VMware

Spring Framework

72 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
  • EPSS 1.7%
  • Veröffentlicht 25.05.2017 17:29:00
  • Zuletzt bearbeitet 13.05.2026 00:24:29

When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack.

Exploit
  • EPSS 2.57%
  • Veröffentlicht 25.05.2017 17:29:00
  • Zuletzt bearbeitet 13.05.2026 00:24:29

Under some situations, the Spring Framework 4.2.0 to 4.2.1, 4.0.0 to 4.1.7, 3.2.0 to 3.2.14 and older unsupported versions is vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch scrip...

  • EPSS 2.84%
  • Veröffentlicht 25.05.2017 17:29:00
  • Zuletzt bearbeitet 13.05.2026 00:24:29

Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching me...

  • EPSS 5.64%
  • Veröffentlicht 29.12.2016 09:59:00
  • Zuletzt bearbeitet 06.05.2026 22:30:45

An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.

  • EPSS 2.56%
  • Veröffentlicht 12.07.2016 19:59:00
  • Zuletzt bearbeitet 06.05.2026 22:30:45

Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) vi...

  • EPSS 1.9%
  • Veröffentlicht 10.03.2015 14:59:04
  • Zuletzt bearbeitet 06.05.2026 22:30:45

The Java SockJS client in Pivotal Spring Framework 4.1.x before 4.1.5 generates predictable session ids, which allows remote attackers to send messages to other sessions via unspecified vectors.

  • EPSS 10.05%
  • Veröffentlicht 20.11.2014 17:50:00
  • Zuletzt bearbeitet 06.05.2026 22:30:45

Directory traversal vulnerability in Pivotal Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x before 4.0.8, and 4.1.x before 4.1.2 allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling.

  • EPSS 91.35%
  • Veröffentlicht 17.04.2014 14:55:06
  • Zuletzt bearbeitet 06.05.2026 22:30:45

The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct ...

  • EPSS 90.46%
  • Veröffentlicht 26.01.2014 16:58:10
  • Zuletzt bearbeitet 29.04.2026 01:13:23

The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CS...

Exploit
  • EPSS 3.44%
  • Veröffentlicht 23.01.2014 21:55:05
  • Zuletzt bearbeitet 29.04.2026 01:13:23

The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and c...