
CVE-2025-22223
https://notcve.org/view.php?id=CVE-2025-22223
24 Mar 2025 — Spring Security 6.4.0 - 6.4.3 may not correctly locate method security annotations on parameterized types or methods. This may cause an authorization bypass. You are not affected if you are not using @EnableMethodSecurity, or you do not have method security annotations on parameterized types or methods, or all method security annotations are attached to target methods. • https://spring.io/security/cve-2025-22223 • CWE-290: Authentication Bypass by Spoofing •

CVE-2025-22228 – CVE-2025-22228: Spring Security BCryptPasswordEncoder does not enforce maximum password length
https://notcve.org/view.php?id=CVE-2025-22228
20 Mar 2025 — BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same. • https://spring.io/security/cve-2025-22228 • CWE-287: Improper Authentication •

CVE-2024-38829 – Spring LDAP sensitive data exposure for case-sensitive comparisons
https://notcve.org/view.php?id=CVE-2024-38829
04 Dec 2024 — A vulnerability in VMware Tanzu Spring LDAP allows data exposure for case-sensitive comparisons. This issue affects Spring LDAP: from 2.4.0 through 2.4.3, from 3.0.0 through 3.0.9, from 3.1.0 through 3.1.7, from 3.2.0 through 3.2.7, AND all versions prior to 2.4.0. The usage of String.toLowerCase() and String.toUpperCase() has some Locale-dependent exceptions that could potentially result in unintended columns being queried. Related to CVE-2024-38820: https://spring.io/security/cve-2024-38820 • https://spring.io/security/cve-2024-38829 • CWE-178: Improper Handling of Case Sensitivity •

CVE-2024-38828 – CVE-2024-38828: DoS via Spring MVC controller method with byte[] parameter
https://notcve.org/view.php?id=CVE-2024-38828
18 Nov 2024 — Spring MVC controller methods with an @RequestBody byte[] method parameter are vulnerable to a DoS attack. • https://spring.io/security/cve-2024-38828 • CWE-400: Uncontrolled Resource Consumption •

CVE-2024-38821 – Authorization Bypass of Static Resources in WebFlux Applications
https://notcve.org/view.php?id=CVE-2024-38821
28 Oct 2024 — Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances. For this to impact an application, all of the following must be true:
* It must be a WebFlux application
* It must be using Spring's static resources support
* It must have a non-permitAll authorization rule applied to the static resources support
• https://github.com/zetraxz/CVE-2024-38821 • CWE-770: Allocation of Resources Without Limits or Throttling •

CVE-2024-38816 – CVE-2024-38816: Path traversal vulnerability in functional web frameworks
https://notcve.org/view.php?id=CVE-2024-38816
13 Sep 2024 — Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running. Specifically, an application is vulnerable when both of the following are true:
* the web application uses RouterFunctions to serve static resources
* resource handling is explicitly configured with a F...
• https://github.com/masa42/CVE-2024-38816-PoC • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2024-38807 – CVE-2024-38807: Signature Forgery Vulnerability in Spring Boot's Loader
https://notcve.org/view.php?id=CVE-2024-38807
23 Aug 2024 — Applications that use spring-boot-loader or spring-boot-loader-classic and contain custom code that performs signature verification of nested jar files may be vulnerable to signature forgery, where content that appears to have been signed by one signer has, in fact, been signed by another. • https://spring.io/security/cve-2024-38807 • CWE-290: Authentication Bypass by Spoofing • CWE-347: Improper Verification of Cryptographic Signature •

CVE-2024-22263 – Arbitrary File Write Vulnerability in Spring Cloud Data Flow
https://notcve.org/view.php?id=CVE-2024-22263
19 Jun 2024 — Spring Cloud Data Flow provides microservices-based streaming and batch data processing on Cloud Foundry and Kubernetes. The Skipper server has the ability to receive upload package requests. However, due to improper sanitization of the upload path, a malicious user with access to the Skipper server API can use a crafted upload request to write an arbitrary file to any location on the file system, potentially compromising the server. • https://github.com/securelayer7/CVE-2024-22263_Scanner • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2023-29986
https://notcve.org/view.php?id=CVE-2023-29986
11 May 2023 — spring-boot-actuator-logview 0.2.13 allows Directory Traversal to sibling directories via LogViewEndpoint.view. • https://github.com/lukashinsch/spring-boot-actuator-logview/issues/33 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2020-19704
https://notcve.org/view.php?id=CVE-2020-19704
26 Aug 2021 — A stored cross-site scripting (XSS) vulnerability via ResourceController.java in spring-boot-admin as of 20190710 allows attackers to execute arbitrary web scripts or HTML. • https://github.com/sail-y/spring-boot-admin/issues/7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •