Shodan
Vulnerabilities
Vulnerable Software
Vmware:  >> Spring Framework  >> 5.3.26  Security Vulnerabilities
CVE-2024-38820
The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.
CVSS Score
3.1
EPSS Score
0.001
Published
2024-10-18
CVE-2024-38808
In Spring Framework versions 5.3.0 - 5.3.38 and older unsupported versions, it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) expression that may cause a denial of service (DoS) condition. Specifically, an application is vulnerable when the following is true: * The application evaluates user-supplied SpEL expressions.
CVSS Score
4.3
EPSS Score
0.003
Published
2024-08-20
CVE-2024-22259
Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html  attack or to a SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.
CVSS Score
8.1
EPSS Score
0.305
Published
2024-03-16
CVE-2023-44794
An issue in Dromara SaToken version 1.36.0 and before allows a remote attacker to escalate privileges via a crafted payload to the URL.
CVSS Score
9.8
EPSS Score
0.02
Published
2023-10-25
CVE-2023-20863
In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
CVSS Score
6.5
EPSS Score
0.008
Published
2023-04-13
CVE-2016-1000027
Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
CVSS Score
9.8
EPSS Score
0.592
Published
2020-01-02


Products
Pricing
Contact Us

Shodan ® - All rights reserved