CVSS: 5.3EPSS: 22%CPEs: 5EXPL: 2CVE-2014-3625 – Framework: directory traversal flaw
https://notcve.org/view.php?id=CVE-2014-3625
20 Nov 2014 — Directory traversal vulnerability in Pivotal Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x before 4.0.8, and 4.1.x before 4.1.2 allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling. Vulnerabilidad de salto de directorio (Directory Traversal) en Pivotal Spring Framework versión 3.0.4 hasta 3.2.x anterior a 3.2.12, versión 4.0.x anterior a 4.0.8 y versión 4.1.x anterior a 4.1.2, permite a atacantes remotos leer archivos arbitrarios por medio ... • https://github.com/ilmila/springcss-cve-2014-3625 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.8EPSS: 0%CPEs: 34EXPL: 0CVE-2014-0225 – Framework: Information disclosure via SSRF
https://notcve.org/view.php?id=CVE-2014-0225
02 Oct 2014 — When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack. Al procesar un documento XML proporcionado por el usuario, el Framework Spring, versiones de la 4.0.0 a la 4.0.4 y de la 3.0.0 a la 3.2.8 y otras versiones anteriores ya no soportadas, no desactiva por defecto la resolución de las referencias URI en una declarac... • https://pivotal.io/security/cve-2014-0225 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 6.8EPSS: 79%CPEs: 34EXPL: 0CVE-2014-0054 – Framework: incomplete fix for CVE-2013-7315/CVE-2013-6429
https://notcve.org/view.php?id=CVE-2014-0054
12 Mar 2014 — The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429. Jaxb2RootElementHttpMessageConverter en Spring MVC en Spring Framework anterio... • http://rhn.redhat.com/errata/RHSA-2014-0400.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.8EPSS: 0%CPEs: 28EXPL: 1CVE-2013-7315
https://notcve.org/view.php?id=CVE-2013-7315
23 Jan 2014 — The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions. El Spring MVC en Spring Framework anterior ... • http://seclists.org/bugtraq/2013/Aug/154 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.8EPSS: 86%CPEs: 4EXPL: 0CVE-2013-6429 – Framework: XML External Entity (XXE) injection flaw
https://notcve.org/view.php?id=CVE-2013-6429
15 Jan 2014 — The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315. El SourceHttpMessageConverter en Spring MVC en Spring Framework antes de 3.2.5 y 4.0.0.M1 hasta 4.0.0.RC1 no desactiva resoluc... • http://rhn.redhat.com/errata/RHSA-2014-0400.html • CWE-352: Cross-Site Request Forgery (CSRF) CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 6.8EPSS: 84%CPEs: 27EXPL: 1CVE-2013-4152 – Framework: XML External Entity (XXE) injection flaw
https://notcve.org/view.php?id=CVE-2013-4152
23 Aug 2013 — The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue. El wrapper Spring OXM en Spring Framework anterior a la versión 3... • http://rhn.redhat.com/errata/RHSA-2014-0212.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 10%CPEs: 2EXPL: 1CVE-2011-2894 – Security: Chosen commands execution on the server (Framework) or authentication token bypass (Security) by objects de-serialization
https://notcve.org/view.php?id=CVE-2011-2894
04 Oct 2011 — Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by (1) serializing a java.lang.Proxy instance and using InvocationHandler, or (2) accessing internal AOP interfaces, as demonstrated using deserialization of a DefaultListableBeanFactory instance to execute arbitrary commands via the java.lang... • https://github.com/pwntester/SpringBreaker • CWE-502: Deserialization of Untrusted Data •