Spring Framework is an open-source general-purpose framework for the Java platform.
Release cycle, vulnerability information
Release schedule
Count 241

CVE-2018-15756
Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.
GHSA-8crv-49fr-2h6j
Spring Security and Spring Framework may not recognize certain paths that should be protected
GHSA-pgf9-h69p-pcgf
Files or Directories Accessible to External Parties in org.springframework:spring-core
GHSA-6v7w-535j-rq5m
Pivotal Spring Framework DoS Attack with XML Input
GHSA-45vg-2v73-vm62
Moderate severity vulnerability that affects org.springframework:spring-core
GHSA-3rmv-2pg5-xvqj
Spring Framework has Improperly Implemented Security Check for Standard
GHSA-4487-x383-qpph
Possible privilege escalation in org.springframework:spring-core
GHSA-g8hw-794c-4j9g
Path Traversal in org.springframework:spring-core
Vulnerability | CVSS | EPSS | Published
---|---|---|---
CVE-2018-15756 Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable. | CVSS3: 7.5 | 14% Medium | more than 6 years ago
GHSA-8crv-49fr-2h6j Spring Security and Spring Framework may not recognize certain paths that should be protected | CVSS3: 7.5 | 0% Low | more than 6 years ago
GHSA-pgf9-h69p-pcgf Files or Directories Accessible to External Parties in org.springframework:spring-core | CVSS3: 8.6 | 2% Low | more than 6 years ago
GHSA-6v7w-535j-rq5m Pivotal Spring Framework DoS Attack with XML Input | CVSS3: 5.5 | 1% Low | more than 6 years ago
GHSA-45vg-2v73-vm62 Moderate severity vulnerability that affects org.springframework:spring-core | | 0% Low | more than 6 years ago
GHSA-3rmv-2pg5-xvqj Spring Framework has Improperly Implemented Security Check for Standard | CVSS3: 9.8 | 32% Medium | more than 6 years ago
GHSA-4487-x383-qpph Possible privilege escalation in org.springframework:spring-core | CVSS3: 7.5 | 2% Low | more than 6 years ago
GHSA-g8hw-794c-4j9g Path Traversal in org.springframework:spring-core | CVSS3: 5.9 | 92% Critical | more than 6 years ago