Search Results (Refine Search)
- Results Type: Overview
- Keyword (text search): spring boot
- Search Type: Search All
- CPE Name Search: false
- CPE Vendor: cpe:/:vmware
- CPE Product: cpe:/:vmware:spring_boot
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2023-34055 |
In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 3.1.0-3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: * the application uses Spring MVC or Spring WebFlux * org.springframework.boot:spring-boot-actuator is on the classpath Published: November 28, 2023; 4:15:07 AM -0500 |
V3.1: 6.5 MEDIUM V2.0:(not available) |
CVE-2023-20883 |
In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache. Published: May 26, 2023; 1:15:14 PM -0400 |
V3.1: 7.5 HIGH V2.0:(not available) |
CVE-2023-20873 |
In Spring Boot versions 3.0.0 - 3.0.5, 2.7.0 - 2.7.10, and older unsupported versions, an application that is deployed to Cloud Foundry could be susceptible to a security bypass. Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.6+. 2.7.x users should upgrade to 2.7.11+. Users of older, unsupported versions should upgrade to 3.0.6+ or 2.7.11+. Published: April 20, 2023; 5:15:08 PM -0400 |
V3.1: 9.8 CRITICAL V2.0:(not available) |
CVE-2023-22602 |
When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant style pattern matching. Mitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: `spring.mvc.pathmatch.matching-strategy = ant_path_matcher` Published: January 14, 2023; 5:15:09 AM -0500 |
V3.1: 7.5 HIGH V2.0:(not available) |
CVE-2018-1196 |
Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d linux service. The script included with Spring Boot 1.5.9 and earlier and 2.0.0.M1 through 2.0.0.M7 is susceptible to a symlink attack which allows the "run_user" to overwrite and take ownership of any file on the same system. In order to instigate the attack, the application must be installed as a service and the "run_user" requires shell access to the server. Spring Boot application that are not installed as a service, or are not using the embedded launch script are not susceptible. Published: March 19, 2018; 2:29:00 PM -0400 |
V3.0: 5.9 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2017-8046 |
Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code. Published: January 04, 2018; 1:29:00 AM -0500 |
V3.0: 9.8 CRITICAL V2.0: 7.5 HIGH |