org.springframework.data:spring-data-rest-webmvc@3.3.9.RELEASE

  • latest version

    5.1.0

  • first published

    13 years ago

  • latest version published

    14 days ago

  • Direct Vulnerabilities

    Known vulnerabilities in the org.springframework.data:spring-data-rest-webmvc package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable version
    • High severity: Improperly Controlled Modification of Dynamically-Determined Object Attributes

    org.springframework.data:spring-data-rest-webmvc is a Maven plugin for Spring Data REST - WebMVC.

    Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes due to missing write-access enforcement in the JsonPointerMapping class in JsonPointerMapping.java. When a JSON Patch (application/json-patch+json) request is processed, the write-access filter is applied only to the final segment of a multi-segment JSON Pointer and not to intermediate path segments. An attacker can send a JSON Patch request whose path traverses a container property marked read-only at the Jackson level into a nested embeddable object, collection, or map element that carries no per-field restriction, modifying data the application intends to be immutable.

    Note: Only applications whose domain model includes an embeddable object, collection, or map property whose container is marked read-only at the Jackson level, while the inner element type carries no per-field restriction, are affected.

    How to fix Improperly Controlled Modification of Dynamically-Determined Object Attributes?

    Upgrade org.springframework.data:spring-data-rest-webmvc to version 4.5.12, 5.0.6 or higher.

    Vulnerable versions: [,4.5.12), [5.0.0-M1,5.0.6)
    • High severity: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

    org.springframework.data:spring-data-rest-webmvc is a Maven plugin for Spring Data REST - WebMVC.

    Affected versions of this package are vulnerable to Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') in the processing of JSON Patch requests containing map-typed properties. An attacker can execute arbitrary SpEL expressions by supplying crafted map keys in the JSON Pointer path segment.

    How to fix Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')?

    Upgrade org.springframework.data:spring-data-rest-webmvc to version 4.5.12, 5.0.6 or higher.

    Vulnerable versions: [,4.5.12), [5.0.0-M1,5.0.6)
    • Medium severity: Information Exposure

    org.springframework.data:spring-data-rest-webmvc is a Maven plugin for Spring Data REST - WebMVC.

    Affected versions of this package are vulnerable to Information Exposure in the error response serialization. An attacker can gain access to sensitive internal information by triggering errors that cause the full exception cause chain to be included in HTTP responses.

    How to fix Information Exposure?

    Upgrade org.springframework.data:spring-data-rest-webmvc to version 4.5.12, 5.0.6 or higher.

    Vulnerable versions: [,4.5.12), [5.0.0-M1,5.0.6)
    • Medium severity: Access Control Bypass

    org.springframework.data:spring-data-rest-webmvc is a Maven plugin for Spring Data REST - WebMVC.

    Affected versions of this package are vulnerable to Access Control Bypass in the Querydsl integration, which accepts arbitrary persistent property paths as request-parameter filter keys without considering Jackson customizations before passing them to Querydsl. An attacker can access sensitive fields that are intended to be hidden by specifying crafted filter keys in requests.

    How to fix Access Control Bypass?

    Upgrade org.springframework.data:spring-data-rest-webmvc to version 4.5.12, 5.0.6 or higher.

    Vulnerable versions: [,4.5.12), [5.0.0-M1,5.0.6)
    • Medium severity: Information Exposure

    org.springframework.data:spring-data-rest-webmvc is a Maven plugin for Spring Data REST - WebMVC.

    Affected versions of this package are vulnerable to Information Exposure by allowing an attacker to craft HTTP requests that expose hidden entity attributes, provided the attacker knows the structure of the underlying domain model.

    Note: Applications that have generally disabled HTTP PATCH support, either through the corresponding configuration of Spring Data REST, Spring Boot, or through their runtime infrastructure, are not affected.

    How to fix Information Exposure?

    Upgrade org.springframework.data:spring-data-rest-webmvc to version 3.6.7, 3.7.3 or higher.

    Vulnerable versions: [0,3.6.7), [3.7.0,3.7.3)
    • Medium severity: Information Exposure

    org.springframework.data:spring-data-rest-webmvc is a Maven plugin for Spring Data REST - WebMVC.

    Affected versions of this package are vulnerable to Information Exposure. HTTP resources implemented by custom controllers using a configured base API path and a controller type-level request mapping are additionally exposed under URIs without the base path, which may be reachable without authorization depending on the Spring Security configuration.

    Note: This vulnerability is only exploitable in a project if the Spring Data REST base path configuration is set to a non-empty string AND the project registers a custom Spring MVC controller to customize HTTP resources in the URI space of Spring Data REST, that controller uses a type-level @RequestMapping annotation, and the project only secures the paths exposed by Spring Data REST within the base path but does not apply security measures to URIs matching the mappings without the configured base path prepended.

    How to fix Information Exposure?

    Upgrade org.springframework.data:spring-data-rest-webmvc to version 3.5.6, 3.4.14 or higher.

    Vulnerable versions: [3.5.0,3.5.6), [,3.4.14)