org.springframework.data:spring-data-commons 2.0.3.RELEASE

Direct Vulnerabilities

Known vulnerabilities in the org.springframework.data:spring-data-commons package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Allocation of Resources Without Limits or Throttling org.springframework.data:spring-data-commons is a maven plugin to centralize common resources and configuration for Spring Data Maven builds. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `property-lookup` cache. An attacker can cause unbounded memory consumption by sending repeated requests with unique, attacker-controlled property names, leading to heap exhaustion. Note: This is only exploitable if the application uses features that forward HTTP-supplied strings to `PropertyPath.from` without prior filtering, in particular Querydsl web bindings (via `QuerydslPredicateArgumentResolver`) with the default permit-all visibility, and `@ProjectedPayload` form-parameter binding (via `MapDataBinder`). How to fix Allocation of Resources Without Limits or Throttling? Upgrade `org.springframework.data:spring-data-commons` to version 3.5.12, 4.0.6 or higher.	[,3.5.12)[4.0.0-M1,4.0.6)
H Denial of Service (DoS) org.springframework.data:spring-data-commons is a maven plugin to centralize common resources and configuration for Spring Data Maven builds. Affected versions of this package are vulnerable to Denial of Service (DoS) in the parsing of `Sort` parameters. An attacker can cause a stack overflow and disrupt service availability by submitting specially crafted input to the affected parameter. Note: This is only exploitable if the application explicitly exposes an endpoint that accepts `Sort` parameters from untrusted sources and passes them on without performing sanitization or if the application exposes endpoints with parameters annotated with `@ProjectedPayload` or `@QuerydslPredicate`. How to fix Denial of Service (DoS)? Upgrade `org.springframework.data:spring-data-commons` to version 3.5.12, 4.0.6 or higher.	[,3.5.12)[4.0.0-M1,4.0.6)
H Denial of Service (DoS) org.springframework.data:spring-data-commons is a maven plugin to centralize common resources and configuration for Spring Data Maven builds. Affected versions of this package are vulnerable to Denial of Service (DoS) via the `MappingContext` property path resolution. An attacker can cause resource exhaustion by supplying specially crafted property path strings. How to fix Denial of Service (DoS)? Upgrade `org.springframework.data:spring-data-commons` to version 3.5.12, 4.0.6 or higher.	[,3.5.12)[4.0.0,4.0.6)
H Denial of Service (DoS) org.springframework.data:spring-data-commons is a maven plugin to centralize common resources and configuration for Spring Data Maven builds. Affected versions of this package are vulnerable to Denial of Service (DoS) via data binding. An attacker can exhaust system memory resources by sending specially crafted HTTP requests. Note: This is only exploitable if both Spring Data Web Support is enabled and a Controller method uses `@ProjectedPayload`. How to fix Denial of Service (DoS)? Upgrade `org.springframework.data:spring-data-commons` to version 3.5.12, 4.0.6 or higher.	[,3.5.12)[4.0.0-M1,4.0.6)
H Denial of Service (DoS) org.springframework.data:spring-data-commons is a part of the umbrella Spring Data project that provides shared infrastructure across the Spring Data projects. It contains technology neutral repository interfaces as well as a metadata model for persisting Java classes. Affected versions of this package are vulnerable to Denial of Service (DoS) attacks. It contains a property path parser vulnerability caused by unlimited resource allocation. An unauthenticated remote malicious user (or attacker) can issue requests against Spring Data REST endpoints or endpoints using property path parsing which can cause a denial of service (CPU and memory consumption). How to fix Denial of Service (DoS)? Upgrade `org.springframework.data:spring-data-commons` to versions 1.13.11, 2.0.6 or higher.	[,1.13.11.RELEASE)[2.0.0.RELEASE,2.0.6.RELEASE)
C Arbitrary Code Execution org.springframework.data:spring-data-commons is a maven plugin to centralize common resources and configuration for Spring Data Maven builds. Affected versions of this package are vulnerable to Arbitrary Code Execution. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding hat can lead to a remote code execution attack. How to fix Arbitrary Code Execution? Upgrade `org.springframework.data:spring-data-commons` to version 1.13.11.RELEASE, 2.0.6.RELEASE or higher.	[,1.13.11.RELEASE)[2.0.0.RELEASE,2.0.6.RELEASE)

Vulnerability

Vulnerable Version

Allocation of Resources Without Limits or Throttling

org.springframework.data:spring-data-commons is a maven plugin to centralize common resources and configuration for Spring Data Maven builds.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the property-lookup cache. An attacker can cause unbounded memory consumption by sending repeated requests with unique, attacker-controlled property names, leading to heap exhaustion.

Note:

This is only exploitable if the application uses features that forward HTTP-supplied strings to PropertyPath.from without prior filtering, in particular Querydsl web bindings (via QuerydslPredicateArgumentResolver) with the default permit-all visibility, and @ProjectedPayload form-parameter binding (via MapDataBinder).

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade org.springframework.data:spring-data-commons to version 3.5.12, 4.0.6 or higher.

[,3.5.12)[4.0.0-M1,4.0.6)

Denial of Service (DoS)

org.springframework.data:spring-data-commons is a maven plugin to centralize common resources and configuration for Spring Data Maven builds.

Affected versions of this package are vulnerable to Denial of Service (DoS) in the parsing of Sort parameters. An attacker can cause a stack overflow and disrupt service availability by submitting specially crafted input to the affected parameter.

Note:

This is only exploitable if the application explicitly exposes an endpoint that accepts Sort parameters from untrusted sources and passes them on without performing sanitization or if the application exposes endpoints with parameters annotated with @ProjectedPayload or @QuerydslPredicate.

How to fix Denial of Service (DoS)?

Upgrade org.springframework.data:spring-data-commons to version 3.5.12, 4.0.6 or higher.

[,3.5.12)[4.0.0-M1,4.0.6)

Denial of Service (DoS)

org.springframework.data:spring-data-commons is a maven plugin to centralize common resources and configuration for Spring Data Maven builds.

Affected versions of this package are vulnerable to Denial of Service (DoS) via the MappingContext property path resolution. An attacker can cause resource exhaustion by supplying specially crafted property path strings.

How to fix Denial of Service (DoS)?

Upgrade org.springframework.data:spring-data-commons to version 3.5.12, 4.0.6 or higher.

[,3.5.12)[4.0.0,4.0.6)

Denial of Service (DoS)

org.springframework.data:spring-data-commons is a maven plugin to centralize common resources and configuration for Spring Data Maven builds.

Affected versions of this package are vulnerable to Denial of Service (DoS) via data binding. An attacker can exhaust system memory resources by sending specially crafted HTTP requests.

Note:

This is only exploitable if both Spring Data Web Support is enabled and a Controller method uses @ProjectedPayload.

How to fix Denial of Service (DoS)?

Upgrade org.springframework.data:spring-data-commons to version 3.5.12, 4.0.6 or higher.

[,3.5.12)[4.0.0-M1,4.0.6)

Denial of Service (DoS)

org.springframework.data:spring-data-commons is a part of the umbrella Spring Data project that provides shared infrastructure across the Spring Data projects. It contains technology neutral repository interfaces as well as a metadata model for persisting Java classes.

Affected versions of this package are vulnerable to Denial of Service (DoS) attacks. It contains a property path parser vulnerability caused by unlimited resource allocation. An unauthenticated remote malicious user (or attacker) can issue requests against Spring Data REST endpoints or endpoints using property path parsing which can cause a denial of service (CPU and memory consumption).

How to fix Denial of Service (DoS)?

Upgrade org.springframework.data:spring-data-commons to versions 1.13.11, 2.0.6 or higher.

[,1.13.11.RELEASE)[2.0.0.RELEASE,2.0.6.RELEASE)

Arbitrary Code Execution

org.springframework.data:spring-data-commons is a maven plugin to centralize common resources and configuration for Spring Data Maven builds.

Affected versions of this package are vulnerable to Arbitrary Code Execution. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding hat can lead to a remote code execution attack.

How to fix Arbitrary Code Execution?

Upgrade org.springframework.data:spring-data-commons to version 1.13.11.RELEASE, 2.0.6.RELEASE or higher.

[,1.13.11.RELEASE)[2.0.0.RELEASE,2.0.6.RELEASE)

org.springframework.data:spring-data-commons@2.0.3.RELEASE

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically