org.springframework:spring-webmvc@5.2.1.RELEASE vulnerabilities

latest version

6.1.5
latest non vulnerable version

6.1.5
first published

18 years ago
latest version published

2 months ago
licenses detected
- Apache-2.0
  [0,)
package manager

View on Maven Repository

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the org.springframework:spring-webmvc package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
M Cross-Site Request Forgery (CSRF) org.springframework:spring-webmvc is a package that provides Model-View-Controller (MVC) architecture and ready components that can be used to develop flexible and loosely coupled web applications. Affected versions of this package are vulnerable to Cross-Site Request Forgery (CSRF) through CORS preflight requests that target Spring MVC (`spring-webmvc` module) or Spring WebFlux (`spring-webflux` module) endpoints. Only non-authenticated endpoints are vulnerable because preflight requests should not include credentials and therefore requests should fail authentication. However a notable exception to this are Chrome based browsers when using client certificates for authentication since Chrome sends TLS client certificates in CORS preflight requests in violation of spec requirements. No HTTP body can be sent or received as a result of this attack. How to fix Cross-Site Request Forgery (CSRF)? Upgrade `org.springframework:spring-webmvc` to version 5.2.3 or higher.	[5.2.0,5.2.3)

Cross-Site Request Forgery (CSRF)

org.springframework:spring-webmvc is a package that provides Model-View-Controller (MVC) architecture and ready components that can be used to develop flexible and loosely coupled web applications.

Affected versions of this package are vulnerable to Cross-Site Request Forgery (CSRF) through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable because preflight requests should not include credentials and therefore requests should fail authentication. However a notable exception to this are Chrome based browsers when using client certificates for authentication since Chrome sends TLS client certificates in CORS preflight requests in violation of spec requirements. No HTTP body can be sent or received as a result of this attack.

How to fix Cross-Site Request Forgery (CSRF)?

Upgrade org.springframework:spring-webmvc to version 5.2.3 or higher.

[5.2.0,5.2.3)

Go back to all versions of this package

org.springframework:spring-webmvc@5.2.1.RELEASE vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities