org.springframework:spring-core (Maven)

18 known CVEs affecting this package.

Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.

CVEs affecting org.springframework:spring-core
- CVE-2009-1190 | Severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 3.0.0.RELEASE | 2009-04-27
  vulnerable: 1.1 ... 2.5.6.SEC03 (44 versions)
  Algorithmic complexity vulnerability in the java.util.regex.Pattern.compile method in Sun Java Development Kit (JDK) before 1.6, when used with spring.jar in SpringSource Spring Framework 1.1.0 through 2.5.6 and 3.0.0.M1 through 3.0.0.M2 a…
- CVE-2011-2730 | Severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 2.5.7.SR023 | 2012-12-05
  VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive infor…
- CVE-2011-2894 | Severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 3.0.6 | 2011-10-04
  vulnerable: 3.0.0.RELEASE ... 3.0.5.RELEASE (6 versions)
  Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictio…
- CVE-2014-3578 | Severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 4.0.5 | 2015-02-19
  vulnerable: 4.0.0.RELEASE, 4.0.1.RELEASE, 4.0.2.RELEASE, 4.0.3.RELEASE, 4.0.4.RELEASE
  Directory traversal vulnerability in Pivotal Spring Framework 3.x before 3.2.9 and 4.0 before 4.0.5 allows remote attackers to read arbitrary files via a crafted URL.
- CVE-2015-0201 | Severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 4.1.5 | 2015-03-10
  vulnerable: 4.1.0.RELEASE, 4.1.1.RELEASE, 4.1.2.RELEASE, 4.1.3.RELEASE, 4.1.4.RELEASE
  The Java SockJS client in Pivotal Spring Framework 4.1.x before 4.1.5 generates predictable session ids, which allows remote attackers to send messages to other sessions via unspecified vectors.
- CVE-2015-5211 | Severity: CRITICAL | CVSS 9.6 | EG 9.6 | ✓ Fixed in 3.2.15 | 2017-05-25
  vulnerable: 1.0 ... 3.2.9.RELEASE (77 versions)
  Under some situations, the Spring Framework 4.2.0 to 4.2.1, 4.0.0 to 4.1.7, 3.2.0 to 3.2.14 and older unsupported versions is vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a …
- CVE-2016-5007 | Severity: HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 4.3.1 | 2017-05-25
  vulnerable: 1.0 ... 4.3.0.RELEASE (112 versions)
  Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern …
- CVE-2018-11040 | Severity: HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 4.3.18.RELEASE | 2018-06-25
  vulnerable: 4.3.0.RELEASE ... 4.3.9.RELEASE (18 versions)
  Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for RES…
- CVE-2018-1199 | Severity: MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 5.0.3 | 2018-03-16
  vulnerable: 5.0.0.RELEASE, 5.0.1.RELEASE, 5.0.2.RELEASE
  Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. B…
- CVE-2018-1257 | Severity: MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 4.3.17 | 2018-05-11
  vulnerable: 1.0 ... 4.3.9.RELEASE (128 versions)
  Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging…
- CVE-2018-1258 | Severity: HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 5.0.6.RELEASE | 2018-05-11
  vulnerable: 5.0.5.RELEASE
  Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be…
- CVE-2018-1271 | Severity: MEDIUM | CVSS 5.9 | EG 9.0 | ✓ Fixed in 4.3.15 | 2018-04-06
  vulnerable: 1.0 ... 4.3.9.RELEASE (126 versions)
  Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served fr…
- CVE-2018-1272 | Severity: HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 5.0.5 | 2018-04-06
  vulnerable: 5.0.0.RELEASE, 5.0.1.RELEASE, 5.0.2.RELEASE, 5.0.3.RELEASE, 5.0.4.RELEASE
  Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives inp…
- CVE-2018-15756 | Severity: HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 4.3.20.RELEASE | 2018-10-18
  vulnerable: 4.2.0.RELEASE ... 4.3.9.RELEASE (30 versions)
  Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequ…
- CVE-2021-22060 | Severity: MEDIUM | CVSS 4.3 | EG 4.3 | ✓ Fixed in 5.2.19 | 2022-01-10
  vulnerable: 5.2.0.RELEASE ... 5.2.9.RELEASE (19 versions)
  In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. This is a follow-up to CVE-2021-22096 that …
- CVE-2021-22096 | Severity: MEDIUM | CVSS 4.3 | EG 4.3 | ✓ Fixed in 5.2.18 | 2021-10-28
  vulnerable: 5.2.0.RELEASE ... 5.2.9.RELEASE (18 versions)
  In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.
- CVE-2024-22233 | Severity: HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 6.0.16 | 2024-01-22
  vulnerable: 6.0.15
  In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following a…
- CVE-2025-41249 | Severity: HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 6.2.11 | 2025-09-16
  vulnerable: 6.2.0 ... 6.2.9 (11 versions)
  The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for aut…