Spring Security Advisories

Description Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints.Only non-authenticated endpoints are…

Description Reactor Netty, versions 0.8.x prior to 0.8.13 and 0.9.x prior to 0.9.1, depends on vulnerable versions of netty (versions prior to 4.1.42), which incorrectly handles whitespace before a colon in headers, leading to HTTP request smuggling attacks…

Description Pivotal Reactor Netty, versions prior to 0.8.11, passes headers through redirects, including authorization ones. A remote unauthenticated malicious user may gain access to credentials for a different server than they have access to. References…

Description Affected Spring Products and Versions Mitigation Credit This issue was identified and responsibly reported by Tim Büthe and Daniel Neagaru from mytaxi. History 2019-06-19: Initial vulnerability report published

Description Affected Spring Products and Versions Mitigation Credit This issue was identified and responsibly reported by Mike Noordermeer. References Spring Security OAuth

Description Affected Spring Products and Versions Mitigation Credit This issue was identified and responsibly reported by Thaveethu Vignesh References https://cwe.mitre.org/data/definitions/155.html https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L…

Description Affected Spring Products and Versions Mitigation Credit This issue was identified and responsibly reported by Vern (vernhk@qq.com from PingAn Galaxy Lab). References