MEDIUM | NOVEMBER 03, 2022 | CVE-2022-31691
Description Spring Tools 4 for Eclipse version 4.16.0 and below as well as VSCode extensions such as Spring Boot Tools, Concourse CI Pipeline Editor, Bosh Editor and Cloudfoundry Manifest YML Support version 1.39.0 and below all use the Snakeyaml library for YAML…
HIGH | OCTOBER 31, 2022 | CVE-2022-31690
Description Spring Security, versions 5.7 prior to 5.7.5, and 5.6 prior to 5.6.9, and older unsupported versions could be susceptible to a privilege escalation under certain conditions. A malicious user or attacker can modify a request initiated by the Client…
HIGH | OCTOBER 31, 2022 | CVE-2022-31692
Description Spring Security, versions 5.7 prior to 5.7.5 and 5.6 prior to 5.6.9 could be susceptible to authorization rules bypass via forward or include dispatcher types. Specifically, an application is vulnerable when all of the following are true: The…
LOW | OCTOBER 19, 2022 | CVE-2022-31684
Description Reactor Netty HTTP Server, in versions 1.0.11 - 1.0.23, may log request headers in some cases of invalid HTTP requests. The logged headers may reveal valid access tokens to those with access to server logs. This may affect only invalid HTTP…
MEDIUM | SEPTEMBER 19, 2022 | CVE-2022-31679
Description Applications that allow HTTP PATCH access to resources exposed by Spring Data REST in versions 3.6.0 - 3.6.5, 3.7.0 - 3.7.2, and older unsupported versions, if an attacker knows about the structure of the underlying domain model, they can craft…
HIGH | JUNE 20, 2022 | CVE-2022-22980
Description A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized. Specifically…
HIGH | JUNE 15, 2022 | CVE-2022-22979
Description In Spring Cloud Function versions 3.2.5 and older unsupported versions, it is possible for a user who directly interacts with framework-provided lookup functionality to cause a denial of service condition due to the caching issue in Function Catalog…
MEDIUM | MAY 17, 2022 | CVE-2022-22976
Description Affected Spring Products and Versions Mitigation Credit This issue was identified and responsibly reported by Eyal Kaspi. References https://docs.spring.io/spring-security/site/docs/current/reference/html5/#authentication-password-storage https…
HIGH | MAY 16, 2022 | CVE-2022-22978
Description Affected Spring Products and Versions Mitigation Users should update to a version that includes fixes. 5.5.x users should upgrade to 5.5.7 or greater. 5.6.x users should upgrade to 5.6.4 or greater. Releases that have fixed this issue include…
MEDIUM | MAY 11, 2022 | CVE-2022-22970
Description A Spring MVC or Spring WebFlux application that handles file uploads is vulnerable to DoS attack if it relies on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object. Affected Spring Products and Versions…