HIGH | APRIL 13, 2023 | CVE-2023-20863
Description: In Spring Framework versions 6.0.0 - 6.0.7, 5.3.0 - 5.3.26, 5.2.0.RELEASE - 5.2.23.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition…
MEDIUM | APRIL 12, 2023 | CVE-2023-20866
Description: In Spring Session version 3.0.0, the session id can be logged to the standard output stream. This vulnerability exposes sensitive information to those who have access to the application logs and can be used for session hijacking. Specifically, an…
MEDIUM | MARCH 20, 2023 | CVE-2023-20859
Description: The authentication mechanism creates Batch tokens. Usage of LifecycleAwareSessionManager in an imperative-only arrangement. LifecycleAwareSessionManager.destroy() is called by the application or the application shutdown hook. The logging level for…
HIGH | MARCH 20, 2023 | CVE-2023-20860
Description: Using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass. Affected Spring Products and Versions: Spring…
MEDIUM | MARCH 20, 2023 | CVE-2023-20861
Description: In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition…
MEDIUM | NOVEMBER 03, 2022 | CVE-2022-31691
Description: Spring Tools 4 for Eclipse version 4.16.0 and below, as well as VSCode extensions such as Spring Boot Tools, Concourse CI Pipeline Editor, Bosh Editor and Cloudfoundry Manifest YML Support version 1.39.0 and below, all use the Snakeyaml library for YAML…
HIGH | OCTOBER 31, 2022 | CVE-2022-31690
Description: Spring Security, versions 5.7 prior to 5.7.5, and 5.6 prior to 5.6.9, and older unsupported versions could be susceptible to a privilege escalation under certain conditions. A malicious user or attacker can modify a request initiated by the Client…
HIGH | OCTOBER 31, 2022 | CVE-2022-31692
Description: Spring Security, versions 5.7 prior to 5.7.5 and 5.6 prior to 5.6.9 could be susceptible to authorization rules bypass via forward or include dispatcher types. Specifically, an application is vulnerable when all of the following are true: The…
LOW | OCTOBER 19, 2022 | CVE-2022-31684
Description: Reactor Netty HTTP Server, in versions 1.0.11 - 1.0.23, may log request headers in some cases of invalid HTTP requests. The logged headers may reveal valid access tokens to those with access to server logs. This may affect only invalid HTTP…
MEDIUM | SEPTEMBER 19, 2022 | CVE-2022-31679
Description: Applications that allow HTTP PATCH access to resources exposed by Spring Data REST in versions 3.6.0 - 3.6.5, 3.7.0 - 3.7.2, and older unsupported versions, if an attacker knows about the structure of the underlying domain model, they can craft…