This page lists Spring advisories.
CVE-2024-38816: Path traversal vulnerability in functional web frameworks
CVE-2024-38807: Signature Forgery Vulnerability in Spring Boot's Loader
CVE-2024-38810: Missing Authorization When Using @AuthorizeReturnObject
Description
Applications using @AuthorizeReturnObject or the Spring Security produced AuthorizationAdvisorProxyFactory @Bean to wrap objects may not have all security advice applied. When method security advice is not applied, it means that annotations like @PreFilter and @PreAuthorize may take no effect…
CVE-2024-38808: Spring Expression DoS Vulnerability
CVE-2024-38809: Spring Framework DoS via conditional HTTP request
CVE-2024-37084: Remote code execution in Spring Cloud Data Flow
CVE-2024-22271: Spring Cloud Function Web DOS Vulnerability
CVE-2024-22263: Arbitrary File Write Vulnerability in Spring Cloud Data Flow
CVE-2024-22262: Spring Framework URL Parsing with Host Validation (3rd report)
Description
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect attack or to an SSRF attack if the URL…
Reporting a vulnerability
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy