Spring Framework is a general-purpose open-source framework for the Java platform.
Release cycle and vulnerability information
Release schedule
Count: 241
| Advisory | Summary | CVSS3 | EPSS | Published |
|---|---|---|---|---|
| GHSA-p5hg-3xm3-gcjg | Spring Framework allows applications to expose STOMP over WebSocket endpoints | 9.8 | 89% (High) | more than 6 years ago |
| GHSA-cxrj-66c5-9fmh | Spring Framework, when used in combination with any version of Spring Security, contains an authorization bypass | 8.8 | 0% (Low) | more than 6 years ago |
| GHSA-rcpf-vj53-7h2m | Denial of Service in org.springframework:spring-core | 6.5 | 1% (Low) | more than 6 years ago |
| GHSA-v596-fwhq-8x48 | Improper Input Validation in org.springframework.security:spring-security-core and org.springframework:spring-core | 5.3 | 1% (Low) | more than 6 years ago |
| GHSA-f26x-pr96-vw86 | Moderate severity vulnerability that affects org.springframework:spring-core | 5.9 | 8% (Low) | more than 6 years ago |
| GHSA-9gcm-f4x3-8jpw | Spring Framework Cross Site Tracing (XST) | 5.9 | 3% (Low) | more than 6 years ago |
| CVE-2018-15756 | Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a Range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable. | 3.1 | 14% (Medium) | more than 6 years ago |
| GHSA-2m8h-fgr8-2q9w | Pivotal Spring Framework: paths provided to the ResourceServlet were not properly sanitized | 7.5 | 5% (Low) | more than 6 years ago |
| CVE-2018-11040 | Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Neither is enabled by default in Spring Framework or Spring Boot; however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests. | 7.5 | 8% (Low) | almost 7 years ago |
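The two CVE entries above describe attack patterns that are visible at the request edge before the framework ever touches them: a Range header carrying many or overlapping byte ranges (CVE-2018-15756), and a `jsonp` or `callback` query parameter aimed at a JSON endpoint (CVE-2018-11040). The following is an added example written for this page, not code from the Spring project or from the advisories; it shows request-side detection logic run over constructed sample requests. The function names (`parse_byte_ranges`, `range_findings`, `inspect_request`, `scan`), the `MAX_RANGES` ceiling of 100 and the 1000-byte resource length are assumptions of this example, not values the framework uses.

```python
"""Request-edge checks for the two attack patterns described in the
CVE-2018-15756 and CVE-2018-11040 entries above (added example, not Spring
code). Constants and sample requests are assumptions, not project values."""
import re
from urllib.parse import parse_qs, urlsplit

MAX_RANGES = 100                      # policy ceiling per request (assumption)
JSONP_PARAMS = {"jsonp", "callback"}  # query parameter names cited in CVE-2018-11040

_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")   # first-last, first-, or -suffix


def parse_byte_ranges(header, resource_length):
    """Parse an RFC 7233 'bytes=' Range header into inclusive (start, end)
    pairs clamped to the resource; unsatisfiable specs are dropped.
    Raises ValueError on a malformed header."""
    if not header.startswith("bytes="):
        raise ValueError("unsupported range unit")
    ranges = []
    for spec in header[len("bytes="):].split(","):
        m = _RANGE_SPEC.match(spec.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            raise ValueError("bad range spec: %r" % spec)
        first, last = m.group(1), m.group(2)
        if first == "":                                   # suffix: last N bytes
            start = max(resource_length - int(last), 0)
            end = resource_length - 1
        else:
            start = int(first)
            end = resource_length - 1 if last == "" else min(int(last), resource_length - 1)
        if start <= end:
            ranges.append((start, end))
    return ranges


def range_findings(header, resource_length, max_ranges=MAX_RANGES):
    """Abuse indicators in one Range header: too many ranges, overlapping
    ranges, or a multipart response larger than the resource itself."""
    try:
        ranges = parse_byte_ranges(header, resource_length)
    except ValueError:
        return ["malformed_range"]
    findings = []
    if len(ranges) > max_ranges:
        findings.append("too_many_ranges")
    ordered = sorted(ranges)                              # by start offset
    if any(nxt[0] <= cur[1] for cur, nxt in zip(ordered, ordered[1:])):
        findings.append("overlapping_ranges")
    if sum(end - start + 1 for start, end in ranges) > resource_length:
        findings.append("amplified_response")
    return findings


def inspect_request(request, resource_length):
    """request = {'target': path-with-query, 'headers': {lower-case name: value}}.
    Returns the findings for that one request (empty list when clean)."""
    findings = []
    query = parse_qs(urlsplit(request["target"]).query, keep_blank_values=True)
    for name in sorted(JSONP_PARAMS & set(query)):        # JSONP callback parameter
        findings.append("jsonp_callback_param:%s=%s" % (name, query[name][0]))
    if "range" in request["headers"]:
        findings.extend(range_findings(request["headers"]["range"], resource_length))
    return findings


# Constructed sample requests (not captured traffic), against a 1000-byte asset.
SAMPLE_REQUESTS = [
    {"target": "/static/app.js", "headers": {"range": "bytes=0-99"}},
    {"target": "/static/app.js", "headers": {"range": "bytes=0-99,50-149,100-199"}},
    {"target": "/static/app.js",
     "headers": {"range": "bytes=" + ",".join("0-" for _ in range(150))}},
    {"target": "/api/account?callback=leak", "headers": {}},
]


def scan(requests=SAMPLE_REQUESTS, resource_length=1000):
    """Findings per request, in input order."""
    return [inspect_request(r, resource_length) for r in requests]


if __name__ == "__main__":
    for req, found in zip(SAMPLE_REQUESTS, scan()):
        print(req["target"], req["headers"].get("range", "-"), "->", found or "clean")
```

The overlap test only compares neighbours after sorting by start offset, which is sufficient: if any two ranges overlap, the pair adjacent in sorted order does too. `amplified_response` catches the case the advisory singles out, a multipart response that is larger than the file being served, which is what turns a cheap request into a denial of service. The JSONP check fires on the parameter name alone, since on an affected version the presence of `callback` is what switches the response into cross-domain script form regardless of its value.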