LOW | JULY 23, 2020 | CVE-2020-5413
Description Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets…
LOW | JUNE 10, 2020 | CVE-2020-5411
Description Affected Spring Products and Versions Mitigation Users of an affected version should upgrade to 4.2.3 or later. Releases that have fixed this issue include: Spring Batch 4.2.3 Credit This issue was identified and responsibly reported by Srikanth…
HIGH | JUNE 01, 2020 | CVE-2020-5410
Description Spring Cloud Config, versions 2.2.x prior to 2.2.3, versions 2.1.x prior to 2.1.9, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker…
MEDIUM | MAY 07, 2020 | CVE-2020-5407
Description Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 contain a signature wrapping vulnerability during SAML response validation. When using the spring-security-saml2-service-provider component, a malicious user can carefully…
MEDIUM | MAY 07, 2020 | CVE-2020-5408
Description Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor…
MEDIUM | FEBRUARY 27, 2020 | CVE-2020-5403
Description Reactor Netty HttpServer, versions 0.9.3 and 0.9.4, is exposed to a URISyntaxException that causes the connection to be closed prematurely instead of producing a 400 response. Affected Spring Products and Versions Mitigation Credit This issue was…
MEDIUM | FEBRUARY 27, 2020 | CVE-2020-5404
Description Reactor Netty HttpClient, versions 0.9.x prior to 0.9.5, and versions 0.8.x prior to 0.8.16, may be used incorrectly, leading to a credentials leak during a redirect to a different domain. In order for this to happen, the HttpClient must have been…
HIGH | FEBRUARY 26, 2020 | CVE-2020-5405
Description Spring Cloud Config, versions 2.2.x prior to 2.2.2, versions 2.1.x prior to 2.1.7, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker…
MEDIUM | JANUARY 16, 2020 | CVE-2020-5397
Description Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are…
HIGH | JANUARY 16, 2020 | CVE-2020-5398
Description Affected Spring Products and Versions Mitigation Credit This issue was identified and responsibly reported by Roman Shalymov from EPAM. References https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/reflected-file-download-a-new-web…