Spring Security Advisories

This page lists Spring advisories.

CVE-2017-4995: Jackson Configuration Allows Code Execution with Unknown “Serialization Gadgets”

LOW | JUNE 08, 2017 | CVE-2017-4995

Description Affected Spring Products and Versions Mitigation References https://github.com/FasterXML/jackson-databind/issues/1599 https://github.com/FasterXML/jackson-docs/wiki/JacksonPolymorphicDeserialization#11-global-default-typing https://github.com…

CVE-2017-4971: Data Binding Expression Vulnerability in Spring Web Flow

MEDIUM | MAY 31, 2017 | CVE-2017-4971

Description Affected Spring Products and Versions Mitigation Credit The issue was identified by Stefano Ciccone of Gotham Digital Science References

CVE-2016-9879 Encoded "/" in path variables

HIGH | DECEMBER 28, 2016 | CVE-2016-9879

Description Affected Spring Products and Versions Mitigation Credit The issue was identified by Shumpei Asahara & Yuji Ito from NTT DATA Corporation and responsibly reported to Pivotal. References http://www.securityfocus.com/archive/1/archive/1/514517/100/…

CVE-2016-9878 Directory Traversal in the Spring Framework ResourceServlet

LOW | DECEMBER 21, 2016 | CVE-2016-9878

Description Affected Spring Products and Versions Mitigation Credit The issue was identified by Shumpei Asahara & Yuji Ito from NTT DATA Corporation and responsibly reported to Pivotal. References