org.springframework:spring-web 3.1.3.RELEASE vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.springframework:spring-web package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
L Improper Handling of Case Sensitivity org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform. Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity due to `String.toLowerCase()` having some Locale dependent exceptions that could potentially result in fields not protected as expected. Note: The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. How to fix Improper Handling of Case Sensitivity? Upgrade `org.springframework:spring-web` to version 6.1.14 or higher.	[,6.1.14)
M Denial of Service (DoS) org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform. Affected versions of this package are vulnerable to Denial of Service (DoS) in the form of improper ETag prefix validation when parsing ETags from the `If-Match` or `If-None-Match` request headers. An attacker can exploit this vulnerability to cause denial of service by sending a maliciously crafted conditional HTTP request. How to fix Denial of Service (DoS)? Upgrade `org.springframework:spring-web` to version 5.3.38, 6.0.23, 6.1.12 or higher.	[,5.3.38)[6.0.0,6.0.23)[6.1.0,6.1.12)
M Open Redirect org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform. Affected versions of this package are vulnerable to Open Redirect when `UriComponentsBuilder` is used to parse an externally provided URL and perform validation checks on the host of the parsed URL. Note: This is the same as CVE-2024-22259 and CVE-2024-22243, but with different input. How to fix Open Redirect? Upgrade `org.springframework:spring-web` to version 5.3.34, 6.0.19, 6.1.6 or higher.	[,5.3.34)[6.0.0,6.0.19)[6.1.0,6.1.6)
H Open Redirect org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform. Affected versions of this package are vulnerable to Open Redirect when using `UriComponentsBuilder` to parse an externally provided `URL` and perform validation checks on the host of the parsed URL. Note: This is the same as CVE-2024-22243, but with different input. How to fix Open Redirect? Upgrade `org.springframework:spring-web` to version 5.3.33, 6.0.18, 6.1.5 or higher.	[,5.3.33)[6.0.0,6.0.18)[6.1.0,6.1.5)
H Open Redirect org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform. Affected versions of this package are vulnerable to Open Redirect when `UriComponentsBuilder` parses an externally provided URL, and the application subsequently uses that URL. If it contains hierarchical components such as path, query, and fragment it may evade validation. How to fix Open Redirect? Upgrade `org.springframework:spring-web` to version 5.3.32, 6.0.17, 6.1.4 or higher.	[,5.3.32)[6.0.0,6.0.17)[6.1.0,6.1.4)
H XML External Entity (XXE) Injection org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform. Affected versions of this package are vulnerable to XML External Entity (XXE) Injection. This is due to not disabling the resolution of URI references by default in a DTD declaration. This occurs only when processing user provided XML documents. How to fix XML External Entity (XXE) Injection? Upgrade `org.springframework:spring-web` to version 3.2.9.RELEASE, 4.0.5.RELEASE or higher.	[3.0.0.RELEASE,3.2.9.RELEASE)[4.0.0.RELEASE,4.0.5.RELEASE)
M XML External Entity (XXE) Injection org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform. Affected versions of this package are vulnerable to XML External Entity (XXE) Injection. The `SourceHttpMessageConverter` processor does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315. How to fix XML External Entity (XXE) Injection? Upgrade `org.springframework:spring-web` to version 3.2.4.RELEASE, 4.0.1.RELEASE or higher.	[3.0.0.RELEASE,3.2.4.RELEASE)[4.0.0.RELEASE,4.0.1.RELEASE)
L Cross-site Scripting (XSS) org.springframework:spring-web package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform. Affected versions of this package are vulnerable to Cross-site Scripting (XSS). The `JavaScriptUtils.javaScriptEscape()` method did not escape all characters that are sensitive within either a JS single quoted string, JS double quoted string, or HTML script data context. In most cases this will result in an unexploitable parse error but in some cases it could result in an XSS vulnerability. How to fix Cross-site Scripting (XSS)? Upgrade `org.springframework:spring-web` to version 3.2.2.RELEASE or higher.	[3.0.0.RELEASE,3.2.2.RELEASE)
M XML External Entity (XXE) Injection org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform. Affected versions of this package are vulnerable to XML External Entity (XXE) Injection. The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue. How to fix XML External Entity (XXE) Injection? Upgrade `org.springframework:spring-web` to version 3.2.4, 4.0.0.M2 or higher.	[3,3.2.4)[4-alpha,4.0.0.M2)
M Cross-site Request Forgery (CSRF) `org.springframework:spring-web` Affected versions of this package do not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.	[3.0.0.RELEASE,3.2.8.RELEASE)[4.0.0.RELEASE,4.0.2.RELEASE)
M XML External Entity (XXE) Injection org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform. Affected versions of this package are vulnerable to XML External Entity (XXE) Injection due to not disabling external entity resolution for the `StAX` `XMLInputFactory`. This allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions. How to fix XML External Entity (XXE) Injection? Upgrade `org.springframework:spring-web` to version 3.2.4.RELEASE or higher.	[3.0.0.RELEASE,3.2.4.RELEASE)

Vulnerability

Vulnerable Version

Improper Handling of Case Sensitivity

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity due to String.toLowerCase() having some Locale dependent exceptions that could potentially result in fields not protected as expected.

Note: The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive.

How to fix Improper Handling of Case Sensitivity?

Upgrade org.springframework:spring-web to version 6.1.14 or higher.

[,6.1.14)

Denial of Service (DoS)

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to Denial of Service (DoS) in the form of improper ETag prefix validation when parsing ETags from the If-Match or If-None-Match request headers. An attacker can exploit this vulnerability to cause denial of service by sending a maliciously crafted conditional HTTP request.

How to fix Denial of Service (DoS)?

Upgrade org.springframework:spring-web to version 5.3.38, 6.0.23, 6.1.12 or higher.

[,5.3.38)[6.0.0,6.0.23)[6.1.0,6.1.12)

Open Redirect

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to Open Redirect when UriComponentsBuilder is used to parse an externally provided URL and perform validation checks on the host of the parsed URL.

Note: This is the same as CVE-2024-22259 and CVE-2024-22243, but with different input.

How to fix Open Redirect?

Upgrade org.springframework:spring-web to version 5.3.34, 6.0.19, 6.1.6 or higher.

[,5.3.34)[6.0.0,6.0.19)[6.1.0,6.1.6)

Open Redirect

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to Open Redirect when using UriComponentsBuilder to parse an externally provided URL and perform validation checks on the host of the parsed URL.

Note: This is the same as CVE-2024-22243, but with different input.

How to fix Open Redirect?

Upgrade org.springframework:spring-web to version 5.3.33, 6.0.18, 6.1.5 or higher.

[,5.3.33)[6.0.0,6.0.18)[6.1.0,6.1.5)

Open Redirect

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to Open Redirect when UriComponentsBuilder parses an externally provided URL, and the application subsequently uses that URL. If it contains hierarchical components such as path, query, and fragment it may evade validation.

How to fix Open Redirect?

Upgrade org.springframework:spring-web to version 5.3.32, 6.0.17, 6.1.4 or higher.

[,5.3.32)[6.0.0,6.0.17)[6.1.0,6.1.4)

XML External Entity (XXE) Injection

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection. This is due to not disabling the resolution of URI references by default in a DTD declaration. This occurs only when processing user provided XML documents.

How to fix XML External Entity (XXE) Injection?

Upgrade org.springframework:spring-web to version 3.2.9.RELEASE, 4.0.5.RELEASE or higher.

[3.0.0.RELEASE,3.2.9.RELEASE)[4.0.0.RELEASE,4.0.5.RELEASE)

XML External Entity (XXE) Injection

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection. The SourceHttpMessageConverter processor does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.

How to fix XML External Entity (XXE) Injection?

Upgrade org.springframework:spring-web to version 3.2.4.RELEASE, 4.0.1.RELEASE or higher.

[3.0.0.RELEASE,3.2.4.RELEASE)[4.0.0.RELEASE,4.0.1.RELEASE)

Cross-site Scripting (XSS)

org.springframework:spring-web package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). The JavaScriptUtils.javaScriptEscape() method did not escape all characters that are sensitive within either a JS single quoted string, JS double quoted string, or HTML script data context. In most cases this will result in an unexploitable parse error but in some cases it could result in an XSS vulnerability.

How to fix Cross-site Scripting (XSS)?

Upgrade org.springframework:spring-web to version 3.2.2.RELEASE or higher.

[3.0.0.RELEASE,3.2.2.RELEASE)

XML External Entity (XXE) Injection

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection. The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.

How to fix XML External Entity (XXE) Injection?

Upgrade org.springframework:spring-web to version 3.2.4, 4.0.0.M2 or higher.

[3,3.2.4)[4-alpha,4.0.0.M2)

Cross-site Request Forgery (CSRF)

org.springframework:spring-web Affected versions of this package do not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue.

NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.

[3.0.0.RELEASE,3.2.8.RELEASE)[4.0.0.RELEASE,4.0.2.RELEASE)

XML External Entity (XXE) Injection

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection due to not disabling external entity resolution for the StAX XMLInputFactory. This allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB.

NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.

How to fix XML External Entity (XXE) Injection?

Upgrade org.springframework:spring-web to version 3.2.4.RELEASE or higher.

[3.0.0.RELEASE,3.2.4.RELEASE)

org.springframework:spring-web@3.1.3.RELEASE vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities

How to fix?