Skip to content

spring-webmvc-5.3.4.jar: 20 vulnerabilities (highest severity is: 9.8) #7

Open
Open
spring-webmvc-5.3.4.jar: 20 vulnerabilities (highest severity is: 9.8)#7
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend
@mend-for-github-com

Description

@mend-for-github-com
mend-for-github-com
bot
opened on Aug 13, 2022
Vulnerable Library - spring-webmvc-5.3.4.jar

Spring Web MVC

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /les-2/files-2.1/org.springframework/spring-webmvc/5.3.4/8dd52fbe8eafcc7c80998087ec6635baf7a98c20/spring-webmvc-5.3.4.jar

Found in HEAD commit: 4cad55c933ef7b8dacffcf50bed01c27666b4018

Vulnerabilities

Vulnerability Severity CVSS Dependency Type Fixed in (spring-webmvc version) Remediation Possible**
CVE-2022-22965 Critical 9.8 detected in multiple dependencies Transitive 5.3.18
CVE-2025-41249 High 7.5 detected in multiple dependencies Transitive N/A*
CVE-2024-38819 High 7.5 spring-webmvc-5.3.4.jar Direct 6.1.14
CVE-2024-38816 High 7.5 spring-webmvc-5.3.4.jar Direct 6.1.13
CVE-2023-20860 High 7.5 spring-webmvc-5.3.4.jar Direct 5.3.26
CVE-2023-20863 Medium 6.5 spring-expression-5.3.4.jar Transitive 5.3.27
CVE-2023-20861 Medium 6.5 spring-expression-5.3.4.jar Transitive 5.3.26
CVE-2022-22950 Medium 6.5 spring-expression-5.3.4.jar Transitive 5.3.17
CVE-2026-22737 Medium 5.9 spring-webmvc-5.3.4.jar Direct org.springframework:spring-webflux:6.2.17,org.springframework:spring-webflux:7.0.6,https://github.com/spring-projects/spring-framework.git - v7.0.6
CVE-2025-41242 Medium 5.9 detected in multiple dependencies Transitive N/A*
CVE-2024-38828 Medium 5.3 detected in multiple dependencies Transitive N/A*
CVE-2022-22970 Medium 5.3 detected in multiple dependencies Transitive 5.3.20
CVE-2022-22968 Medium 5.3 spring-context-5.3.4.jar Transitive 5.3.19
CVE-2024-38808 Medium 4.3 spring-expression-5.3.4.jar Transitive 5.3.39
CVE-2021-22096 Medium 4.3 detected in multiple dependencies Transitive 5.3.12
CVE-2021-22060 Medium 4.3 detected in multiple dependencies Transitive 5.3.14
CVE-2026-22741 Low 3.1 spring-webmvc-5.3.4.jar Direct org.springframework:spring-webmvc:7.0.7,org.springframework:spring-webmvc:6.2.18,https://github.com/spring-projects/spring-framework.git - v7.0.7,org.springframework:spring-webflux:6.2.18,org.springframework:spring-webflux:7.0.7,https://github.com/spring-projects/spring-framework.git - v6.2.18
CVE-2025-22233 Low 3.1 spring-context-5.3.4.jar Transitive N/A*
CVE-2024-38820 Low 3.1 detected in multiple dependencies Transitive N/A*
CVE-2026-22735 Low 2.6 spring-webmvc-5.3.4.jar Direct org.springframework:spring-webmvc:7.0.6,https://github.com/spring-projects/spring-framework.git - v7.0.6,https://github.com/spring-projects/spring-framework.git - v6.1.21,org.springframework:spring-web:7.0.6,org.springframework:spring-web:6.2.17,org.springframework:spring-webmvc:6.2.17,https://github.com/spring-projects/spring-framework.git - v6.2.17

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-22965

Vulnerable Libraries - spring-beans-5.3.4.jar, spring-webmvc-5.3.4.jar

spring-beans-5.3.4.jar

Spring Beans

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-beans/5.3.4/ac6c5ea0ba82f555405f74104cf378f8071c6d25/spring-beans-5.3.4.jar

Dependency Hierarchy:

  • spring-webmvc-5.3.4.jar (Root Library)
    • spring-beans-5.3.4.jar (Vulnerable Library)

spring-webmvc-5.3.4.jar

Spring Web MVC

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /les-2/files-2.1/org.springframework/spring-webmvc/5.3.4/8dd52fbe8eafcc7c80998087ec6635baf7a98c20/spring-webmvc-5.3.4.jar

Dependency Hierarchy:

  • spring-webmvc-5.3.4.jar (Vulnerable Library)

Found in HEAD commit: 4cad55c933ef7b8dacffcf50bed01c27666b4018

Found in base branch: main

Vulnerability Details

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2022-04-01

URL: CVE-2022-22965

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

Release Date: 2022-04-01

Fix Resolution (org.springframework:spring-beans): 5.3.18

Direct dependency fix Resolution (org.springframework:spring-webmvc): 5.3.18

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2025-41249

Vulnerable Libraries - spring-core-5.3.5.jar, spring-core-5.3.4.jar

spring-core-5.3.5.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/5.3.5/633de7c79bfeccf05c81a0d4a32b3336010f06ab/spring-core-5.3.5.jar

Dependency Hierarchy:

  • spring-webmvc-5.3.4.jar (Root Library)
    • spring-core-5.3.5.jar (Vulnerable Library)

spring-core-5.3.4.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/5.3.4/46c1f8abd9e02a292c42a257350f365cec152b5d/spring-core-5.3.4.jar

Dependency Hierarchy:

  • spring-webmvc-5.3.4.jar (Root Library)
    • spring-core-5.3.4.jar (Vulnerable Library)

Found in HEAD commit: 4cad55c933ef7b8dacffcf50bed01c27666b4018

Found in base branch: main

Vulnerability Details

The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-09-16

URL: CVE-2025-41249

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2025-41249

Release Date: 2025-09-14

Fix Resolution: https://github.com/spring-projects/spring-framework.git - v6.2.11,org.springframework:spring-core:6.2.11

CVE-2024-38819

Vulnerable Library - spring-webmvc-5.3.4.jar

Spring Web MVC

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /les-2/files-2.1/org.springframework/spring-webmvc/5.3.4/8dd52fbe8eafcc7c80998087ec6635baf7a98c20/spring-webmvc-5.3.4.jar

Dependency Hierarchy:

  • spring-webmvc-5.3.4.jar (Vulnerable Library)

Found in HEAD commit: 4cad55c933ef7b8dacffcf50bed01c27666b4018

Found in base branch: main

Vulnerability Details

Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.

Publish Date: 2024-12-19

URL: CVE-2024-38819

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2024-38819

Release Date: 2024-12-19

Fix Resolution: 6.1.14

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2024-38816

Vulnerable Library - spring-webmvc-5.3.4.jar

Spring Web MVC

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /les-2/files-2.1/org.springframework/spring-webmvc/5.3.4/8dd52fbe8eafcc7c80998087ec6635baf7a98c20/spring-webmvc-5.3.4.jar

Dependency Hierarchy:

  • spring-webmvc-5.3.4.jar (Vulnerable Library)

Found in HEAD commit: 4cad55c933ef7b8dacffcf50bed01c27666b4018

Found in base branch: main

Vulnerability Details

Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.
Specifically, an application is vulnerable when both of the following are true:

  • the web application uses RouterFunctions to serve static resources
  • resource handling is explicitly configured with a FileSystemResource location
    However, malicious requests are blocked and rejected when any of the following is true:
  • the Spring Security HTTP Firewall https://docs.spring.io/spring-security/reference/servlet/exploits/firewall.html  is in use
  • the application runs on Tomcat or Jetty
    Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2024-09-13

URL: CVE-2024-38816

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2024-38816

Release Date: 2024-09-13

Fix Resolution: 6.1.13

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-20860

Vulnerable Library - spring-webmvc-5.3.4.jar

Spring Web MVC

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /les-2/files-2.1/org.springframework/spring-webmvc/5.3.4/8dd52fbe8eafcc7c80998087ec6635baf7a98c20/spring-webmvc-5.3.4.jar

Dependency Hierarchy:

  • spring-webmvc-5.3.4.jar (Vulnerable Library)

Found in HEAD commit: 4cad55c933ef7b8dacffcf50bed01c27666b4018

Found in base branch: main

Vulnerability Details

Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.

Publish Date: 2023-03-27

URL: CVE-2023-20860

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/blog/2023/03/21/this-week-in-spring-march-21st-2023/

Release Date: 2023-03-27

Fix Resolution: 5.3.26

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-20863

Vulnerable Library - spring-expression-5.3.4.jar

Spring Expression Language (SpEL)

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-expression/5.3.4/42b71fa955e43a86471509aef14cefe756fc3794/spring-expression-5.3.4.jar

Dependency Hierarchy:

  • spring-webmvc-5.3.4.jar (Root Library)
    • spring-expression-5.3.4.jar (Vulnerable Library)

Found in HEAD commit: 4cad55c933ef7b8dacffcf50bed01c27666b4018

Found in base branch: main

Vulnerability Details

In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

Publish Date: 2023-04-13

URL: CVE-2023-20863

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-20863

Release Date: 2023-04-13

Fix Resolution (org.springframework:spring-expression): 5.3.27

Direct dependency fix Resolution (org.springframework:spring-webmvc): 5.3.27

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-20861

Vulnerable Library - spring-expression-5.3.4.jar

Spring Expression Language (SpEL)

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-expression/5.3.4/42b71fa955e43a86471509aef14cefe756fc3794/spring-expression-5.3.4.jar

Dependency Hierarchy:

  • spring-webmvc-5.3.4.jar (Root Library)
    • spring-expression-5.3.4.jar (Vulnerable Library)

Found in HEAD commit: 4cad55c933ef7b8dacffcf50bed01c27666b4018

Found in base branch: main

Vulnerability Details

In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

Publish Date: 2023-03-23

URL: CVE-2023-20861

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-20861

Release Date: 2023-03-23

Fix Resolution (org.springframework:spring-expression): 5.3.26

Direct dependency fix Resolution (org.springframework:spring-webmvc): 5.3.26

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-22950

Vulnerable Library - spring-expression-5.3.4.jar

Spring Expression Language (SpEL)

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-expression/5.3.4/42b71fa955e43a86471509aef14cefe756fc3794/spring-expression-5.3.4.jar

Dependency Hierarchy:

  • spring-webmvc-5.3.4.jar (Root Library)
    • spring-expression-5.3.4.jar (Vulnerable Library)

Found in HEAD commit: 4cad55c933ef7b8dacffcf50bed01c27666b4018

Found in base branch: main

Vulnerability Details

n Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.

Publish Date: 2022-04-01

URL: CVE-2022-22950

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-22950

Release Date: 2022-04-01

Fix Resolution (org.springframework:spring-expression): 5.3.17

Direct dependency fix Resolution (org.springframework:spring-webmvc): 5.3.17

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2026-22737

Vulnerable Library - spring-webmvc-5.3.4.jar

Spring Web MVC

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /les-2/files-2.1/org.springframework/spring-webmvc/5.3.4/8dd52fbe8eafcc7c80998087ec6635baf7a98c20/spring-webmvc-5.3.4.jar

Dependency Hierarchy:

  • spring-webmvc-5.3.4.jar (Vulnerable Library)

Found in HEAD commit: 4cad55c933ef7b8dacffcf50bed01c27666b4018

Found in base branch: main

Vulnerability Details

Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views. This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.

Publish Date: 2026-03-19

URL: CVE-2026-22737

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2026-22737

Release Date: 2026-03-19

Fix Resolution: org.springframework:spring-webflux:6.2.17,org.springframework:spring-webflux:7.0.6,https://github.com/spring-projects/spring-framework.git - v7.0.6

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2025-41242

Vulnerable Libraries - spring-beans-5.3.4.jar, spring-webmvc-5.3.4.jar

spring-beans-5.3.4.jar

Spring Beans

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-beans/5.3.4/ac6c5ea0ba82f555405f74104cf378f8071c6d25/spring-beans-5.3.4.jar

Dependency Hierarchy:

  • spring-webmvc-5.3.4.jar (Root Library)
    • spring-beans-5.3.4.jar (Vulnerable Library)

spring-webmvc-5.3.4.jar

Spring Web MVC

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /les-2/files-2.1/org.springframework/spring-webmvc/5.3.4/8dd52fbe8eafcc7c80998087ec6635baf7a98c20/spring-webmvc-5.3.4.jar

Dependency Hierarchy:

  • spring-webmvc-5.3.4.jar (Vulnerable Library)

Found in HEAD commit: 4cad55c933ef7b8dacffcf50bed01c27666b4018

Found in base branch: main

Vulnerability Details

Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container.
An application can be vulnerable when all the following are true:

Publish Date: 2025-08-18

URL: CVE-2025-41242

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-08-18

Fix Resolution: https://github.com/spring-projects/spring-framework.git - v6.2.10,org.springframework:spring-beans:6.2.10

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2024-38828

Vulnerable Libraries - spring-core-5.3.4.jar, spring-webmvc-5.3.4.jar, spring-core-5.3.5.jar

spring-core-5.3.4.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/5.3.4/46c1f8abd9e02a292c42a257350f365cec152b5d/spring-core-5.3.4.jar

Dependency Hierarchy:

  • spring-webmvc-5.3.4.jar (Root Library)
    • spring-core-5.3.4.jar (Vulnerable Library)

spring-webmvc-5.3.4.jar

Spring Web MVC

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /les-2/files-2.1/org.springframework/spring-webmvc/5.3.4/8dd52fbe8eafcc7c80998087ec6635baf7a98c20/spring-webmvc-5.3.4.jar

Dependency Hierarchy:

  • spring-webmvc-5.3.4.jar (Vulnerable Library)

spring-core-5.3.5.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/5.3.5/633de7c79bfeccf05c81a0d4a32b3336010f06ab/spring-core-5.3.5.jar

Dependency Hierarchy:

  • spring-webmvc-5.3.4.jar (Root Library)
    • spring-core-5.3.5.jar (Vulnerable Library)

Found in HEAD commit: 4cad55c933ef7b8dacffcf50bed01c27666b4018

Found in base branch: main

Vulnerability Details

Spring MVC controller methods with an @RequestBody byte[] method parameter are vulnerable to a DoS attack.

Publish Date: 2024-11-18

URL: CVE-2024-38828

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

CVE-2022-22970

Vulnerable Libraries - spring-core-5.3.4.jar, spring-core-5.3.5.jar, spring-beans-5.3.4.jar

spring-core-5.3.4.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/5.3.4/46c1f8abd9e02a292c42a257350f365cec152b5d/spring-core-5.3.4.jar

Dependency Hierarchy:

  • spring-webmvc-5.3.4.jar (Root Library)
    • spring-core-5.3.4.jar (Vulnerable Library)

spring-core-5.3.5.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/5.3.5/633de7c79bfeccf05c81a0d4a32b3336010f06ab/spring-core-5.3.5.jar

Dependency Hierarchy:

  • spring-webmvc-5.3.4.jar (Root Library)
    • spring-core-5.3.5.jar (Vulnerable Library)

spring-beans-5.3.4.jar

Spring Beans

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-beans/5.3.4/ac6c5ea0ba82f555405f74104cf378f8071c6d25/spring-beans-5.3.4.jar

Dependency Hierarchy:

  • spring-webmvc-5.3.4.jar (Root Library)
    • spring-beans-5.3.4.jar (Vulnerable Library)

Found in HEAD commit: 4cad55c933ef7b8dacffcf50bed01c27666b4018

Found in base branch: main

Vulnerability Details

In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.

Publish Date: 2022-05-12

URL: CVE-2022-22970

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-22970

Release Date: 2022-05-12

Fix Resolution (org.springframework:spring-core): 5.3.20

Direct dependency fix Resolution (org.springframework:spring-webmvc): 5.3.20

Fix Resolution (org.springframework:spring-core): 5.3.20

Direct dependency fix Resolution (org.springframework:spring-webmvc): 5.3.20

Fix Resolution (org.springframework:spring-beans): 5.3.20

Direct dependency fix Resolution (org.springframework:spring-webmvc): 5.3.20

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-22968

Vulnerable Library - spring-context-5.3.4.jar

Spring Context

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-context/5.3.4/fbeadeb0e4d272599a938ec345e99e5f9a76e919/spring-context-5.3.4.jar

Dependency Hierarchy:

  • spring-webmvc-5.3.4.jar (Root Library)
    • spring-context-5.3.4.jar (Vulnerable Library)

Found in HEAD commit: 4cad55c933ef7b8dacffcf50bed01c27666b4018

Found in base branch: main

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.

Publish Date: 2022-04-14

URL: CVE-2022-22968

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-22968

Release Date: 2022-04-14

Fix Resolution (org.springframework:spring-context): 5.3.19

Direct dependency fix Resolution (org.springframework:spring-webmvc): 5.3.19

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2024-38808

Vulnerable Library - spring-expression-5.3.4.jar

Spring Expression Language (SpEL)

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-expression/5.3.4/42b71fa955e43a86471509aef14cefe756fc3794/spring-expression-5.3.4.jar

Dependency Hierarchy:

  • spring-webmvc-5.3.4.jar (Root Library)
    • spring-expression-5.3.4.jar (Vulnerable Library)

Found in HEAD commit: 4cad55c933ef7b8dacffcf50bed01c27666b4018

Found in base branch: main

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.38 and older unsupported versions, it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) expression that may cause a denial of service (DoS) condition.
Specifically, an application is vulnerable when the following is true:

  • The application evaluates user-supplied SpEL expressions.
    Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2024-08-20

URL: CVE-2024-38808

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2024-38808

Release Date: 2024-08-20

Fix Resolution (org.springframework:spring-expression): 5.3.39

Direct dependency fix Resolution (org.springframework:spring-webmvc): 5.3.39

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-22096

Vulnerable Libraries - spring-core-5.3.4.jar, spring-webmvc-5.3.4.jar, spring-core-5.3.5.jar

spring-core-5.3.4.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/5.3.4/46c1f8abd9e02a292c42a257350f365cec152b5d/spring-core-5.3.4.jar

Dependency Hierarchy:

  • spring-webmvc-5.3.4.jar (Root Library)
    • spring-core-5.3.4.jar (Vulnerable Library)

spring-webmvc-5.3.4.jar

Spring Web MVC

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /les-2/files-2.1/org.springframework/spring-webmvc/5.3.4/8dd52fbe8eafcc7c80998087ec6635baf7a98c20/spring-webmvc-5.3.4.jar

Dependency Hierarchy:

  • spring-webmvc-5.3.4.jar (Vulnerable Library)

spring-core-5.3.5.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/5.3.5/633de7c79bfeccf05c81a0d4a32b3336010f06ab/spring-core-5.3.5.jar

Dependency Hierarchy:

  • spring-webmvc-5.3.4.jar (Root Library)
    • spring-core-5.3.5.jar (Vulnerable Library)

Found in HEAD commit: 4cad55c933ef7b8dacffcf50bed01c27666b4018

Found in base branch: main

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.

Publish Date: 2021-10-28

URL: CVE-2021-22096

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2021-22096

Release Date: 2021-10-28

Fix Resolution (org.springframework:spring-core): 5.3.12

Direct dependency fix Resolution (org.springframework:spring-webmvc): 5.3.12

Fix Resolution (org.springframework:spring-core): 5.3.12

Direct dependency fix Resolution (org.springframework:spring-webmvc): 5.3.12

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-22060

Vulnerable Libraries - spring-core-5.3.4.jar, spring-core-5.3.5.jar

spring-core-5.3.4.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/5.3.4/46c1f8abd9e02a292c42a257350f365cec152b5d/spring-core-5.3.4.jar

Dependency Hierarchy:

  • spring-webmvc-5.3.4.jar (Root Library)
    • spring-core-5.3.4.jar (Vulnerable Library)

spring-core-5.3.5.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/5.3.5/633de7c79bfeccf05c81a0d4a32b3336010f06ab/spring-core-5.3.5.jar

Dependency Hierarchy:

  • spring-webmvc-5.3.4.jar (Root Library)
    • spring-core-5.3.5.jar (Vulnerable Library)

Found in HEAD commit: 4cad55c933ef7b8dacffcf50bed01c27666b4018

Found in base branch: main

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. This is a follow-up to CVE-2021-22096 that protects against additional types of input and in more places of the Spring Framework codebase.

Publish Date: 2022-01-07

URL: CVE-2021-22060

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2021-22060

Release Date: 2022-01-07

Fix Resolution (org.springframework:spring-core): 5.3.14

Direct dependency fix Resolution (org.springframework:spring-webmvc): 5.3.14

Fix Resolution (org.springframework:spring-core): 5.3.14

Direct dependency fix Resolution (org.springframework:spring-webmvc): 5.3.14

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2026-22741

Vulnerable Library - spring-webmvc-5.3.4.jar

Spring Web MVC

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /les-2/files-2.1/org.springframework/spring-webmvc/5.3.4/8dd52fbe8eafcc7c80998087ec6635baf7a98c20/spring-webmvc-5.3.4.jar

Dependency Hierarchy:

  • spring-webmvc-5.3.4.jar (Vulnerable Library)

Found in HEAD commit: 4cad55c933ef7b8dacffcf50bed01c27666b4018

Found in base branch: main

Vulnerability Details

Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources.

More precisely, an application can be vulnerable when all the following are true:

the application is using Spring MVC or Spring WebFlux
the application is configuring the resource chain support with caching enabled
the application adds support for encoded resources resolution
the resource cache must be empty when the attacker has access to the application
When all the conditions above are met, the attacker can send malicious requests and poison the resource cache with resources using the wrong encoding. This can cause a denial of service by breaking the front-end application for clients.

Publish Date: 2026-04-18

URL: CVE-2026-22741

CVSS 3 Score Details (3.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2026-22741

Release Date: 2026-04-18

Fix Resolution: org.springframework:spring-webmvc:7.0.7,org.springframework:spring-webmvc:6.2.18,https://github.com/spring-projects/spring-framework.git - v7.0.7,org.springframework:spring-webflux:6.2.18,org.springframework:spring-webflux:7.0.7,https://github.com/spring-projects/spring-framework.git - v6.2.18

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2025-22233

Vulnerable Library - spring-context-5.3.4.jar

Spring Context

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-context/5.3.4/fbeadeb0e4d272599a938ec345e99e5f9a76e919/spring-context-5.3.4.jar

Dependency Hierarchy:

  • spring-webmvc-5.3.4.jar (Root Library)
    • spring-context-5.3.4.jar (Vulnerable Library)

Found in HEAD commit: 4cad55c933ef7b8dacffcf50bed01c27666b4018

Found in base branch: main

Vulnerability Details

CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names. However, there are still cases where it is possible to bypass the disallowedFields checks.
Affected Spring Products and Versions
Spring Framework:

  • 6.2.0 - 6.2.6
  • 6.1.0 - 6.1.19
  • 6.0.0 - 6.0.27
  • 5.3.0 - 5.3.42
  • Older, unsupported versions are also affected
    Mitigation
    Users of affected versions should upgrade to the corresponding fixed version.
    Affected version(s)Fix Version Availability 6.2.x
    6.2.7
    OSS6.1.x
    6.1.20
    OSS6.0.x
    6.0.28
    Commercial https://enterprise.spring.io/ 5.3.x
    5.3.43
    Commercial https://enterprise.spring.io/
    No further mitigation steps are necessary.
    Generally, we recommend using a dedicated model object with properties only for data binding, or using constructor binding since constructor arguments explicitly declare what to bind together with turning off setter binding through the declarativeBinding flag. See the Model Design section in the reference documentation.
    For setting binding, prefer the use of allowedFields (an explicit list) over disallowedFields.
    Credit
    This issue was responsibly reported by the TERASOLUNA Framework Development Team from NTT DATA Group Corporation.

Publish Date: 2025-05-16

URL: CVE-2025-22233

CVSS 3 Score Details (3.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2025-22233

Release Date: 2025-05-16

Fix Resolution: https://github.com/spring-projects/spring-framework.git - v6.1.20 ,org.springframework:spring-context:6.1.20,org.springframework:spring-context:6.2.7,https://github.com/spring-projects/spring-framework.git - v6.2.7

CVE-2024-38820

Vulnerable Libraries - spring-core-5.3.4.jar, spring-core-5.3.5.jar, spring-context-5.3.4.jar, spring-webmvc-5.3.4.jar

spring-core-5.3.4.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/5.3.4/46c1f8abd9e02a292c42a257350f365cec152b5d/spring-core-5.3.4.jar

Dependency Hierarchy:

  • spring-webmvc-5.3.4.jar (Root Library)
    • spring-core-5.3.4.jar (Vulnerable Library)

spring-core-5.3.5.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/5.3.5/633de7c79bfeccf05c81a0d4a32b3336010f06ab/spring-core-5.3.5.jar

Dependency Hierarchy:

  • spring-webmvc-5.3.4.jar (Root Library)
    • spring-core-5.3.5.jar (Vulnerable Library)

spring-context-5.3.4.jar

Spring Context

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-context/5.3.4/fbeadeb0e4d272599a938ec345e99e5f9a76e919/spring-context-5.3.4.jar

Dependency Hierarchy:

  • spring-webmvc-5.3.4.jar (Root Library)
    • spring-context-5.3.4.jar (Vulnerable Library)

spring-webmvc-5.3.4.jar

Spring Web MVC

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /les-2/files-2.1/org.springframework/spring-webmvc/5.3.4/8dd52fbe8eafcc7c80998087ec6635baf7a98c20/spring-webmvc-5.3.4.jar

Dependency Hierarchy:

  • spring-webmvc-5.3.4.jar (Vulnerable Library)

Found in HEAD commit: 4cad55c933ef7b8dacffcf50bed01c27666b4018

Found in base branch: main

Vulnerability Details

The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.

Publish Date: 2024-10-18

URL: CVE-2024-38820

CVSS 3 Score Details (3.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2024-38820

Release Date: 2024-10-18

Fix Resolution: org.springframework:spring-context:6.1.14

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2026-22735

Vulnerable Library - spring-webmvc-5.3.4.jar

Spring Web MVC

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /les-2/files-2.1/org.springframework/spring-webmvc/5.3.4/8dd52fbe8eafcc7c80998087ec6635baf7a98c20/spring-webmvc-5.3.4.jar

Dependency Hierarchy:

  • spring-webmvc-5.3.4.jar (Vulnerable Library)

Found in HEAD commit: 4cad55c933ef7b8dacffcf50bed01c27666b4018

Found in base branch: main

Vulnerability Details

Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE). This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.

Publish Date: 2026-03-19

URL: CVE-2026-22735

CVSS 3 Score Details (2.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2026-22735

Release Date: 2026-03-19

Fix Resolution: org.springframework:spring-webmvc:7.0.6,https://github.com/spring-projects/spring-framework.git - v7.0.6,https://github.com/spring-projects/spring-framework.git - v6.1.21,org.springframework:spring-web:7.0.6,org.springframework:spring-web:6.2.17,org.springframework:spring-webmvc:6.2.17,https://github.com/spring-projects/spring-framework.git - v6.2.17

⛑️ Automatic Remediation will be attempted for this issue.

⛑️Automatic Remediation will be attempted for this issue.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions