Security Advisories

CVE-2017-8046: RCE in PATCH requests in Spring Data REST

CRITICAL | SEPTEMBER 21, 2017 | CVE-2017-8046

Description Affected Spring Products and Versions Mitigation Credit This vulnerability was responsibly reported by Man Yue Mo from Semmle and lgtm.com. References https://jira.spring.io/browse/DATAREST-1127 https://jira.spring.io/browse/DATAREST-1152 History…

CVE-2017-8045: Remote code execution in spring-amqp

HIGH | SEPTEMBER 19, 2017 | CVE-2017-8045

Description Affected Spring Products and Versions Mitigation Credit This vulnerability was responsibly reported by Man Yue Mo from Semmle and lgtm.com. References https://jira.spring.io/browse/AMQP-766 https://docs.spring.io/spring-amqp/docs/1.6.11.RELEASE…

CVE-2017-8039: Data Binding Expression Vulnerability in Spring Web Flow

MEDIUM | SEPTEMBER 15, 2017 | CVE-2017-8039

Description Affected Spring Products and Versions Mitigation Credit The issue was identified by security researcher he1renyagao. References Issue tracker ticket

CVE-2016-9879 Encoded "/" in path variables

HIGH | DECEMBER 28, 2016 | CVE-2016-9879

Description Affected Spring Products and Versions Mitigation Credit The issue was identified by Shumpei Asahara & Yuji Ito from NTT DATA Corporation and responsibly reported to Pivotal. References http://www.securityfocus.com/archive/1/archive/1/514517/100/…

CVE-2016-9878 Directory Traversal in the Spring Framework ResourceServlet

LOW | DECEMBER 21, 2016 | CVE-2016-9878

Description Affected Spring Products and Versions Mitigation Credit The issue was identified by Shumpei Asahara & Yuji Ito from NTT DATA Corporation and responsibly reported to Pivotal. References

Spring Security Advisories

CVE-2017-8046: RCE in PATCH requests in Spring Data REST

CVE-2017-8045: Remote code execution in spring-amqp

CVE-2017-8039: Data Binding Expression Vulnerability in Spring Web Flow

CVE-2016-9879 Encoded "/" in path variables

CVE-2016-9878 Directory Traversal in the Spring Framework ResourceServlet