Spring Framework — универсальный фреймворк с открытым исходным кодом для Java-платформы.
Релизный цикл, информация об уязвимостях
График релизов
Количество 236
GHSA-xjrf-8x4f-43h4
Improper Neutralization of Input During Web Page Generation in Spring Framework
GHSA-wjjr-h4wh-w6vv
Spring Framework Inefficient Regular Expression Complexity
GHSA-g5mm-vmx4-3rg7
Improper handling of case sensitivity in Spring Framework
CVE-2022-22968
In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
CVE-2022-22968
In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older ...
CVE-2022-22968
In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
CVE-2022-22968
In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
GHSA-558x-2xjg-6232
Allocation of Resources Without Limits or Throttling in Spring Framework
CVE-2022-22965
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
CVE-2022-22965
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vu ...
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано 1 | |
|---|---|---|---|---|
| GHSA-xjrf-8x4f-43h4 Improper Neutralization of Input During Web Page Generation in Spring Framework | CVSS3: 5.4 | 0% Низкий | около 3 лет назад |
| GHSA-wjjr-h4wh-w6vv Spring Framework Inefficient Regular Expression Complexity | 1% Низкий | около 3 лет назад | |
| GHSA-g5mm-vmx4-3rg7 Improper handling of case sensitivity in Spring Framework | CVSS3: 7.5 | 23% Средний | около 3 лет назад |
 | CVE-2022-22968 In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path. | CVSS3: 5.3 | 23% Средний | около 3 лет назад |
| CVE-2022-22968 In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older ... | CVSS3: 5.3 | 23% Средний | около 3 лет назад |
 | CVE-2022-22968 In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path. | CVSS3: 5.3 | 23% Средний | около 3 лет назад |
 | CVE-2022-22968 In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path. | CVSS3: 5.3 | 23% Средний | около 3 лет назад |
| GHSA-558x-2xjg-6232 Allocation of Resources Without Limits or Throttling in Spring Framework | CVSS3: 6.5 | 5% Низкий | около 3 лет назад |
| CVE-2022-22965 A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it. | CVSS3: 9.8 | 94% Критический | около 3 лет назад |
| CVE-2022-22965 A Spring MVC or Spring WebFlux application running on JDK 9+ may be vu ... | CVSS3: 9.8 | 94% Критический | около 3 лет назад |
Уязвимостей на страницу