Homepage About Snyk

Open Source Vulnerability Database

The most comprehensive, accurate, and timely database for open source vulnerabilities.

cargo logo

Remote Code Execution

Affecting org.springframework:spring-beans package, versions [ ,5.2.20) , [5.3.0, 5.3.18)

How to fix?

Upgrade org.springframework:spring-beans to version 5.2.20, 5.3.18 or higher.

0.0
critical
0.0

Vulnerabilities from the last week

Malicious Package

0.0
Affects

middleware-serde * Open this link in a new tab

middleware-serde is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'.

Open Redirect

0.0
Affects

grafana-django-saml2-auth [,3.6.0) Open this link in a new tab

grafana-django-saml2-auth is a Django SAML2 Authentication Made Easy.

Affected versions of this package are vulnerable to Open Redirect due to missing validation of the next URL in the login flow.

SpEL Expression injection

0.0
Affects

org.springframework.data:spring-data-mongodb [,3.3.5) , [3.4.0,3.4.1) Open this link in a new tab

Affected versions of this package are vulnerable to SpEL Expression injection when using @Query or @Aggregation-annotated query methods with SpEL expressions. Exploiting this vulnerability is possible if the query parameter placeholders contain unsanitized value binding.

Notes:

Applications are not affected if one of the followings is true:

  1. The annotated repository query or aggregation method does not contain expressions

  2. The annotated repository query or aggregation method does not use the parameter placeholder syntax within the expression

  3. The user-supplied input is sanitized by the application

  4. The repository is configured to use a QueryMethodEvaluationContextProvider that limits SpEL usage

Recent vulnerabilities disclosed by Snyk

    • H

    Denial of Service (DoS) in @discordjs/opus (npm)

    Discovered by Cristian-Alexandru Staicu
    16 Jun 2022
    • M

    Out-of-bounds Read in fast-string-search (npm)

    Discovered by Cristian-Alexandru Staicu
    16 Jun 2022
    • H

    Prototype Pollution in mout (npm)

    Discovered by P.Adithya Srinivas, Masudul Hasan Masud Bhuiyan, Cristian-Alexandru Staicu
    15 Jun 2022
    • H

    Prototype Pollution in deep-get-set (npm)

    Discovered by P.Adithya Srinivas, Masudul Hasan Masud Bhuiyan, Cristian-Alexandru Staicu
    15 Jun 2022
    • H

    Denial of Service (DoS) in fast-string-search (npm)

    Discovered by Cristian-Alexandru Staicu
    15 Jun 2022

We’ve disclosed
1175
vulnerabilities

by Snyk Security
Researchers

See all Snyk disclosed vulnerabilities
Report a new vulnerability

About Snyk

Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer's toolkit.

A shield with a tick icon inside, symbolising security