Security Advisories

CVE-2018-15758: Privilege Escalation in spring-security-oauth2

CRITICAL | OCTOBER 16, 2018 | CVE-2018-15758

Description Affected Spring Products and Versions Mitigation Credit This issue was identified and responsibly reported by Alvaro Muñoz (@pwntester) from Micro Focus. References Spring Security OAuth Read more

CVE-2018-11087: RabbitMQ (Spring-AMQP) Host name verification

CRITICAL | SEPTEMBER 11, 2018 | CVE-2018-11087

Description Affected Spring Products and Versions Mitigation Credit This issue was identified and responsibly reported by Peter Stöckli of Alphabot Security, Switzerland. History 2018-09-11: Initial vulnerability report published.

CVE-2018-11039: Cross Site Tracing (XST) with Spring Framework

MEDIUM | JUNE 14, 2018 | CVE-2018-11039

Description Affected Spring Products and Versions Mitigation Credit This issue was identified and reported by Mariusz Łuciów, Ocado Technology. History 2018-06-14: Initial vulnerability report published.

CVE-2018-11040: JSONP enabled by default in MappingJackson2JsonView

MEDIUM | JUNE 14, 2018 | CVE-2018-11040

Description Affected Spring Products and Versions Mitigation Credit This issue was identified and reported by Meyyalagan Chandrasekaran. References “Deprecate JSONP support and update…

CVE-2018-1263: Unsafe Unzip with spring-integration-zip

CRITICAL | MAY 11, 2018 | CVE-2018-1263

Description Affected Spring Products and Versions Mitigation Credit This issue was identified and responsibly reported by the Snyk Security Research Team and Abago Forgans. History 2018-05-11: Initial vulnerability report published

CVE-2018-1258: Unauthorized Access with Spring Security Method Security

CRITICAL | MAY 09, 2018 | CVE-2018-1258

Description Affected Spring Products and Versions Mitigation Credit This issue was identified internally by the Spring Security Team. History 2018-05-09: Initial vulnerability report published 2018-07-30: Clarifications on impacted versions

CVE-2018-1260: Remote Code Execution with spring-security-oauth2

CRITICAL | MAY 09, 2018 | CVE-2018-1260

Description Affected Spring Products and Versions Mitigation Credit This issue was identified and responsibly reported by Philippe Arteau from GoSecure. References Spring Security OAuth

CVE-2018-1261: Unsafe Unzip with spring-integration-zip

CRITICAL | MAY 09, 2018 | CVE-2018-1261

Description Affected Spring Products and Versions Mitigation Credit This issue was identified and responsibly reported by the Snyk Security Research Team. History 2018-05-09: Initial vulnerability report published

CVE-2018-1259: XXE with Spring Data’s XMLBeam integration

HIGH | MAY 09, 2018 | CVE-2018-1259

Description Affected Spring Products and Versions Mitigation Credit This issue was identified and responsibly reported by Abago Forgans. References

Spring Security Advisories

CVE-2018-15758: Privilege Escalation in spring-security-oauth2

CVE-2018-11087: RabbitMQ (Spring-AMQP) Host name verification

CVE-2018-11039: Cross Site Tracing (XST) with Spring Framework

CVE-2018-11040: JSONP enabled by default in MappingJackson2JsonView

CVE-2018-1263: Unsafe Unzip with spring-integration-zip

CVE-2018-1258: Unauthorized Access with Spring Security Method Security

CVE-2018-1260: Remote Code Execution with spring-security-oauth2

CVE-2018-1261: Unsafe Unzip with spring-integration-zip

CVE-2018-1259: XXE with Spring Data’s XMLBeam integration

Reporting a vulnerability

Get ahead

Get support

Upcoming events