CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-22095
https://notcve.org/view.php?id=CVE-2021-22095
30 Nov 2021 — In Spring AMQP versions 2.2.0 - 2.2.19 and 2.3.0 - 2.3.11, the Spring AMQP Message object, in its toString() method, will create a new String object from the message body, regardless of its size. This can cause an OOM Error with a large message En Spring AMQP versiones 2.2.0 - 2.2.19 y 2.3.0 - 2.3.11, el objeto Spring AMQP Message, en su método toString(), crea un nuevo objeto String a partir del cuerpo del mensaje, independientemente de su tamaño. Esto puede causar un error OOM con un mensaje grande • https://tanzu.vmware.com/security/cve-2021-22097 • CWE-502: Deserialization of Untrusted Data •
CVSS: 8.8EPSS: 89%CPEs: 1EXPL: 2CVE-2021-22053
https://notcve.org/view.php?id=CVE-2021-22053
19 Nov 2021 — Applications using both `spring-cloud-netflix-hystrix-dashboard` and `spring-boot-starter-thymeleaf` expose a way to execute code submitted within the request URI path during the resolution of view templates. When a request is made at `/hystrix/monitor;[user-provided data]`, the path elements following `hystrix/monitor` are being evaluated as SpringEL expressions, which can lead to code execution. Las aplicaciones que usan tanto "spring-cloud-netflix-hystrix-dashboard" como "spring-boot-starter-thymeleaf" e... • https://github.com/Vulnmachines/CVE-2021-22053 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-22051
https://notcve.org/view.php?id=CVE-2021-22051
08 Nov 2021 — Applications using Spring Cloud Gateway are vulnerable to specifically crafted requests that could make an extra request on downstream services. Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.5+, 2.2.x users should upgrade to 2.2.10.RELEASE or newer. Las aplicaciones que usan Spring Cloud Gateway son vulnerables a unas peticiones específicamente diseñadas que podrían hacer una petición extra en los servicios posteriores. Los usuarios de las versiones afec... • https://tanzu.vmware.com/security/cve-2021-22051 • CWE-863: Incorrect Authorization •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2021-22097
https://notcve.org/view.php?id=CVE-2021-22097
28 Oct 2021 — In Spring AMQP versions 2.2.0 - 2.2.18 and 2.3.0 - 2.3.10, the Spring AMQP Message object, in its toString() method, will deserialize a body for a message with content type application/x-java-serialized-object. It is possible to construct a malicious java.util.Dictionary object that can cause 100% CPU usage in the application if the toString() method is called. En Spring AMQP versiones 2.2.0 - 2.2.18 y 2.3.0 - 2.3.10, el objeto Spring AMQP Message, en su método toString(), deserializará un cuerpo para un me... • https://tanzu.vmware.com/security/cve-2021-22097 • CWE-502: Deserialization of Untrusted Data •
CVSS: 4.3EPSS: 0%CPEs: 11EXPL: 0CVE-2021-22096 – springframework: malicious input leads to insertion of additional log entries
https://notcve.org/view.php?id=CVE-2021-22096
28 Oct 2021 — In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. En Spring Framework versiones 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, y en versiones anteriores no soportadas, es posible para un usuario proporcionar una entrada maliciosa para causar una inserción de entradas de registro adicionales Red Hat Decision Manager is an open source decision management platform that combines bus... • https://security.netapp.com/advisory/ntap-20211125-0005 • CWE-117: Improper Output Neutralization for Logs •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2021-22047
https://notcve.org/view.php?id=CVE-2021-22047
28 Oct 2021 — In Spring Data REST versions 3.4.0 - 3.4.13, 3.5.0 - 3.5.5, and older unsupported versions, HTTP resources implemented by custom controllers using a configured base API path and a controller type-level request mapping are additionally exposed under URIs that can potentially be exposed for unauthorized access depending on the Spring Security configuration. En Spring Data REST versiones 3.4.0 - 3.4.13, 3.5.0 - 3.5.5, y versiones anteriores no soportadas, los recursos HTTP implementados por controladores perso... • https://tanzu.vmware.com/security/cve-2021-22047 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-22044
https://notcve.org/view.php?id=CVE-2021-22044
28 Oct 2021 — In Spring Cloud OpenFeign 3.0.0 to 3.0.4, 2.2.0.RELEASE to 2.2.9.RELEASE, and older unsupported versions, applications using type-level `@RequestMapping`annotations over Feign client interfaces, can be involuntarily exposing endpoints corresponding to `@RequestMapping`-annotated interface methods. En Spring Cloud OpenFeign versiones 3.0.0 a 3.0.4, 2.2.0.RELEASE a 2.2.9.RELEASE, y versiones anteriores no soportadas, las aplicaciones que usan anotaciones de "@RequestMapping" a nivel de tipo sobre las interfac... • https://tanzu.vmware.com/security/cve-2021-22044 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 7.5EPSS: 7%CPEs: 5EXPL: 1CVE-2021-22119 – spring-security: Denial-of-Service (DoS) attack via initiation of Authorization Request
https://notcve.org/view.php?id=CVE-2021-22119
29 Jun 2021 — Spring Security versions 5.5.x prior to 5.5.1, 5.4.x prior to 5.4.7, 5.3.x prior to 5.3.10 and 5.2.x prior to 5.2.11 are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client Web and WebFlux application. A malicious user or attacker can send multiple requests initiating the Authorization Request for the Authorization Code Grant, which has the potential of exhausting system resources using a single session or multiple sessions. Spring Security ... • https://github.com/mari6274/oauth-client-exploit • CWE-400: Uncontrolled Resource Consumption CWE-863: Incorrect Authorization •
CVSS: 7.8EPSS: 0%CPEs: 49EXPL: 0CVE-2021-22118 – spring-web: (re)creating the temporary storage directory could result in a privilege escalation within WebFlux application
https://notcve.org/view.php?id=CVE-2021-22118
27 May 2021 — In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with multipart request data. En Spring Framework, versiones 5.2.x anteriores a 5.2.15 y versiones 5.3.x anteriores a 5.3.7, una aplicación WebFlux es vulnerable a una e... • https://security.netapp.com/advisory/ntap-20210713-0005 • CWE-269: Improper Privilege Management CWE-281: Improper Preservation of Permissions CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 9.8EPSS: 2%CPEs: 4EXPL: 0CVE-2021-26987
https://notcve.org/view.php?id=CVE-2021-26987
15 Mar 2021 — Element Plug-in for vCenter Server incorporates SpringBoot Framework. SpringBoot Framework versions prior to 1.3.2 are susceptible to a vulnerability which when successfully exploited could lead to Remote Code Execution. All versions of Element Plug-in for vCenter Server, Management Services versions prior to 2.17.56 and Management Node versions through 12.2 contain vulnerable versions of SpringBoot Framework. Element Plug-in para vCenter Server incorpora SpringBoot Framework. Las versiones de SpringBo... • https://security.netapp.com/advisory/ntap-20210315-0001 •