Version 6.2.1

Spring Core

Spring Framework

Install Instructions

mvn install spring-core
Current Version Release Date December 12, 2024
Language Java
Package URL (purl) pkg:maven/org.springframework:spring-core@6.2.1

Find Spring Core vulnerabilities in your supply chain.

Scan for Free

Spring Core Vulnerabilities

Sort by
icon CVE (Latest)
  • icon CVE (Latest)
  • icon CVE (Oldest)
  • icon CVSS Score (Highest)
  • icon CVSS Score (Lowest)
CVE question mark icon CVSS Score question mark icon CWE(s) question mark icon EPSS Score question mark icon EPSS % question mark icon Impacted Versions
CVE-2015-3192 Medium 5.5 CWE-119 0.04125 0.92069
  • 4.0.0.RELEASE–4.1.6.RELEASE
  • 3.0.0.RELEASE–3.2.13.RELEASE
  • 2.0–2.5.6.SEC03
  • 1.0–1.2.9
CVE-2015-5211 High 9.6 CWE-552, CWE-20 0.00139 0.49995
  • 4.0.0.RELEASE–4.2.1.RELEASE
  • 3.0.0.RELEASE–3.2.14.RELEASE
  • 2.0–2.5.6.SEC03
  • 1.0–1.2.9
CVE-2016-5007 High 7.5 CWE-264 0.00252 0.64257
  • 4.0.0.RELEASE–4.3.0.RELEASE
  • 3.0.0.RELEASE–3.2.18.RELEASE
  • 2.0–2.5.6.SEC03
  • 1.0–1.2.9
CVE-2018-1257 Medium 6.5 CWE-20 0.00181 0.55602
  • 5.0.0.RELEASE–5.0.5.RELEASE
  • 4.0.0.RELEASE–4.3.16.RELEASE
  • 3.0.0.RELEASE–3.2.18.RELEASE
  • 2.0–2.5.6.SEC03
  • 1.0–1.2.9
CVE-2018-1270 High 9.8 CWE-94, CWE-358 0.85625 0.98776
  • 5.0.0.RELEASE–5.0.4.RELEASE
  • 4.0.0.RELEASE–4.3.15.RELEASE
  • 3.0.0.RELEASE–3.2.18.RELEASE
  • 2.0–2.5.6.SEC03
  • 1.0–1.2.9
CVE-2018-1271 Medium 5.9 CWE-22 0.01138 0.84496
  • 5.0.0.RELEASE–5.0.4.RELEASE
  • 4.0.0.RELEASE–4.3.14.RELEASE
  • 3.0.0.RELEASE–3.2.18.RELEASE
  • 2.0–2.5.6.SEC03
  • 1.0–1.2.9
CVE-2018-1272 High 7.5 0.00181 0.55498
  • 5.0.0.RELEASE–5.0.4.RELEASE
  • 4.0.0.RELEASE–4.3.14.RELEASE
  • 3.0.0.RELEASE–3.2.18.RELEASE
  • 2.0–2.5.6.SEC03
  • 1.0–1.2.9
CVE-2018-1275 High 9.8 CWE-94, CWE-358 0.42298 0.97373
  • 5.0.0.RELEASE–5.0.4.RELEASE
  • 4.0.0.RELEASE–4.3.15.RELEASE
  • 3.0.0.RELEASE–3.2.18.RELEASE
  • 2.0–2.5.6.SEC03
  • 1.0–1.2.9
CVE-2022-22950 Medium 6.5 CWE-770 0.00081 0.36747
  • 5.0.0.RELEASE–5.3.16
  • 4.0.0.RELEASE–4.3.30.RELEASE
  • 3.0.0.RELEASE–3.2.18.RELEASE
  • 2.0–2.5.6.SEC03
  • 1.0–1.2.9
CVE-2022-22968 Medium 5.3 CWE-178 0.0007 0.32514
  • 5.0.0.RELEASE–5.3.18
  • 4.0.0.RELEASE–4.3.30.RELEASE
  • 3.0.0.RELEASE–3.2.18.RELEASE
  • 2.0–2.5.6.SEC03
  • 1.0–1.2.9
CVE-2022-22971 Medium 6.5 CWE-770 0.00108 0.44511
  • 5.0.0.RELEASE–5.3.19
  • 4.0.0.RELEASE–4.3.30.RELEASE
  • 3.0.0.RELEASE–3.2.18.RELEASE
  • 2.0–2.5.6.SEC03
  • 1.0–1.2.9
CVE-2023-20861 Medium 6.5 CWE-770 0.0012 0.46783
  • 6.0.0–6.0.6
  • 5.0.0.RELEASE–5.3.25
  • 4.0.0.RELEASE–4.3.30.RELEASE
  • 3.0.0.RELEASE–3.2.18.RELEASE
  • 2.0–2.5.6.SEC03
  • 1.0–1.2.9
CVE-2023-20863 Medium 6.5 CWE-917, CWE-400 0.00171 0.54352
  • 6.0.0–6.0.7
  • 5.0.0.RELEASE–5.3.26
  • 4.0.0.RELEASE–4.3.30.RELEASE
  • 3.0.0.RELEASE–3.2.18.RELEASE
  • 2.0–2.5.6.SEC03
  • 1.0–1.2.9
CVE-2024-38827 Medium 4.8 CWE-639 0.00043 0.10859
  • 6.0.0–6.1.13
  • 5.0.0.RELEASE–5.3.39
  • 4.0.0.RELEASE–4.3.30.RELEASE
  • 3.0.0.RELEASE–3.2.18.RELEASE
  • 2.0–2.5.6.SEC03
  • 1.0–1.2.9
CVE-2016-9878 High 7.5 CWE-22 0.00374 0.72409
  • 4.2.0.RELEASE–4.3.4.RELEASE
  • 3.0.0.RELEASE–3.2.17.RELEASE
  • 2.0–2.5.6.SEC03
  • 1.0–1.2.9
CVE-2018-15756 High 7.5 CWE-20, CWE-399 0.0066 0.79475
  • 5.0.0.RELEASE–5.1.0.RELEASE
  • 4.2.0.RELEASE–4.3.19.RELEASE
CVE-2014-3578 Medium 5 CWE-22 0.02982 0.90653
  • 4.0.0.RELEASE–4.0.4.RELEASE
  • 3.0.0.RELEASE–3.2.8.RELEASE
CVE-2015-0201 Medium 5 CWE-254 0.00316 0.69975
  • 4.1.0.RELEASE–4.1.4.RELEASE
CVE-2010-1622 Medium 6 CWE-94 0.03942 0.91906
  • 3.0.0.RELEASE–3.0.2.RELEASE
  • 2.0–2.5.6.SEC03
  • 1.0–1.2.9
CVE-2011-2730 High 7.5 CWE-16 0.02298 0.89353
  • 3.0.0.RELEASE–3.0.5.RELEASE
  • 2.0–2.5.6.SEC02
  • 1.0–1.2.9
CVE-2011-2894 Medium 6.8 CWE-264, CWE-502 0.01508 0.86639
  • 3.0.0.RELEASE–3.0.5.RELEASE
CVE-2009-1190 Medium 5 CWE-399 0.04837 0.92634
  • 2.0–2.5.6.SEC03
  • 1.0–1.2.9
CVE-2018-11039 Medium 5.9 CWE-20 0.00257 0.64588
  • 5.0.0.RELEASE–5.0.6.RELEASE
  • 4.3.0.RELEASE–4.3.17.RELEASE
CVE-2018-11040 High 7.5 CWE-829, CWE-254 0.00245 0.63709
  • 5.0.0.RELEASE–5.0.6.RELEASE
  • 4.3.0.RELEASE–4.3.17.RELEASE
CVE-2018-1199 Medium 5.3 CWE-20, CWE-264 0.00188 0.56386
  • 5.0.0.RELEASE–5.0.2.RELEASE
  • 4.3.0.RELEASE–4.3.13.RELEASE
CVE-2022-22970 Medium 5.3 CWE-770 0.00316 0.69969
  • 5.2.0.RELEASE–5.3.19
CVE-2021-22060 Medium 4.3 0.00049 0.20196
  • 5.2.0.RELEASE–5.3.13
CVE-2021-22096 Medium 4.3 CWE-117 0.00079 0.36037
  • 5.2.0.RELEASE–5.3.10
CVE-2021-22118 High 7.8 CWE-668 0.00047 0.19324
  • 5.2.0.RELEASE–5.3.6
CVE-2024-22233 High 7.5 0.00093 0.40687
  • 6.0.15–6.1.2

Spring Core Vulnerability Remediation Guidance

CVE Description Full list of Impacted Versions Fix
CVE-2024-38827 The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in authorization rules not working properly. 4.1.6.RELEASE, 4.2.0.RELEASE, 4.1.5.RELEASE, 4.0.3.RELEASE, 4.0.1.RELEASE, 4.1.1.RELEASE, 4.1.2.RELEASE, 4.0.7.RELEASE (Show all) Patch → 6.1.14
CVE-2024-22233 In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: * the application uses Spring MVC * Spring Security 6.1.6+ or 6.2.1+ is on the classpath Typically, Spring Boot applications need the org.springframework.boot:spring-boot-starter-web and org.springframework.boot:spring-boot-starter-security dependencies to meet all conditions. 6.1.2, 6.0.15 Patch → 6.1.14
CVE-2023-20863 In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition. 4.1.6.RELEASE, 4.2.0.RELEASE, 4.1.5.RELEASE, 4.0.3.RELEASE, 4.0.1.RELEASE, 4.1.1.RELEASE, 4.1.2.RELEASE, 4.0.7.RELEASE (Show all) Patch → 6.1.14
CVE-2023-20861 In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition. 4.1.6.RELEASE, 4.2.0.RELEASE, 4.1.5.RELEASE, 4.0.3.RELEASE, 4.0.1.RELEASE, 4.1.1.RELEASE, 4.1.2.RELEASE, 4.0.7.RELEASE (Show all) Patch → 6.1.14
CVE-2022-22971 In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, application with a STOMP over WebSocket endpoint is vulnerable to a denial of service attack by an authenticated user. 4.1.6.RELEASE, 4.2.0.RELEASE, 4.1.5.RELEASE, 4.0.3.RELEASE, 4.0.1.RELEASE, 4.1.1.RELEASE, 4.1.2.RELEASE, 4.0.7.RELEASE (Show all) Patch → 6.1.14
CVE-2022-22970 In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object. 5.3.15, 5.3.16, 5.3.13, 5.3.12, 5.3.11, 5.3.9, 5.3.7, 5.3.5 (Show all) Major → 6.1.14
CVE-2022-22968 In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path. 4.1.6.RELEASE, 4.2.0.RELEASE, 4.1.5.RELEASE, 4.0.3.RELEASE, 4.0.1.RELEASE, 4.1.1.RELEASE, 4.1.2.RELEASE, 4.0.7.RELEASE (Show all) Patch → 6.1.14
CVE-2022-22950 n Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition. 4.1.6.RELEASE, 4.2.0.RELEASE, 4.1.5.RELEASE, 4.0.3.RELEASE, 4.0.1.RELEASE, 4.1.1.RELEASE, 4.1.2.RELEASE, 4.0.7.RELEASE (Show all) Patch → 6.1.14
CVE-2021-22118 In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with multipart request data. 5.3.5, 5.3.4, 5.2.14.RELEASE, 5.2.11.RELEASE, 5.2.9.RELEASE, 5.2.6.RELEASE, 5.2.5.RELEASE, 5.2.4.RELEASE (Show all) Major → 6.1.14
CVE-2021-22096 In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. 5.3.9, 5.3.7, 5.3.5, 5.3.4, 5.2.17.RELEASE, 5.2.15.RELEASE, 5.2.14.RELEASE, 5.2.11.RELEASE (Show all) Major → 6.1.14
CVE-2021-22060 In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. This is a follow-up to CVE-2021-22096 that protects against additional types of input and in more places of the Spring Framework codebase. 5.3.13, 5.3.12, 5.3.11, 5.3.9, 5.3.7, 5.3.5, 5.3.4, 5.2.17.RELEASE (Show all) Major → 6.1.14
CVE-2018-15756 Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable. 4.2.0.RELEASE, 4.2.1.RELEASE, 4.3.0.RELEASE, 5.0.1.RELEASE, 5.0.6.RELEASE, 4.3.16.RELEASE, 4.3.15.RELEASE, 4.3.14.RELEASE (Show all) Patch → 6.1.14
CVE-2018-1275 Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. This CVE addresses the partial fix for CVE-2018-1270 in the 4.3.x branch of the Spring Framework. 4.1.6.RELEASE, 4.2.0.RELEASE, 4.1.5.RELEASE, 4.0.3.RELEASE, 4.0.1.RELEASE, 4.1.1.RELEASE, 4.1.2.RELEASE, 4.0.7.RELEASE (Show all) Patch → 6.1.14
CVE-2018-1272 Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles. 4.1.6.RELEASE, 4.2.0.RELEASE, 4.1.5.RELEASE, 4.0.3.RELEASE, 4.0.1.RELEASE, 4.1.1.RELEASE, 4.1.2.RELEASE, 4.0.7.RELEASE (Show all) Patch → 6.1.14
CVE-2018-1271 Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack. 4.1.6.RELEASE, 4.2.0.RELEASE, 4.1.5.RELEASE, 4.0.3.RELEASE, 4.0.1.RELEASE, 4.1.1.RELEASE, 4.1.2.RELEASE, 4.0.7.RELEASE (Show all) Patch → 6.1.14
CVE-2018-1270 Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. 4.1.6.RELEASE, 4.2.0.RELEASE, 4.1.5.RELEASE, 4.0.3.RELEASE, 4.0.1.RELEASE, 4.1.1.RELEASE, 4.1.2.RELEASE, 4.0.7.RELEASE (Show all) Patch → 6.1.14
CVE-2018-1257 Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack. 4.1.6.RELEASE, 4.2.0.RELEASE, 4.1.5.RELEASE, 4.0.3.RELEASE, 4.0.1.RELEASE, 4.1.1.RELEASE, 4.1.2.RELEASE, 4.0.7.RELEASE (Show all) Patch → 6.1.14
CVE-2018-1199 Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed. 4.3.0.RELEASE, 5.0.1.RELEASE, 4.3.12.RELEASE, 4.3.10.RELEASE, 4.3.8.RELEASE, 4.3.6.RELEASE, 4.3.4.RELEASE, 4.3.2.RELEASE (Show all) Patch → 6.1.14
CVE-2018-11040 Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests. 4.3.0.RELEASE, 5.0.1.RELEASE, 5.0.6.RELEASE, 4.3.16.RELEASE, 4.3.15.RELEASE, 4.3.14.RELEASE, 4.3.12.RELEASE, 4.3.10.RELEASE (Show all) Patch → 6.1.14
CVE-2018-11039 Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack. 4.3.0.RELEASE, 5.0.1.RELEASE, 5.0.6.RELEASE, 4.3.16.RELEASE, 4.3.15.RELEASE, 4.3.14.RELEASE, 4.3.12.RELEASE, 4.3.10.RELEASE (Show all) Patch → 6.1.14
CVE-2016-9878 An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks. 4.2.0.RELEASE, 3.2.8.RELEASE, 3.2.7.RELEASE, 3.2.5.RELEASE, 3.2.12.RELEASE, 3.2.11.RELEASE, 3.2.3.RELEASE, 3.2.2.RELEASE (Show all) Patch → 6.1.14
CVE-2016-5007 Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences. 4.1.6.RELEASE, 4.2.0.RELEASE, 4.1.5.RELEASE, 4.0.3.RELEASE, 4.0.1.RELEASE, 4.1.1.RELEASE, 4.1.2.RELEASE, 4.0.7.RELEASE (Show all) Patch → 6.1.14
CVE-2015-5211 Under some situations, the Spring Framework 4.2.0 to 4.2.1, 4.0.0 to 4.1.7, 3.2.0 to 3.2.14 and older unsupported versions is vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the response. 4.1.6.RELEASE, 4.2.0.RELEASE, 4.1.5.RELEASE, 4.0.3.RELEASE, 4.0.1.RELEASE, 4.1.1.RELEASE, 4.1.2.RELEASE, 4.0.7.RELEASE (Show all) Patch → 6.1.14
CVE-2015-3192 Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file. 4.1.6.RELEASE, 4.1.5.RELEASE, 4.0.3.RELEASE, 4.0.1.RELEASE, 4.1.1.RELEASE, 4.1.2.RELEASE, 4.0.7.RELEASE, 3.2.8.RELEASE (Show all) Patch → 6.1.14
CVE-2015-0201 The Java SockJS client in Pivotal Spring Framework 4.1.x before 4.1.5 generates predictable session ids, which allows remote attackers to send messages to other sessions via unspecified vectors. 4.1.1.RELEASE, 4.1.2.RELEASE, 4.1.0.RELEASE, 4.1.4.RELEASE, 4.1.3.RELEASE Patch → 6.1.14
CVE-2014-3578 Directory traversal vulnerability in Pivotal Spring Framework 3.x before 3.2.9 and 4.0 before 4.0.5 allows remote attackers to read arbitrary files via a crafted URL. 4.0.3.RELEASE, 4.0.1.RELEASE, 3.2.8.RELEASE, 3.2.7.RELEASE, 3.2.5.RELEASE, 3.2.3.RELEASE, 3.2.2.RELEASE, 3.2.1.RELEASE (Show all) Patch → 6.1.14
CVE-2011-2894 Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by (1) serializing a java.lang.Proxy instance and using InvocationHandler, or (2) accessing internal AOP interfaces, as demonstrated using deserialization of a DefaultListableBeanFactory instance to execute arbitrary commands via the java.lang.Runtime class. 3.0.2.RELEASE, 3.0.4.RELEASE, 3.0.1.RELEASE, 3.0.3.RELEASE, 3.0.5.RELEASE, 3.0.0.RELEASE Patch → 6.1.14
CVE-2011-2730 VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection." 3.0.2.RELEASE, 3.0.4.RELEASE, 3.0.1.RELEASE, 3.0.3.RELEASE, 2.5.6.SEC02, 2.5.6.SEC01, 2.5.5, 2.5.4 (Show all) Patch → 6.1.14
CVE-2010-1622 SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file. 3.0.2.RELEASE, 2.5.6.SEC03, 3.0.1.RELEASE, 2.5.6.SEC01, 2.5.6, 2.5.5, 2.5.4, 2.5.3 (Show all) Patch → 6.1.14
CVE-2009-1190 Algorithmic complexity vulnerability in the java.util.regex.Pattern.compile method in Sun Java Development Kit (JDK) before 1.6, when used with spring.jar in SpringSource Spring Framework 1.1.0 through 2.5.6 and 3.0.0.M1 through 3.0.0.M2 and dm Server 1.0.0 through 1.0.2, allows remote attackers to cause a denial of service (CPU consumption) via serializable data with a long regex string containing multiple optional groups, a related issue to CVE-2004-2540. 2.5.6.SEC03, 2.5.6.SEC02, 2.5.6.SEC01, 2.5.6, 2.5.5, 2.5.4, 2.5.3, 2.0.7 (Show all) Patch → 6.1.14

Instantly see if these Spring Core vulnerabilities affect your code.

Scan for Free

Dependencies

Packages using versions of Spring Core affected by its vulnerabilities

Dependent Packages
org.springframework:spring-jcl:6.2.1