41 results (0.010 seconds)

CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0

In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: * the application uses Spring MVC * Spring Security 6.1.6+ or 6.2.1+ is on the classpath Typically, Spring Boot applications need the org.springframework.boot:spring-boot-starter-web and org.springframework.boot:spring-boot-starter-security dependencies to meet all conditions. En las versiones 6.0.15 y 6.1.2 de Spring Framework, es posible que un usuario proporcione solicitudes HTTP especialmente manipuladas que pueden causar una condición de denegación de servicio (DoS). Específicamente, una aplicación es vulnerable cuando se cumple todo lo siguiente: * la aplicación usa Spring MVC * Spring Security 6.1.6+ o 6.2.1+ está en el classpath Normalmente, las aplicaciones Spring Boot necesitan org.springframework.boot:spring-boot-starter-web y org.springframework.boot:spring-boot-starter-security para cumplir con todas las condiciones. • https://security.netapp.com/advisory/ntap-20240614-0005 https://spring.io/security/cve-2024-22233 •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

In Spring Framework versions 6.0.0 - 6.0.13, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: * the application uses Spring MVC or Spring WebFlux * io.micrometer:micrometer-core is on the classpath * an ObservationRegistry is configured in the application to record observations Typically, Spring Boot applications need the org.springframework.boot:spring-boot-actuator dependency to meet all conditions. En las versiones 6.0.0 - 6.0.13 de Spring Framework, es posible que un usuario proporcione solicitudes HTTP especialmente manipuladas que pueden causar una condición de denegación de servicio (DoS). Específicamente, una aplicación es vulnerable cuando se cumple todo lo siguiente: * la aplicación usa Spring MVC o Spring WebFlux * io.micrometer:micrometer-core está en el classpath * un ObservationRegistry está configurado en la aplicación para registrar observaciones Typically, Spring Boot las aplicaciones necesitan la dependencia org.springframework.boot:spring-boot-actuator para cumplir con todas las condiciones. • https://security.netapp.com/advisory/ntap-20231214-0007 https://spring.io/security/cve-2023-34053 •

CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 1

An issue in Dromara SaToken version 1.36.0 and before allows a remote attacker to escalate privileges via a crafted payload to the URL. Un problema en Dromara SaToken versión 1.36.0 y anteriores permite a un atacante remoto escalar privilegios a través de un payload manipulado a la URL. • https://github.com/dromara/Sa-Token/issues/515 • CWE-284: Improper Access Control •

CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0

In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition. A flaw was found in Spring Framework. Certain versions of Spring Framework's Expression Language were not restricting the size of Spring Expressions. This could allow an attacker to craft a malicious Spring Expression to cause a denial of service on the server. • https://security.netapp.com/advisory/ntap-20240524-0015 https://spring.io/security/cve-2023-20863 https://access.redhat.com/security/cve/CVE-2023-20863 https://bugzilla.redhat.com/show_bug.cgi?id=2187742 • CWE-400: Uncontrolled Resource Consumption CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') •

CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 1

Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass. A flaw was found in Spring Framework. In this vulnerability, a security bypass is possible due to the behavior of the wildcard pattern. • https://github.com/limo520/CVE-2023-20860 https://security.netapp.com/advisory/ntap-20230505-0006 https://spring.io/security/cve-2023-20860 https://access.redhat.com/security/cve/CVE-2023-20860 https://bugzilla.redhat.com/show_bug.cgi?id=2180528 • CWE-155: Improper Neutralization of Wildcards or Matching Symbols •