CVE-2017-8046: RCE in PATCH requests in Spring Data REST

CRITICAL | SEPTEMBER 21, 2017 | CVE-2017-8046
Description | Affected Spring Products and Versions | Mitigation | Credit: This vulnerability was responsibly reported by Man Yue Mo from Semmle and lgtm.com. | References: https://jira.spring.io/browse/DATAREST-1127 https://jira.spring.io/browse/DATAREST-1152 | History…

CVE-2017-8045: Remote code execution in spring-amqp

HIGH | SEPTEMBER 19, 2017 | CVE-2017-8045
Description | Affected Spring Products and Versions | Mitigation | Credit: This vulnerability was responsibly reported by Man Yue Mo from Semmle and lgtm.com. | References: https://jira.spring.io/browse/AMQP-766 https://docs.spring.io/spring-amqp/docs/1.6.11.RELEASE…

CVE-2016-9879: Encoded "/" in path variables

HIGH | DECEMBER 28, 2016 | CVE-2016-9879
Description | Affected Spring Products and Versions | Mitigation | Credit: The issue was identified by Shumpei Asahara & Yuji Ito from NTT DATA Corporation and responsibly reported to Pivotal. | References: http://www.securityfocus.com/archive/1/archive/1/514517/100/…