HIGH | JUNE 20, 2022 | CVE-2022-22980
Description: A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized. Specifically…
HIGH | JUNE 15, 2022 | CVE-2022-22979
Description: In Spring Cloud Function versions 3.2.5 and older unsupported versions, it is possible for a user who directly interacts with framework-provided lookup functionality to cause a denial of service condition due to the caching issue in Function Catalog…
MEDIUM | MAY 17, 2022 | CVE-2022-22976
Description / Affected Spring Products and Versions / Mitigation / Credit: This issue was identified and responsibly reported by Eyal Kaspi. References: https://docs.spring.io/spring-security/site/docs/current/reference/html5/#authentication-password-storage https…
HIGH | MAY 16, 2022 | CVE-2022-22978
Description / Affected Spring Products and Versions / Mitigation: Users should update to a version that includes fixes. 5.5.x users should upgrade to 5.5.7 or greater. 5.6.x users should upgrade to 5.6.4 or greater. Releases that have fixed this issue include…
MEDIUM | MAY 11, 2022 | CVE-2022-22970
Description: A Spring MVC or Spring WebFlux application that handles file uploads is vulnerable to a DoS attack if it relies on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object. Affected Spring Products and Versions…
MEDIUM | MAY 11, 2022 | CVE-2022-22971
Description: A Spring application with a STOMP over WebSocket endpoint is vulnerable to a denial of service attack by an authenticated user. Affected Spring Products and Versions / Mitigation: Users of affected versions should apply the following mitigation: 5.3.x…
CRITICAL | APRIL 21, 2022 | CVE-2022-22969
Description: Spring Security OAuth versions 2.5.x prior to 2.5.2 and older unsupported versions are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client application. A malicious user or attacker…
LOW | APRIL 13, 2022 | CVE-2022-22968
Description: In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive, which means a field is not effectively protected unless it is listed with both upper…
CRITICAL | MARCH 31, 2022 | CVE-2022-22965
Description / Affected Spring Products and Versions / Mitigation: Users of affected versions should apply the following mitigation: 5.3.x users should upgrade to 5.3.18+, 5.2.x users should upgrade to 5.2.20+. No other steps are necessary. There are other…
CRITICAL | MARCH 29, 2022 | CVE-2022-22963
Description: In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and…