org.springframework:spring-web@4.0.1.RELEASE vulnerabilities

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to Open Redirect when UriComponentsBuilder is used to parse an externally provided URL and perform validation checks on the host of the parsed URL.

Note: This is the same as CVE-2024-22259 and CVE-2024-22243, but with different input.

Upgrade org.springframework:spring-web to version 5.3.34, 6.0.19, 6.1.6 or higher.

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to Open Redirect when using UriComponentsBuilder to parse an externally provided URL and perform validation checks on the host of the parsed URL.

Note: This is the same as CVE-2024-22243, but with different input.

Upgrade org.springframework:spring-web to version 5.3.33, 6.0.18, 6.1.5 or higher.

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to Open Redirect when UriComponentsBuilder parses an externally provided URL, and the application subsequently uses that URL. If it contains hierarchical components such as path, query, and fragment it may evade validation.

Upgrade org.springframework:spring-web to version 5.3.32, 6.0.17, 6.1.4 or higher.

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to Improper Input Validation. The protections against Reflected File Download attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.

Upgrade org.springframework:spring-web to version 4.3.29.RELEASE, 5.0.19.RELEASE, 5.1.18.RELEASE, 5.2.9.RELEASE or higher.

org.springframework:spring-web package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to Reflected File Download via a crafted URL with a batch script extension, resulting in the response being downloaded rather than rendered.

Upgrade org.springframework:spring-web to version 3.2.15.RELEASE, 4.1.8.RELEASE, 4.2.2.RELEASE or higher.

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to Denial of Service (DoS). It does not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.

Upgrade org.springframework:spring-web to version 3.2.14.RELEASE, 4.1.7.RELEASE or higher.

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection. This is due to not disabling the resolution of URI references by default in a DTD declaration. This occurs only when processing user provided XML documents.

Upgrade org.springframework:spring-web to version 3.2.9.RELEASE, 4.0.5.RELEASE or higher.

org.springframework:spring-web Affected versions of this package do not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue.

NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.