CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-34053 – Spring Framework server Web Observations DoS Vulnerability
https://notcve.org/view.php?id=CVE-2023-34053
28 Nov 2023 — In Spring Framework versions 6.0.0 - 6.0.13, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: * the application uses Spring MVC or Spring WebFlux * io.micrometer:micrometer-core is on the classpath * an ObservationRegistry is configured in the application to record observations Typically, Spring Boot applications need the org.springframework.boot:spring-boot-... • https://security.netapp.com/advisory/ntap-20231214-0007 •
CVSS: 10.0EPSS: 0%CPEs: 3EXPL: 0CVE-2023-20863 – springframework: Spring Expression DoS Vulnerability
https://notcve.org/view.php?id=CVE-2023-20863
13 Apr 2023 — In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition. A flaw was found in Spring Framework. Certain versions of Spring Framework's Expression Language were not restricting the size of Spring Expressions. This could allow an attacker to craft a malicious Spring Expression to cause a denial of service on the server. This release of Camel for Spring Boot 3.20.1 serv... • https://security.netapp.com/advisory/ntap-20240524-0015 • CWE-400: Uncontrolled Resource Consumption CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 1CVE-2023-20860 – springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern
https://notcve.org/view.php?id=CVE-2023-20860
27 Mar 2023 — Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass. A flaw was found in Spring Framework. In this vulnerability, a security bypass is possible due to the behavior of the wildcard pattern. Red Hat support for Spring Boot provides an application platform that reduces the complexity of developing ... • https://github.com/limo520/CVE-2023-20860 • CWE-155: Improper Neutralization of Wildcards or Matching Symbols •
CVSS: 6.8EPSS: 0%CPEs: 3EXPL: 0CVE-2023-20861 – springframework: Spring Expression DoS Vulnerability
https://notcve.org/view.php?id=CVE-2023-20861
23 Mar 2023 — In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition. A flaw found was found in Spring Framework. This flaw allows a malicious user to use a specially crafted SpEL expression that causes a denial of service (DoS). Red Hat support for Spring Boot provides an application platform that reduces the complexity of develop... • https://security.netapp.com/advisory/ntap-20230420-0007 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 9.8EPSS: 1%CPEs: 1EXPL: 5CVE-2016-1000027
https://notcve.org/view.php?id=CVE-2016-1000027
02 Jan 2020 — Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data. Pivotal Spring Framework hasta la versión 5.3.16 su... • https://github.com/artem-smotrakov/cve-2016-1000027-poc • CWE-502: Deserialization of Untrusted Data •