Security Advisories

CVE-2018-1273: RCE with Spring Data Commons

CRITICAL | APRIL 10, 2018 | CVE-2018-1273

Description Affected Spring Products and Versions Mitigation Credit This issue was identified and responsibly reported by Philippe Arteau, GoSecure Inc. References https://jira.spring.io/browse/DATACMNS-1282 https://github.com/spring-projects/spring-data…

CVE-2018-1274: Denial of Service with Spring Data

CRITICAL | APRIL 10, 2018 | CVE-2018-1274

Description Affected Spring Products and Versions Mitigation Credit This issue was identified and responsibly reported by Yevhenii Hrushka (Yevgeniy Grushka), Fortify Webinspect. References https://jira.spring.io/browse/DATACMNS-1285 https://github.com/spring…

CVE-2018-1275: Address partial fix for CVE-2018-1270

CRITICAL | APRIL 09, 2018 | CVE-2018-1275

Description Affected Spring Products and Versions Mitigation Credit This original issue CVE-2018-1270 was identified and responsibly reported by Alvaro Muñoz (@pwntester), Micro Focus Fortify. The subsequent CVE-2018-1275 partial fix was identified and…

CVE-2018-1271: Directory Traversal with Spring MVC on Windows

HIGH | APRIL 05, 2018 | CVE-2018-1271

Description Affected Spring Products and Versions Mitigation Credit This issue was identified and responsibly reported by Orange Tsai (@orange_8361) from DEVCORE. References Example

CVE-2018-1229: Stored XSS in file upload of Spring Batch Admin

LOW | MARCH 16, 2018 | CVE-2018-1229

Description Affected Spring Products and Versions Mitigation Credit This vulnerability was responsibly reported by Wen Bin Kong. References https://docs.spring.io/spring-batch-admin https://github.com/spring-projects/spring-batch-admin/blob/master/MIGRATION.md…

CVE-2018-1230: Spring Batch Admin vulnerable to Cross Site Request Forgery

MEDIUM | MARCH 16, 2018 | CVE-2018-1230

Description Affected Spring Products and Versions Mitigation Credit This vulnerability was responsibly reported by Wen Bin Kong. References https://docs.spring.io/spring-batch-admin https://github.com/spring-projects/spring-batch-admin/blob/master/MIGRATION.md…

CVE-2018-1196: Symlink privilege escalation attack via Spring Boot launch script

HIGH | JANUARY 30, 2018 | CVE-2018-1196

Description Affected Spring Products and Versions Mitigation Credit This issue was identified and reported by Adam Stephens from Oracle Cloud Operations, UK and responsibly reported to Pivotal. History 2018-01-30: Initial vulnerability report published

CVE-2018-1199: Security bypass with static resources

HIGH | JANUARY 29, 2018 | CVE-2018-1199

Description Affected Spring Products and Versions Mitigation Credit The issue was identified by Macchinetta Framework Development Team from NTT Comware, NTT DATA Corporation, and NTT, and responsibly reported to Pivotal. History 2018-01-29: Initial…

Spring Security Advisories

CVE-2018-1273: RCE with Spring Data Commons

CVE-2018-1274: Denial of Service with Spring Data

CVE-2018-1275: Address partial fix for CVE-2018-1270

CVE-2018-1271: Directory Traversal with Spring MVC on Windows

CVE-2018-1229: Stored XSS in file upload of Spring Batch Admin

CVE-2018-1230: Spring Batch Admin vulnerable to Cross Site Request Forgery

CVE-2018-1196: Symlink privilege escalation attack via Spring Boot launch script

CVE-2018-1199: Security bypass with static resources

Reporting a vulnerability

Get ahead

Get support

Upcoming events