MEDIUM | SEPTEMBER 19, 2022 | CVE-2022-31679
Applications that allow HTTP PATCH access to resources exposed by Spring Data REST in versions 3.6.0 - 3.6.5, 3.7.0 - 3.7.2, and older unsupported versions, if an attacker knows about the structure of the underlying domain model, they can craft…
HIGH | JUNE 20, 2022 | CVE-2022-22980
A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized.Specifically…
HIGH | JUNE 15, 2022 | CVE-2022-22979
In Spring Cloud Function versions 3.2.5 and older unsupported versions, it is possible for a user who directly interacts with framework provided lookup functionality to cause denial of service condition due to the caching issue in Function Catalog…
MEDIUM | MAY 17, 2022 | CVE-2022-22976
Affected Spring Products and Versions Mitigation Credit This issue was identified and responsibly reported by Eyal Kaspi. References https://docs.spring.io/spring-security/site/docs/current/reference/html5/#authentication-password-storage https…
HIGH | MAY 16, 2022 | CVE-2022-22978
Affected Spring Products and Versions Mitigation Users should update to a version that includes fixes. 5.5.x users should upgrade to 5.5.7 or greater. 5.6.x users should upgrade to 5.6.4 or greater. Releases that have fixed this issue include…
MEDIUM | MAY 11, 2022 | CVE-2022-22970
A Spring MVC or Spring WebFlux application that handles file uploads is vulnerable to DoS attack if it relies on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object. Affected Spring Products and Versions…
MEDIUM | MAY 11, 2022 | CVE-2022-22971
A Spring application with a STOMP over WebSocket endpoint is vulnerable to a denial of service attack by an authenticated user. Affected Spring Products and Versions Mitigation Users of affected versions should apply the following mitigation: 5.3.x…
CRITICAL | APRIL 21, 2022 | CVE-2022-22969
Spring Security OAuth versions 2.5.x prior to 2.5.2 and older unsupported versions are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client application. A malicious user or attacker…
LOW | APRIL 13, 2022 | CVE-2022-22968
In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper…
CRITICAL | MARCH 31, 2022 | CVE-2022-22965
Affected Spring Products and Versions Mitigation Users of affected versions should apply the following mitigation: 5.3.x users should upgrade to 5.3.18+, 5.2.x users should upgrade to 5.2.20+. No other steps are necessary. There are other…
