MEDIUM | FEBRUARY 11, 2021 | CVE-2021-22113
Description Applications using the “Sensitive Headers” functionality in Spring Cloud Netflix Zuul 2.2.6.RELEASE and below may be vulnerable to bypassing the “Sensitive Headers” restriction when executing requests with specially constructed URLs. Applications…
MEDIUM | JANUARY 25, 2021 | CVE-2020-5427
Description In Spring Cloud Data Flow, versions 2.6.x prior to 2.6.5 and versions 2.5.x prior to 2.5.4, an application is vulnerable to SQL injection when requesting task execution. Affected Spring Products and Versions. Mitigation: Users should upgrade to 2.5.4 and…
LOW | JANUARY 25, 2021 | CVE-2020-5428
Description Applications using Spring Cloud Task 2.2.4.RELEASE and below may be vulnerable to SQL injection when exercising certain lookup queries in the TaskExplorer. Affected Spring Products and Versions. Mitigation: Users should upgrade to 2.2.5 and…
HIGH | SEPTEMBER 17, 2020 | CVE-2020-5421
Description In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a…
HIGH | AUGUST 04, 2020 | CVE-2020-5412
Description Spring Cloud Netflix, versions 2.2.x prior to 2.2.4, versions 2.1.x prior to 2.1.6, and older unsupported versions allow applications to use the Hystrix Dashboard proxy.stream endpoint to make requests to any server reachable by the server hosting…
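Added example, not Spring Cloud Netflix's code: the kind of check that closes an open stream proxy such as the one described above. The target origin is parsed, restricted to http/https, rejected if it carries userinfo, and matched host-and-port against an allowlist before any outbound request would be made; the validated URI is rebuilt from parts so nothing from the raw string passes through. The allowlist entries and probe URLs are constructed for the demo.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/**
 * Added example (not Spring Cloud Netflix code): allowlist validation for a
 * proxied stream origin, so the proxy cannot be pointed at arbitrary servers.
 */
public final class ProxyOriginAllowlist {

    // Constructed allowlist: "host:port" pairs the dashboard is permitted to reach.
    private final Set<String> allowedHostPorts;

    ProxyOriginAllowlist(Set<String> allowedHostPorts) {
        this.allowedHostPorts = allowedHostPorts;
    }

    /** Returns a normalized URI if the origin is allowed; otherwise throws IllegalArgumentException. */
    URI validate(String rawOrigin) {
        URI uri;
        try {
            uri = new URI(rawOrigin);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("unparseable origin", e);
        }
        String scheme = uri.getScheme() == null ? "" : uri.getScheme().toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) {
            throw new IllegalArgumentException("scheme not allowed: " + scheme); // file:, gopher:, jar: ...
        }
        if (uri.getRawUserInfo() != null) {
            throw new IllegalArgumentException("userinfo not allowed"); // http://allowed-host@attacker/ trick
        }
        String host = uri.getHost(); // null when the authority does not parse as a host
        if (host == null) {
            throw new IllegalArgumentException("no host");
        }
        int port = uri.getPort() != -1 ? uri.getPort() : (scheme.equals("https") ? 443 : 80);
        String hostPort = host.toLowerCase(Locale.ROOT) + ":" + port;
        if (!allowedHostPorts.contains(hostPort)) {
            throw new IllegalArgumentException("origin not in allowlist: " + hostPort);
        }
        try {
            // Rebuild from the validated components; fragment and userinfo are dropped.
            return new URI(scheme, null, host, port, uri.getPath(), uri.getQuery(), null);
        } catch (URISyntaxException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        ProxyOriginAllowlist allow = new ProxyOriginAllowlist(Set.of("orders.internal:8080"));
        String[] probes = {
            "http://orders.internal:8080/actuator/hystrix.stream",  // listed host and port
            "http://orders.internal/actuator/hystrix.stream",       // default port 80 is not listed
            "http://169.254.169.254/latest/meta-data/",             // cloud metadata endpoint
            "http://orders.internal:8080@169.254.169.254/",         // userinfo trick
            "file:///etc/passwd",                                   // non-HTTP scheme
        };
        for (String p : probes) {
            try {
                System.out.println("ALLOW " + allow.validate(p));
            } catch (IllegalArgumentException e) {
                System.out.println("DENY  " + p + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Run with `java ProxyOriginAllowlist.java` (Java 11 or later). Matching on the host name alone does not cover DNS rebinding or an allowed host that answers with a redirect: resolve the name and check the resulting address as well, disable redirect following on the client that performs the proxied request, and keep the allowlist limited to the services the dashboard actually monitors.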
LOW | JULY 23, 2020 | CVE-2020-5413
Description Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets…
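Added example, not Spring Integration's codec code, showing the Kryo configuration difference the advisory turns on. With registration not required, any class name present in the byte stream is resolved and instantiated; with registration required and an explicit list of permitted types, an unknown class name aborts decoding before an object is built. It assumes the com.esotericsoftware:kryo library (the calls used are common to the 4.x and 5.x APIs); the OrderEvent and UnregisteredType classes and the payload are constructed for the demo.

```java
import com.esotericsoftware.kryo.Kryo;
import com.esotericsoftware.kryo.io.Input;
import com.esotericsoftware.kryo.io.Output;
import java.util.ArrayList;

/**
 * Added example (not Spring Integration code): Kryo with and without
 * registrationRequired, and what each does with a class it was not told about.
 */
public class KryoRegistrationDemo {

    /** The only message type this codec is meant to carry. */
    public static final class OrderEvent {
        public String orderId;
        public int quantity;
        public OrderEvent() {}                       // Kryo's default instantiation needs a no-arg constructor
        OrderEvent(String id, int q) { orderId = id; quantity = q; }
    }

    /** Constructed stand-in for a type that must never come off the wire (a gadget would sit here). */
    public static final class UnregisteredType {
        public String command;
    }

    static Kryo weakKryo() {
        Kryo kryo = new Kryo();
        kryo.setRegistrationRequired(false);   // the advisory's "default options": any class resolves on demand
        return kryo;
    }

    static Kryo hardenedKryo() {
        Kryo kryo = new Kryo();
        kryo.setRegistrationRequired(true);    // unknown class name in the stream => exception, not an instance
        kryo.register(OrderEvent.class);       // register every type a legitimate payload may contain ...
        kryo.register(ArrayList.class);        // ... including collection types, in a fixed order on both peers
        return kryo;
    }

    static byte[] encode(Kryo kryo, Object o) {
        Output out = new Output(256, -1);
        kryo.writeClassAndObject(out, o);      // writes the class (name or registration id) followed by the fields
        out.close();
        return out.toBytes();
    }

    static Object decode(Kryo kryo, byte[] bytes) {
        try (Input in = new Input(bytes)) {
            return kryo.readClassAndObject(in);
        }
    }

    public static void main(String[] args) {
        UnregisteredType hostile = new UnregisteredType();
        hostile.command = "constructed payload";
        // A sender with the permissive configuration can serialize anything, class name included.
        byte[] wire = encode(weakKryo(), hostile);

        System.out.println("weak receiver instantiated: " + decode(weakKryo(), wire).getClass().getName());

        try {
            decode(hardenedKryo(), wire);
        } catch (IllegalArgumentException e) {  // Kryo reports the class as not registered
            System.out.println("hardened receiver rejected: " + e.getMessage());
        }

        byte[] ok = encode(hardenedKryo(), new OrderEvent("A-17", 3));
        OrderEvent back = (OrderEvent) decode(hardenedKryo(), ok);
        System.out.println("legitimate round trip: " + back.orderId + " x" + back.quantity);
    }
}
```

On the hardened path Kryo may still load the named class to look up its registration, but it does not construct it or deserialize its fields, which is where a gadget chain would start. Registration ids are what goes on the wire, so both peers must register the same classes in the same order, and a Kryo instance is not thread-safe, so pool one per thread.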
LOW | JUNE 10, 2020 | CVE-2020-5411
Description Affected Spring Products and Versions. Mitigation: Users of an affected version should upgrade to 4.2.3 or later. Releases that have fixed this issue include: Spring Batch 4.2.3. Credit: This issue was identified and responsibly reported by Srikanth…
HIGH | JUNE 01, 2020 | CVE-2020-5410
Description Spring Cloud Config, versions 2.2.x prior to 2.2.3, versions 2.1.x prior to 2.1.9, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker…
MEDIUM | MAY 07, 2020 | CVE-2020-5407
Description Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 contain a signature wrapping vulnerability during SAML response validation. When using the spring-security-saml2-service-provider component, a malicious user can carefully…
MEDIUM | MAY 07, 2020 | CVE-2020-5408
Description Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor…
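Added example, not Spring Security's code: a standalone reconstruction of the shape of the weakness the advisory describes, AES-CBC under a key derived from a password and salt with the IV fixed to sixteen zero bytes, next to the random-IV form that replaces it. It shows the two consequences: equal plaintexts are visible as equal ciphertexts to anyone holding the column, and anyone who can also encrypt chosen values under the same key recovers a low-entropy field by enumeration. The PBKDF2 parameters, the sample column and the candidate list are this example's own assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.List;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example, not Spring Security code: what a fixed all-zero IV in CBC mode
 * gives away, and the dictionary attack the advisory refers to.
 */
public class NullIvCbcDemo {

    private static final byte[] ZERO_IV = new byte[16];   // the fixed "null" IV from the advisory

    /** Key from password + salt. The PBKDF2 parameters are this example's choice, not Spring's. */
    static SecretKey deriveKey(String password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 1024, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).getEncoded();
        return new SecretKeySpec(raw, "AES");
    }

    static byte[] cbcEncrypt(SecretKey key, byte[] iv, String plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        return c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
    }

    /** Weak "queryable" shape: same key and same IV every time, so equal plaintexts give equal ciphertexts. */
    static byte[] queryableEncrypt(SecretKey key, String plaintext) throws Exception {
        return cbcEncrypt(key, ZERO_IV, plaintext);
    }

    /** Fixed shape: a fresh random IV per message, stored in front of the ciphertext. */
    static byte[] randomIvEncrypt(SecretKey key, String plaintext) throws Exception {
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        byte[] ct = cbcEncrypt(key, iv, plaintext);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    /** Needs no key: under a deterministic scheme, whoever holds the column can count equal values. */
    static long rowsEqualTo(List<byte[]> column, byte[] target) {
        return column.stream().filter(row -> Arrays.equals(row, target)).count();
    }

    /**
     * Dictionary attack: with the key material (or anything that encrypts chosen values under it)
     * and one stolen ciphertext, encrypt each candidate and compare.
     */
    static String dictionaryAttack(SecretKey key, byte[] stolen, List<String> candidates) throws Exception {
        for (String guess : candidates) {
            if (Arrays.equals(queryableEncrypt(key, guess), stolen)) {
                return guess;
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs for the demo.
        SecretKey key = deriveKey("app-password", "a1b2c3d4".getBytes(StandardCharsets.UTF_8));
        List<String> states = List.of("CA", "NY", "TX", "WA");      // a low-entropy column
        List<byte[]> column = List.of(queryableEncrypt(key, "TX"), queryableEncrypt(key, "CA"),
                                      queryableEncrypt(key, "TX"));

        byte[] stolen = column.get(0);
        System.out.println("deterministic: " + Arrays.equals(queryableEncrypt(key, "TX"), stolen));
        System.out.println("rows equal to the stolen row (no key needed): " + rowsEqualTo(column, stolen));
        System.out.println("dictionary attack recovered: " + dictionaryAttack(key, stolen, states));

        byte[] a = randomIvEncrypt(key, "TX");
        byte[] b = randomIvEncrypt(key, "TX");
        System.out.println("random IV, same plaintext, equal ciphertexts: " + Arrays.equals(a, b));
    }
}
```

Run with `java NullIvCbcDemo.java` (Java 11 or later). The random IV removes both leaks, and with it the ability to look a row up by encrypting the search value, which is the property the "queryable" encryptor was providing; a column that must remain searchable needs a separate keyed-hash index beside randomized encryption rather than a deterministic encryptor.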