This page lists Spring advisories.
CVE-2022-22968: Spring Framework Data Binding Rules Vulnerability
CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+
Description
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
These are the prerequisites for the exploit:
- JDK 9 or higher
- Apache Tomcat as the Servlet container
- Packaged as WAR
- spring-webmvc or spring-webflux dependency
Affected Spring Products and Versions
- Spring Framework
- 5.3.0 to 5.3.17
- 5.2.0 to 5.2.19
- Older, unsupported versions are also affected
Mitigation
Users of affected versions should apply the following mitigation: 5.3.x users should upgrade to 5.3.18+, 5.2.x users should upgrade to 5.2.20+. No other steps are necessary. There are other…
CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression
CVE-2022-22950: Spring Expression DoS Vulnerability
CVE-2022-22946: Spring Cloud Gateway HTTP2 Insecure TrustManager
CVE-2022-22947: Spring Cloud Gateway Code Injection Vulnerability
CVE-2021-22060: Additional Log Injection in Spring Framework (follow-up to CVE-2021-22096)
Description
In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. This is a follow-up to CVE-2021-22096 that protects…
CVE-2021-22095: Spring-AMQP Remote Denial of Service - Out of Memory Error with a Large Message Body
CVE-2021-22053: Spring Cloud Netflix Hystrix Dashboard template resolution vulnerability
Reporting a vulnerability
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy