Spring Security Advisories

RSS feed

This page lists Spring advisories.

CVE-2022-22978: Authorization Bypass in RegexRequestMatcher

HIGH | MAY 16, 2022 | CVE-2022-22978

Description

In Spring Security versions 5.4.10, 5.5.6, and 5.6.3 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers.

Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.

Affected Spring Products and Versions

  • Spring Security
    • 5.4.x prior to 5.4.11
    • 5.5.x prior to 5.5.7
    • 5.6.x prior to 5.6.4
    • Earlier unsupported versions

Mitigation

Users should update to a version that includes fixes. 5.5.x users should upgrade to 5.5.7 or greater. 5.6.x users should upgrade to 5.6.4 or greater. Releases that have fixed this issue include:

  • Spring Security
    • 5.4.11+
    • 5.5.7+
    • 5.6.4+

CVE-2022-22970: Spring Framework DoS via Data Binding to MultipartFile or Servlet Part

MEDIUM | MAY 11, 2022 | CVE-2022-22970

Description

A Spring MVC or Spring WebFlux application that handles file uploads is vulnerable to DoS attack if it relies on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.

Affected Spring Products and Versions

  • Spring Framework
    • 5.3.0 to 5.3.19
    • 5.2.0 to 5.2.21
    • Older, unsupported versions are also affected

CVE-2022-22971: Spring Framework DoS with STOMP over WebSocket

MEDIUM | MAY 11, 2022 | CVE-2022-22971

Description

A Spring application with a STOMP over WebSocket endpoint is vulnerable to a denial of service attack by an authenticated user.

Affected Spring Products and Versions

  • Spring Framework
    • 5.3.0 to 5.3.19
    • 5.2.0 to 5.2.21
    • Older, unsupported versions are also affected

Mitigation

Users of affected versions should apply the following mitigation: 5.3.x users should upgrade to 5.3.20; 5.2.x users should upgrade to 5.2.22. No other steps are necessary. Releases that have fixed this issue include:

  • Spring Framework
    • 5.3.20

CVE-2022-22969: Denial-of-Service (DoS) in spring-security-oauth2

CRITICAL | APRIL 21, 2022 | CVE-2022-22969

Description

Spring Security OAuth versions 2.5.x prior to 2.5.2 and older unsupported versions are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client application. A malicious user or attacker…

CVE-2022-22968: Spring Framework Data Binding Rules Vulnerability

LOW | APRIL 13, 2022 | CVE-2022-22968

Description

In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper…

CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+

CRITICAL | MARCH 31, 2022 | CVE-2022-22965

Description

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

These are the prerequisites for the exploit:

  • JDK 9 or higher
  • Apache Tomcat as the Servlet container
  • Packaged as WAR
  • spring-webmvc or spring-webflux dependency

Affected Spring Products and Versions

  • Spring Framework
    • 5.3.0 to 5.3.17
    • 5.2.0 to 5.2.19
    • Older, unsupported versions are also affected

Mitigation

Users of affected versions should apply the following mitigation: 5.3.x users should upgrade to 5.3.18+, 5.2.x users should upgrade to 5.2.20+. No other steps are necessary. There are other…

CVE-2022-22950: Spring Expression DoS Vulnerability

MEDIUM | MARCH 28, 2022 | CVE-2022-22950

Description

In Spring Framework versions 5.3.0 - 5.3.16, 5.2.0 - 5.2.19, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.

Affected Spring Products and…

CVE-2022-22946: Spring Cloud Gateway HTTP2 Insecure TrustManager

MEDIUM | MARCH 01, 2022 | CVE-2022-22946

Description

Applications using Spring Cloud Gateway that are configured to enable HTTP2 and no key store or trusted certificates are set will be configured to use an insecure TrustManager. This makes the gateway able to connect to remote services with invalid…

CVE-2022-22947: Spring Cloud Gateway Code Injection Vulnerability

CRITICAL | MARCH 01, 2022 | CVE-2022-22947

Description

Applications using Spring Cloud Gateway are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote…

Reporting a vulnerability

To report a security vulnerability for a project within the Spring portfolio, see the Security Policy

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all