org.springframework.data:spring-data-commons@3.5.11

  • latest version

    4.0.5

  • first published

    13 years ago

  • latest version published

    2 months ago

  • Direct Vulnerabilities

    Known vulnerabilities in the org.springframework.data:spring-data-commons package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • High severity: Allocation of Resources Without Limits or Throttling

    org.springframework.data:spring-data-commons is a maven plugin to centralize common resources and configuration for Spring Data Maven builds.

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the property-lookup cache. An attacker can cause unbounded memory consumption by sending repeated requests with unique, attacker-controlled property names, leading to heap exhaustion.

    Note:

    This is only exploitable if the application uses features that forward HTTP-supplied strings to PropertyPath.from without prior filtering, in particular Querydsl web bindings (via QuerydslPredicateArgumentResolver) with the default permit-all visibility, and @ProjectedPayload form-parameter binding (via MapDataBinder).

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade org.springframework.data:spring-data-commons to version 3.5.12, 4.0.6 or higher.

    Vulnerable versions: [,3.5.12), [4.0.0-M1,4.0.6)
    • High severity: Denial of Service (DoS)

    org.springframework.data:spring-data-commons is a maven plugin to centralize common resources and configuration for Spring Data Maven builds.

    Affected versions of this package are vulnerable to Denial of Service (DoS) in the parsing of Sort parameters. An attacker can cause a stack overflow and disrupt service availability by submitting specially crafted input to the affected parameter.

    Note:

    This is only exploitable if the application explicitly exposes an endpoint that accepts Sort parameters from untrusted sources and passes them on without sanitization, or if the application exposes endpoints with parameters annotated with @ProjectedPayload or @QuerydslPredicate.

    How to fix Denial of Service (DoS)?

    Upgrade org.springframework.data:spring-data-commons to version 3.5.12, 4.0.6 or higher.

    Vulnerable versions: [,3.5.12), [4.0.0-M1,4.0.6)
    • High severity: Denial of Service (DoS)

    org.springframework.data:spring-data-commons is a maven plugin to centralize common resources and configuration for Spring Data Maven builds.

    Affected versions of this package are vulnerable to Denial of Service (DoS) via the MappingContext property path resolution. An attacker can cause resource exhaustion by supplying specially crafted property path strings.

    How to fix Denial of Service (DoS)?

    Upgrade org.springframework.data:spring-data-commons to version 3.5.12, 4.0.6 or higher.

    Vulnerable versions: [,3.5.12), [4.0.0,4.0.6)
    • High severity: Denial of Service (DoS)

    org.springframework.data:spring-data-commons is a maven plugin to centralize common resources and configuration for Spring Data Maven builds.

    Affected versions of this package are vulnerable to Denial of Service (DoS) via data binding. An attacker can exhaust system memory resources by sending specially crafted HTTP requests.

    Note:

    This is only exploitable if both Spring Data Web Support is enabled and a Controller method uses @ProjectedPayload.

    How to fix Denial of Service (DoS)?

    Upgrade org.springframework.data:spring-data-commons to version 3.5.12, 4.0.6 or higher.

    Vulnerable versions: [,3.5.12), [4.0.0-M1,4.0.6)