Spring Framework — универсальный фреймворк с открытым исходным кодом для Java-платформы.
Релизный цикл, информация об уязвимостях
График релизов
Количество 236
GHSA-4gc7-5j7h-4qph
Spring Framework DataBinder Case Sensitive Match Exception
CVE-2024-38820
The fix for CVE-2022-22968 made disallowedFieldspatterns in DataBinder ...
CVE-2024-38820
The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.
CVE-2024-38820
The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.
GHSA-hgjh-9rj2-g67j
Spring Framework URL Parsing with Host Validation Vulnerability
CVE-2024-22259
Applications that use UriComponentsBuilder in Spring Frameworkto parse ...
CVE-2024-22259
Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.
CVE-2024-22259
Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.
CVE-2024-22259
Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.
GHSA-r4q3-7g4q-x89m
Spring Framework server Web DoS Vulnerability
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано 1 | |
|---|---|---|---|---|
| GHSA-4gc7-5j7h-4qph Spring Framework DataBinder Case Sensitive Match Exception | CVSS3: 5.3 | 0% Низкий | 8 месяцев назад |
| CVE-2024-38820 The fix for CVE-2022-22968 made disallowedFieldspatterns in DataBinder ... | CVSS3: 3.1 | 0% Низкий | 8 месяцев назад |
 | CVE-2024-38820 The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected. | CVSS3: 3.1 | 0% Низкий | 8 месяцев назад |
 | CVE-2024-38820 The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected. | CVSS3: 3.1 | 0% Низкий | 8 месяцев назад |
| GHSA-hgjh-9rj2-g67j Spring Framework URL Parsing with Host Validation Vulnerability | CVSS3: 8.1 | 25% Средний | больше 1 года назад |
| CVE-2024-22259 Applications that use UriComponentsBuilder in Spring Frameworkto parse ... | CVSS3: 8.1 | 25% Средний | больше 1 года назад |
| CVE-2024-22259 Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input. | CVSS3: 8.1 | 25% Средний | больше 1 года назад |
| CVE-2024-22259 Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input. | CVSS3: 8.1 | 25% Средний | больше 1 года назад |
 | CVE-2024-22259 Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input. | CVSS3: 8.1 | 25% Средний | больше 1 года назад |
| GHSA-r4q3-7g4q-x89m Spring Framework server Web DoS Vulnerability | CVSS3: 7.5 | 1% Низкий | больше 1 года назад |
Уязвимостей на страницу