MEDIUM | MAY 11, 2022 | CVE-2022-22971
Description A Spring application with a STOMP over WebSocket endpoint is vulnerable to a denial of service attack by an authenticated user. Affected Spring Products and Versions Mitigation Users of affected versions should apply the following mitigation: 5.3.x…
CRITICAL | APRIL 21, 2022 | CVE-2022-22969
Description Spring Security OAuth versions 2.5.x prior to 2.5.2 and older unsupported versions are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client application. A malicious user or attacker…
LOW | APRIL 13, 2022 | CVE-2022-22968
Description In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper…
CRITICAL | MARCH 31, 2022 | CVE-2022-22965
Description Affected Spring Products and Versions Mitigation Users of affected versions should apply the following mitigation: 5.3.x users should upgrade to 5.3.18+, 5.2.x users should upgrade to 5.2.20+. No other steps are necessary. There are other…
CRITICAL | MARCH 29, 2022 | CVE-2022-22963
Description In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and…
MEDIUM | MARCH 28, 2022 | CVE-2022-22950
Description In Spring Framework versions 5.3.0 - 5.3.16, 5.2.0 - 5.2.19, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition. Affected Spring Products and…
MEDIUM | MARCH 01, 2022 | CVE-2022-22946
Description Applications using Spring Cloud Gateway that are configured to enable HTTP2 and no key store or trusted certificates are set will be configured to use an insecure TrustManager. This makes the gateway able to connect to remote services with invalid…
CRITICAL | MARCH 01, 2022 | CVE-2022-22947
Description Applications using Spring Cloud Gateway are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote…
MEDIUM | JANUARY 05, 2022 | CVE-2021-22060
Description In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. This is a follow-up to CVE-2021-22096 that protects…
MEDIUM | NOVEMBER 29, 2021 | CVE-2021-22095
Description The Spring AMQP Message object, in its toString() method, will create a new String object from the message body, regardless of its size.This can cause an OOM Error with a large message body. Affected Spring Products and Versions Mitigation Users of…
