Spring Framework — универсальный фреймворк с открытым исходным кодом для Java-платформы.
Релизный цикл, информация об уязвимостях
График релизов
Количество 241
CVE-2014-3625
Directory traversal vulnerability in Pivotal Spring Framework 3.0.4 th ...
CVE-2014-3625
Directory traversal vulnerability in Pivotal Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x before 4.0.8, and 4.1.x before 4.1.2 allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling.
CVE-2014-3625
Directory traversal vulnerability in Pivotal Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x before 4.0.8, and 4.1.x before 4.1.2 allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling.
CVE-2014-3578
Directory traversal vulnerability in Pivotal Spring Framework 3.x before 3.2.9 and 4.0 before 4.0.5 allows remote attackers to read arbitrary files via a crafted URL.
CVE-2014-0225
When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack.
CVE-2014-0054
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
CVE-2014-0054
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Frame ...
CVE-2014-0054
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
CVE-2014-1904
Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.
CVE-2014-1904
Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/Form ...
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано 1 | |
|---|---|---|---|---|
| CVE-2014-3625 Directory traversal vulnerability in Pivotal Spring Framework 3.0.4 th ... | CVSS2: 5 | 23% Средний | больше 10 лет назад |
 | CVE-2014-3625 Directory traversal vulnerability in Pivotal Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x before 4.0.8, and 4.1.x before 4.1.2 allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling. | CVSS2: 5 | 23% Средний | больше 10 лет назад |
 | CVE-2014-3625 Directory traversal vulnerability in Pivotal Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x before 4.0.8, and 4.1.x before 4.1.2 allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling. | CVSS2: 5 | 23% Средний | больше 10 лет назад |
| CVE-2014-3578 Directory traversal vulnerability in Pivotal Spring Framework 3.x before 3.2.9 and 4.0 before 4.0.5 allows remote attackers to read arbitrary files via a crafted URL. | CVSS2: 5 | 6% Низкий | почти 11 лет назад |
| CVE-2014-0225 When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack. | CVSS2: 5 | 0% Низкий | около 11 лет назад |
 | CVE-2014-0054 The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429. | CVSS2: 6.8 | 35% Средний | больше 11 лет назад |
| CVE-2014-0054 The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Frame ... | CVSS2: 6.8 | 35% Средний | больше 11 лет назад |
| CVE-2014-0054 The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429. | CVSS2: 6.8 | 35% Средний | больше 11 лет назад |
| CVE-2014-1904 Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action. | CVSS2: 4.3 | 2% Низкий | больше 11 лет назад |
| CVE-2014-1904 Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/Form ... | CVSS2: 4.3 | 2% Низкий | больше 11 лет назад |
Уязвимостей на страницу