reachability Analysis

The vulnerable code is unreachable.

### Vulnerability Details

The JavaScriptUtils.javaScriptEscape method in web/util/JavaScriptUtils.java in Spring MVC in Spring Framework before 3.2.2 does not properly escape certain characters, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a (1) line separator or (2) paragraph separator Unicode character, or a (3) left or (4) right angle bracket.
Publish Date: 2020-01-10
URL: CVE-2013-6430
### CVSS 3 Score Details (5.4)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6430
Release Date: 2020-01-10
Fix Resolution: 3.1.5,3.2.2
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
### CVE-2014-0054

### Vulnerable Library - spring-web-3.1.1.RELEASE.jar

Spring Framework Parent
Path to dependency file: /ksa-web-root/ksa-security-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar
Dependency Hierarchy:
- :x: **spring-web-3.1.1.RELEASE.jar** (Vulnerable Library)
Found in HEAD commit: b4849d22848515902fbd02cf19d698089bd7f3a4
Found in base branch: master
### Reachability Analysis

The vulnerable code is unreachable.

### Vulnerability Details

The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
Publish Date: 2014-04-17
URL: CVE-2014-0054
### CVSS 3 Score Details (5.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0054
Release Date: 2014-04-17
Fix Resolution: org.springframework:spring-web:3.2.8.RELEASE,4.0.2.RELEASE,org.springframework:spring-oxm:4.0.2.RELEASE,3.2.8.RELEASE
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
### CVE-2013-7315

### Vulnerable Library - spring-web-3.1.1.RELEASE.jar

Spring Framework Parent
Path to dependency file: /ksa-web-root/ksa-security-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar
Dependency Hierarchy:
- :x: **spring-web-3.1.1.RELEASE.jar** (Vulnerable Library)
Found in HEAD commit: b4849d22848515902fbd02cf19d698089bd7f3a4
Found in base branch: master
### Reachability Analysis

The vulnerable code is unreachable.

### Vulnerability Details

The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.
Publish Date: 2014-01-23
URL: CVE-2013-7315
### CVSS 3 Score Details (5.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-7315
Release Date: 2014-01-23
Fix Resolution: org.springframework:spring-web:3.2.4.RELEASE,org.springframework:spring-web:4.0.0.M3
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
### CVE-2013-6429

### Vulnerable Library - spring-web-3.1.1.RELEASE.jar

Spring Framework Parent
Path to dependency file: /ksa-web-root/ksa-security-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar
Dependency Hierarchy:
- :x: **spring-web-3.1.1.RELEASE.jar** (Vulnerable Library)
Found in HEAD commit: b4849d22848515902fbd02cf19d698089bd7f3a4
Found in base branch: master
### Reachability Analysis

The vulnerable code is unreachable.

### Vulnerability Details

The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.
Publish Date: 2014-01-26
URL: CVE-2013-6429
### CVSS 3 Score Details (5.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-6429
Release Date: 2014-01-26
Fix Resolution: 3.2.5
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
### CVE-2021-22096

### Vulnerable Library - spring-web-3.1.1.RELEASE.jar

Spring Framework Parent
Path to dependency file: /ksa-web-root/ksa-security-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar
Dependency Hierarchy:
- :x: **spring-web-3.1.1.RELEASE.jar** (Vulnerable Library)
Found in HEAD commit: b4849d22848515902fbd02cf19d698089bd7f3a4
Found in base branch: master
### Reachability Analysis

The vulnerable code is unreachable.

### Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.
Publish Date: 2021-10-28
URL: CVE-2021-22096
### CVSS 3 Score Details (4.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2021-22096
Release Date: 2021-10-28
Fix Resolution: 5.2.18.RELEASE
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.