*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
Mend Note: Converted from WS-2022-0107, on 2022-11-07.
VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection."
SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file.
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
The JavaScriptUtils.javaScriptEscape method in web/util/JavaScriptUtils.java in Spring MVC in Spring Framework before 3.2.2 does not properly escape certain characters, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a (1) line separator or (2) paragraph separator Unicode character or (3) left or (4) right angle bracket.
Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed.
Directory traversal vulnerability in Pivotal Spring Framework 3.x before 3.2.9 and 4.0 before 4.0.5 allows remote attackers to read arbitrary files via a crafted URL.
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2021-22096
### Vulnerable Libraries - spring-web-2.5.6.SEC01.jar, spring-core-2.5.6.SEC01.jar
In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.
Spring Framework: Web
Library home page: http://www.springframework.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/2.5.6.SEC01/spring-web-2.5.6.SEC01.jar
Found in HEAD commit: ed6b351915ad26feb8d87ab03d3c5c4b27d706ca
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2022-22965
### Vulnerable Library - spring-beans-2.5.6.SEC01.jarSpring Framework: Beans
Library home page: http://www.springframework.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-beans/2.5.6.SEC01/spring-beans-2.5.6.SEC01.jar
Dependency Hierarchy: - spring-web-2.5.6.SEC01.jar (Root Library) - :x: **spring-beans-2.5.6.SEC01.jar** (Vulnerable Library)
Found in HEAD commit: ed6b351915ad26feb8d87ab03d3c5c4b27d706ca
Found in base branch: main
### Vulnerability DetailsA Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it. Mend Note: Converted from WS-2022-0107, on 2022-11-07.
Publish Date: 2022-04-01
URL: CVE-2022-22965
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
Release Date: 2022-04-01
Fix Resolution (org.springframework:spring-beans): 5.2.20.RELEASE
Direct dependency fix Resolution (org.springframework:spring-web): 3.0.6.RELEASE
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2011-2730
### Vulnerable Library - spring-web-2.5.6.SEC01.jarSpring Framework: Web
Library home page: http://www.springframework.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/2.5.6.SEC01/spring-web-2.5.6.SEC01.jar
Dependency Hierarchy: - :x: **spring-web-2.5.6.SEC01.jar** (Vulnerable Library)
Found in HEAD commit: ed6b351915ad26feb8d87ab03d3c5c4b27d706ca
Found in base branch: main
### Vulnerability DetailsVMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection."
Publish Date: 2012-12-05
URL: CVE-2011-2730
### CVSS 3 Score Details (7.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2011-2730
Release Date: 2012-12-05
Fix Resolution: 3.0.6
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2010-1622
### Vulnerable Library - spring-beans-2.5.6.SEC01.jarSpring Framework: Beans
Library home page: http://www.springframework.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-beans/2.5.6.SEC01/spring-beans-2.5.6.SEC01.jar
Dependency Hierarchy: - spring-web-2.5.6.SEC01.jar (Root Library) - :x: **spring-beans-2.5.6.SEC01.jar** (Vulnerable Library)
Found in HEAD commit: ed6b351915ad26feb8d87ab03d3c5c4b27d706ca
Found in base branch: main
### Vulnerability DetailsSpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file.
Publish Date: 2010-06-21
URL: CVE-2010-1622
### CVSS 3 Score Details (7.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1622
Release Date: 2010-06-21
Fix Resolution: 3.0.3.RELEASE,2.5.6.SEC02
CVE-2020-5421
### Vulnerable Library - spring-web-2.5.6.SEC01.jarSpring Framework: Web
Library home page: http://www.springframework.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/2.5.6.SEC01/spring-web-2.5.6.SEC01.jar
Dependency Hierarchy: - :x: **spring-web-2.5.6.SEC01.jar** (Vulnerable Library)
Found in HEAD commit: ed6b351915ad26feb8d87ab03d3c5c4b27d706ca
Found in base branch: main
### Vulnerability DetailsIn Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
Publish Date: 2020-09-17
URL: CVE-2020-5421
### CVSS 3 Score Details (6.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: Low - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2020-5421
Release Date: 2020-09-19
Fix Resolution: 4.3.29.RELEASE
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2013-6430
### Vulnerable Library - spring-web-2.5.6.SEC01.jarSpring Framework: Web
Library home page: http://www.springframework.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/2.5.6.SEC01/spring-web-2.5.6.SEC01.jar
Dependency Hierarchy: - :x: **spring-web-2.5.6.SEC01.jar** (Vulnerable Library)
Found in HEAD commit: ed6b351915ad26feb8d87ab03d3c5c4b27d706ca
Found in base branch: main
### Vulnerability DetailsThe JavaScriptUtils.javaScriptEscape method in web/util/JavaScriptUtils.java in Spring MVC in Spring Framework before 3.2.2 does not properly escape certain characters, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a (1) line separator or (2) paragraph separator Unicode character or (3) left or (4) right angle bracket.
Publish Date: 2020-01-10
URL: CVE-2013-6430
### CVSS 3 Score Details (5.4)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6430
Release Date: 2020-01-10
Fix Resolution: 3.1.5,3.2.2
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2018-1199
### Vulnerable Library - spring-core-2.5.6.SEC01.jarSpring Framework: Core
Library home page: http://www.springframework.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/2.5.6.SEC01/spring-core-2.5.6.SEC01.jar
Dependency Hierarchy: - spring-web-2.5.6.SEC01.jar (Root Library) - :x: **spring-core-2.5.6.SEC01.jar** (Vulnerable Library)
Found in HEAD commit: ed6b351915ad26feb8d87ab03d3c5c4b27d706ca
Found in base branch: main
### Vulnerability DetailsSpring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed.
Publish Date: 2018-01-29
URL: CVE-2018-1199
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1199
Release Date: 2018-01-29
Fix Resolution (org.springframework:spring-core): 4.3.14.RELEASE
Direct dependency fix Resolution (org.springframework:spring-web): 3.0.6.RELEASE
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2014-3578
### Vulnerable Library - spring-core-2.5.6.SEC01.jarSpring Framework: Core
Library home page: http://www.springframework.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/2.5.6.SEC01/spring-core-2.5.6.SEC01.jar
Dependency Hierarchy: - spring-web-2.5.6.SEC01.jar (Root Library) - :x: **spring-core-2.5.6.SEC01.jar** (Vulnerable Library)
Found in HEAD commit: ed6b351915ad26feb8d87ab03d3c5c4b27d706ca
Found in base branch: main
### Vulnerability DetailsDirectory traversal vulnerability in Pivotal Spring Framework 3.x before 3.2.9 and 4.0 before 4.0.5 allows remote attackers to read arbitrary files via a crafted URL.
Publish Date: 2015-02-19
URL: CVE-2014-3578
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-3578
Release Date: 2015-02-19
Fix Resolution: 3.2.9,4.0.5
CVE-2014-0054
### Vulnerable Library - spring-web-2.5.6.SEC01.jarSpring Framework: Web
Library home page: http://www.springframework.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/2.5.6.SEC01/spring-web-2.5.6.SEC01.jar
Dependency Hierarchy: - :x: **spring-web-2.5.6.SEC01.jar** (Vulnerable Library)
Found in HEAD commit: ed6b351915ad26feb8d87ab03d3c5c4b27d706ca
Found in base branch: main
### Vulnerability DetailsThe Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
Publish Date: 2014-04-17
URL: CVE-2014-0054
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0054
Release Date: 2014-04-17
Fix Resolution: org.springframework:spring-web:3.2.8.RELEASE,4.0.2.RELEASE,org.springframework:spring-oxm:4.0.2.RELEASE,3.2.8.RELEASE
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2013-6429
### Vulnerable Library - spring-web-2.5.6.SEC01.jarSpring Framework: Web
Library home page: http://www.springframework.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/2.5.6.SEC01/spring-web-2.5.6.SEC01.jar
Dependency Hierarchy: - :x: **spring-web-2.5.6.SEC01.jar** (Vulnerable Library)
Found in HEAD commit: ed6b351915ad26feb8d87ab03d3c5c4b27d706ca
Found in base branch: main
### Vulnerability DetailsThe SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.
Publish Date: 2014-01-26
URL: CVE-2013-6429
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-6429
Release Date: 2014-01-26
Fix Resolution: 3.2.5
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2021-22096
### Vulnerable Libraries - spring-web-2.5.6.SEC01.jar, spring-core-2.5.6.SEC01.jar### spring-web-2.5.6.SEC01.jar
Spring Framework: Web
Library home page: http://www.springframework.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/2.5.6.SEC01/spring-web-2.5.6.SEC01.jar
Dependency Hierarchy: - :x: **spring-web-2.5.6.SEC01.jar** (Vulnerable Library) ### spring-core-2.5.6.SEC01.jar
Spring Framework: Core
Library home page: http://www.springframework.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/2.5.6.SEC01/spring-core-2.5.6.SEC01.jar
Dependency Hierarchy: - spring-web-2.5.6.SEC01.jar (Root Library) - :x: **spring-core-2.5.6.SEC01.jar** (Vulnerable Library)
Found in HEAD commit: ed6b351915ad26feb8d87ab03d3c5c4b27d706ca
Found in base branch: main
### Vulnerability DetailsIn Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.
Publish Date: 2021-10-28
URL: CVE-2021-22096
### CVSS 3 Score Details (4.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2021-22096
Release Date: 2021-10-28
Fix Resolution (org.springframework:spring-core): 5.2.18.RELEASE
Direct dependency fix Resolution (org.springframework:spring-web): 3.0.6.RELEASE
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.