This page lists Spring advisories.
CVE-2024-22263: Arbitrary File Write Vulnerability in Spring Cloud Data Flow
CVE-2024-22262: Spring Framework URL Parsing with Host Validation (3rd report)
Description
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect attack or to an SSRF attack if the URL…
CVE-2024-22258: PKCE Downgrade in Spring Authorization Server
Description
Spring Authorization Server versions 1.0.0 - 1.0.5, 1.1.0 - 1.1.5, 1.2.0 - 1.2.2 and older unsupported versions are susceptible to a PKCE Downgrade Attack for Confidential Clients.
Specifically, an application is vulnerable when a Confidential Client uses PKCE for the Authorization Code…
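The check that closes the downgrade described above, as an added example (not Spring Authorization Server code; the class, record and method names are hypothetical). The point is the second branch: once a code_challenge has been bound to an authorization code, a token request that omits code_verifier must fail even though the confidential client also presented its client secret. Requires Java 17 for records and switch expressions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

// Server-side PKCE enforcement at the token endpoint (added example, hypothetical names).
public final class PkceEnforcement {

    // What the authorization server stored when it issued the code: the code_challenge
    // and method from the authorization request (null when the client sent none).
    public record IssuedCode(String codeChallenge, String codeChallengeMethod, boolean confidentialClient) {}

    // S256 transform from RFC 7636: BASE64URL(SHA256(ASCII(code_verifier))) without padding.
    static String s256(String codeVerifier) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(codeVerifier.getBytes(StandardCharsets.US_ASCII));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.US_ASCII),
                                     b.getBytes(StandardCharsets.US_ASCII));
    }

    // Returns true only if the token request is allowed to redeem the code.
    public static boolean codeVerifierAcceptable(IssuedCode issued, String codeVerifier) {
        if (issued.codeChallenge() == null) {
            // No PKCE on the authorization request. A confidential client is authenticated
            // by its credentials; a public client without PKCE gets no free pass.
            return issued.confidentialClient();
        }
        if (codeVerifier == null || codeVerifier.isEmpty()) {
            // Downgrade attempt: a challenge is bound to this code but no verifier was sent.
            // Client authentication does not substitute for it.
            return false;
        }
        if (codeVerifier.length() < 43 || codeVerifier.length() > 128) {
            return false; // RFC 7636 section 4.1 length bounds
        }
        String method = issued.codeChallengeMethod() == null ? "plain" : issued.codeChallengeMethod();
        String expected = switch (method) {
            case "S256" -> s256(codeVerifier);
            case "plain" -> codeVerifier;
            default -> null; // unknown method: such a code should never have been issued
        };
        return expected != null && constantTimeEquals(expected, issued.codeChallenge());
    }

    public static void main(String[] args) {
        // Verifier from RFC 7636 appendix B; the matching S256 challenge is computed here.
        String verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";
        IssuedCode withPkce = new IssuedCode(s256(verifier), "S256", true);
        System.out.println(codeVerifierAcceptable(withPkce, verifier));       // true
        System.out.println(codeVerifierAcceptable(withPkce, null));           // false: downgrade rejected
        System.out.println(codeVerifierAcceptable(withPkce, "x".repeat(43))); // false: wrong verifier
        IssuedCode noPkce = new IssuedCode(null, null, false);
        System.out.println(codeVerifierAcceptable(noPkce, null));             // false: public client without PKCE
    }
}
```

The decision has to be made from state recorded at authorization time, not from what the token request claims: if the server only checks code_verifier when the token request contains one, the attacker simply leaves it out.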
CVE-2024-22257: Possible Broken Access Control in Spring Security With Direct Use of AuthenticatedVoter
CVE-2024-22259: Spring Framework URL Parsing with Host Validation (2nd report)
Description
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect attack or to an SSRF attack if the URL…
CVE-2024-22243: Spring Framework URL Parsing with Host Validation
Description
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect attack or to an SSRF attack if the URL…
CVE-2024-22234: Broken Access Control in Spring Security With Direct Use of isFullyAuthenticated
CVE-2024-22236: local information disclosure via temporary directory created with unsafe permissions
Description
In Spring Cloud Contract, versions 4.1.x prior to 4.1.1, versions 4.0.x prior to 4.0.5, and versions 3.1.x prior to 3.1.10, test execution is vulnerable to local information disclosure via temporary directory created with unsafe permissions through the shaded com.google.guava:guava dependency in the org.springframework.cloud:spring-cloud-contract-shade dependency.
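The underlying mistake, and its correction, as an added example (not Spring Cloud Contract or Guava code; class and method names are hypothetical). A directory created with java.io.File.mkdir() under the system temp directory inherits the process umask, which on a typical 022 umask leaves it world-listable; java.nio.file.Files.createTempDirectory with an explicit POSIX attribute applies owner-only permissions at creation time, with no window in which the directory exists wide open. The example also re-checks the resulting bits rather than trusting the request.

```java
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

// Added example; hypothetical names, not project code.
public final class PrivateTempDir {

    private static final Set<PosixFilePermission> OWNER_ONLY = PosixFilePermissions.fromString("rwx------");

    static boolean posix() {
        return FileSystems.getDefault().supportedFileAttributeViews().contains("posix");
    }

    // Creates a temp directory that only the current user can enter, list or write.
    public static Path create(String prefix) throws IOException {
        if (!posix()) {
            // Non-POSIX (e.g. Windows): no mode bits to set; the per-user temp location's ACL applies.
            return Files.createTempDirectory(prefix);
        }
        FileAttribute<Set<PosixFilePermission>> attr = PosixFilePermissions.asFileAttribute(OWNER_ONLY);
        Path dir = Files.createTempDirectory(prefix, attr);
        // The attribute is applied by the create call itself, but verify anyway: a
        // filesystem that ignores mode bits would otherwise pass silently.
        if (!isOwnerOnly(dir)) {
            Files.delete(dir);
            throw new IOException("temp dir " + dir + " is not owner-only");
        }
        return dir;
    }

    // True if no group or other permission bit is set on the path.
    public static boolean isOwnerOnly(Path dir) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(dir);
        return perms.stream().allMatch(p -> p.name().startsWith("OWNER_"));
    }

    public static void main(String[] args) throws IOException {
        if (!posix()) {
            System.out.println("no POSIX permissions on this filesystem; nothing to compare");
            return;
        }
        // The unsafe shape: File.mkdir() takes whatever the umask allows.
        Path unsafe = Path.of(System.getProperty("java.io.tmpdir"), "demo-unsafe-" + System.nanoTime());
        if (unsafe.toFile().mkdir()) {
            System.out.println(unsafe + " owner-only? " + isOwnerOnly(unsafe)); // usually false
            Files.delete(unsafe);
        }
        // The corrected shape.
        Path safe = create("demo-safe-");
        System.out.println(safe + " owner-only? " + isOwnerOnly(safe)); // true
        Files.delete(safe);
    }
}
```

When the offending call lives in a shaded dependency, as here, there is no call site to patch in application code; the check above is what a test or startup probe can run to confirm the upgraded artifact no longer produces a shared-readable directory.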
Affected Spring Products and Versions
- Spring Cloud Contract
- 4.1.0
- 4.0.0 to 4.0.4
- 3.1.0 to 3.1.9
Mitigation
Users of affected versions should upgrade Spring Cloud Contract: 4.1.x users to 4.1.1, 4.0.x users to 4.0.5, 3.1.x users to 3.1.10. No other steps are necessary. Releases that have fixed this issue include:
- Spring Cloud Contract
- 4.1.1
- 4.0.5
- 3.1.10
Credit
This issue was identified and responsibly reported by Michael Kimball from Oddball.
CVE-2024-22233: Spring Framework server Web DoS Vulnerability
Description
In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.
Specifically, an application is vulnerable when all of the following are true:
- the application uses Spring MVC
- Spring Security 6.1.6+ or 6.2.1+ is on the classpath …
Reporting a vulnerability
To report a security vulnerability for a project within the Spring portfolio, see the Security Policy