Homepage
About Snyk

org.springframework:spring-web@6.0.12 vulnerabilities

Go back to all versions of this package
Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the org.springframework:spring-web package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Denial of Service (DoS)

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to Denial of Service (DoS) in the form of improper ETag prefix validation when parsing ETags from the If-Match or If-None-Match request headers. An attacker can exploit this vulnerability to cause denial of service by sending a maliciously crafted conditional HTTP request.

How to fix Denial of Service (DoS)?

Upgrade org.springframework:spring-web to version 5.3.38, 6.0.23, 6.1.12 or higher.

[,5.3.38) [6.0.0,6.0.23) [6.1.0,6.1.12)
  • M
Open Redirect

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to Open Redirect when UriComponentsBuilder is used to parse an externally provided URL and perform validation checks on the host of the parsed URL.

Note: This is the same as CVE-2024-22259 and CVE-2024-22243, but with different input.

How to fix Open Redirect?

Upgrade org.springframework:spring-web to version 5.3.34, 6.0.19, 6.1.6 or higher.

[,5.3.34) [6.0.0,6.0.19) [6.1.0,6.1.6)
  • H
Open Redirect

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to Open Redirect when using UriComponentsBuilder to parse an externally provided URL and perform validation checks on the host of the parsed URL.

Note: This is the same as CVE-2024-22243, but with different input.

How to fix Open Redirect?

Upgrade org.springframework:spring-web to version 5.3.33, 6.0.18, 6.1.5 or higher.

[,5.3.33) [6.0.0,6.0.18) [6.1.0,6.1.5)
  • H
Open Redirect

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to Open Redirect when UriComponentsBuilder parses an externally provided URL, and the application subsequently uses that URL. If it contains hierarchical components such as path, query, and fragment it may evade validation.

How to fix Open Redirect?

Upgrade org.springframework:spring-web to version 5.3.32, 6.0.17, 6.1.4 or higher.

[,5.3.32) [6.0.0,6.0.17) [6.1.0,6.1.4)
  • M
Denial of Service (DoS)

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to Denial of Service (DoS) when providing a specially crafted HTTP request.

To be vulnerable, these conditions must all be met (which is usually the case for applications dependent on org.springframework.boot:spring-boot-actuator):

  • The affected application uses Spring MVC or Spring WebFlux.

  • io.micrometer:micrometer-core is on the classpath.

  • An ObservationRegistry is configured in the application to record observations.

How to fix Denial of Service (DoS)?

Upgrade org.springframework:spring-web to version 6.0.14 or higher.

[6.0.0,6.0.14)
Go back to all versions of this package