org.springframework:spring-web@5.2.2.RELEASE vulnerabilities

  • latest version

    6.2.0

  • latest non vulnerable version

  • first published

    19 years ago

  • latest version published

    20 days ago

  • licenses detected

  • package manager

  • Direct Vulnerabilities

    Known vulnerabilities in the org.springframework:spring-web package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • L
    Improper Handling of Case Sensitivity

    org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

    Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity due to String.toLowerCase() having some Locale dependent exceptions that could potentially result in fields not protected as expected.

    Note: The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive.

    How to fix Improper Handling of Case Sensitivity?

    Upgrade org.springframework:spring-web to version 6.1.14 or higher.

    [,6.1.14)
    • M
    Denial of Service (DoS)

    org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

    Affected versions of this package are vulnerable to Denial of Service (DoS) in the form of improper ETag prefix validation when parsing ETags from the If-Match or If-None-Match request headers. An attacker can exploit this vulnerability to cause denial of service by sending a maliciously crafted conditional HTTP request.

    How to fix Denial of Service (DoS)?

    Upgrade org.springframework:spring-web to version 5.3.38, 6.0.23, 6.1.12 or higher.

    [,5.3.38)[6.0.0,6.0.23)[6.1.0,6.1.12)
    • M
    Open Redirect

    org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

    Affected versions of this package are vulnerable to Open Redirect when UriComponentsBuilder is used to parse an externally provided URL and perform validation checks on the host of the parsed URL.

    Note: This is the same as CVE-2024-22259 and CVE-2024-22243, but with different input.

    How to fix Open Redirect?

    Upgrade org.springframework:spring-web to version 5.3.34, 6.0.19, 6.1.6 or higher.

    [,5.3.34)[6.0.0,6.0.19)[6.1.0,6.1.6)
    • H
    Open Redirect

    org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

    Affected versions of this package are vulnerable to Open Redirect when using UriComponentsBuilder to parse an externally provided URL and perform validation checks on the host of the parsed URL.

    Note: This is the same as CVE-2024-22243, but with different input.

    How to fix Open Redirect?

    Upgrade org.springframework:spring-web to version 5.3.33, 6.0.18, 6.1.5 or higher.

    [,5.3.33)[6.0.0,6.0.18)[6.1.0,6.1.5)
    • H
    Open Redirect

    org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

    Affected versions of this package are vulnerable to Open Redirect when UriComponentsBuilder parses an externally provided URL, and the application subsequently uses that URL. If it contains hierarchical components such as path, query, and fragment it may evade validation.

    How to fix Open Redirect?

    Upgrade org.springframework:spring-web to version 5.3.32, 6.0.17, 6.1.4 or higher.

    [,5.3.32)[6.0.0,6.0.17)[6.1.0,6.1.4)
    • M
    Privilege Escalation

    org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

    Affected versions of this package are vulnerable to Privilege Escalation. By recreating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with multipart request data.

    How to fix Privilege Escalation?

    Upgrade org.springframework:spring-web to version 5.3.7, 5.2.15.RELEASE or higher.

    [5.3.0,5.3.7)[5.0.0.RELEASE,5.2.15.RELEASE)
    • H
    Improper Input Validation

    org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

    Affected versions of this package are vulnerable to Improper Input Validation. The protections against Reflected File Download attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.

    How to fix Improper Input Validation?

    Upgrade org.springframework:spring-web to version 4.3.29.RELEASE, 5.0.19.RELEASE, 5.1.18.RELEASE, 5.2.9.RELEASE or higher.

    [3.2.0.RELEASE,4.3.29.RELEASE)[5.0.0.RELEASE,5.0.19.RELEASE)[5.1.0.RELEASE,5.1.18.RELEASE)[5.2.0.RELEASE,5.2.9.RELEASE)
    • H
    Reflected File Download (RFD)

    org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

    Affected versions of this package are vulnerable to Reflected File Download (RFD). A reflected file download attack is possible when the filename attribute of the Content-Disposition header is derived from user-supplied input.

    How to fix Reflected File Download (RFD)?

    Upgrade org.springframework:spring-web to version 5.2.3, 5.1.13, 5.0.16 or higher.

    [5.2.0,5.2.3)[5.1.0,5.1.13)[5.0.0,5.0.16)