HIGH | NOVEMBER 17, 2021 | CVE-2021-22053
Description Applications using both spring-cloud-netflix-hystrix-dashboard and spring-boot-starter-thymeleaf expose a way to execute code submitted within the request URI path during the resolution of view templates. When a request is made at /hystrix/monitor…
HIGH | NOVEMBER 04, 2021 | CVE-2021-22051
Description Applications using Spring Cloud Gateway are vulnerable to specifically crafted requests that could make an extra request on downstream services. Affected Spring Products and Versions Mitigation Users of affected versions should apply the following…
HIGH | OCTOBER 26, 2021 | CVE-2021-22044
Description Applications using type-level @RequestMappingannotations over Feign client interfaces, can be involuntarily exposing endpoints corresponding to @RequestMapping-annotated interface methods. Although a response is not returned for a request sent in…
MEDIUM | OCTOBER 26, 2021 | CVE-2021-22047
Description In Spring Data REST versions 3.4.0 - 3.4.13, 3.5.0 - 3.5.5, and older unsupported versions, HTTP resources implemented by custom controllers using a configured base API path and a controller type-level request mapping are additionally exposed under…
MEDIUM | OCTOBER 26, 2021 | CVE-2021-22096
Description In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. Affected Spring Products and Versions Mitigation…
MEDIUM | OCTOBER 26, 2021 | CVE-2021-22097
Description The Spring AMQP Message object, in its toString() method, will deserialize a body for a message with content type application/x-java-serialized-object. Classes in the java.lang and java.util packages are trusted.It is possible to construct a…
CRITICAL | JUNE 28, 2021 | CVE-2021-22119
Description Spring Security versions 5.5.x prior to 5.5.1, 5.4.x prior to 5.4.7, 5.3.x prior to 5.3.10 and 5.2.x prior to 5.2.11 are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client Web and…
MEDIUM | MAY 25, 2021 | CVE-2021-22118
Description Affected Spring Products and Versions Mitigation Users of affected versions should apply the following mitigation. 5.3.x users should upgrade to 5.3.7. 5.2.x users should upgrade to 5.2.15. No other steps are necessary. Releases that have fixed…
LOW | FEBRUARY 26, 2021 | CVE-2021-22114
Description spring-integration-zip , versions prior to 1.0.4, exposes an arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive (affects other archives as well, bzip2, tar, xz, war, cpio, 7z), that holds path traversal…
LOW | FEBRUARY 19, 2021 | CVE-2021-22112
Description Spring Security versions 5.4.0 to 5.4.3, 5.3.0.RELEASE to 5.3.8.RELEASE, 5.2.0.RELEASE to 5.2.8.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request. The SecurityContext…
