The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Spring Framework

vulnerability note CVE-2018-1274

Spring Data Commons: denial of service via Unlimited Resource Allocation

Synthesis of the vulnerability

An attacker can generate a fatal error via Unlimited Resource Allocation of Spring Data Commons, in order to trigger a denial of service.
Impacted products: Spring Framework.
Severity: 2/4.
Consequences: denial of service on service, denial of service on client.
Provenance: internet client.
Creation date: 11/04/2018.
Identifiers: CVE-2018-1274, VIGILANCE-VUL-25844.

Description of the vulnerability

An attacker can generate a fatal error via Unlimited Resource Allocation of Spring Data Commons, in order to trigger a denial of service.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability bulletin CVE-2018-1275

Spring Framework: information disclosure via Multipart Content

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via Multipart Content of Spring Framework, in order to obtain sensitive information.
Impacted products: Oracle Communications, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle Internet Directory, Tuxedo, Oracle Virtual Directory, WebLogic, Spring Framework, SAS Add-in for Microsoft Office, SAS Analytics Pro, Base SAS Software, SAS Enterprise BI Server, SAS Enterprise Guide, SAS Grid Computing, SAS Management Console, SAS OLAP Server, SAS SAS/ACCESS, SAS SAS/AF, SAS SAS/CONNECT, SAS SAS/EIS, SAS SAS/ETS, SAS SAS/FSP, SAS SAS/GRAPH, SAS SAS/IML, SAS SAS/INSIGHT, SAS SAS/OR, SAS SAS/STAT, SAS SAS/Web Report Studio.
Severity: 2/4.
Consequences: data reading.
Provenance: intranet client.
Creation date: 10/04/2018.
Identifiers: cpujan2019, cpujul2018, cpujul2019, cpuoct2018, CVE-2018-1275, VIGILANCE-VUL-25828.

Description of the vulnerability

An attacker can bypass access restrictions to data via Multipart Content of Spring Framework, in order to obtain sensitive information.

computer vulnerability CVE-2018-1272

Spring Framework: information disclosure via Multipart Content

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via Multipart Content of Spring Framework, in order to obtain sensitive information.
Impacted products: Oracle Communications, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle Internet Directory, Tuxedo, Oracle Virtual Directory, WebLogic, Spring Framework, SAS Add-in for Microsoft Office, SAS Analytics Pro, Base SAS Software, SAS Enterprise BI Server, SAS Enterprise Guide, SAS Grid Computing, SAS Management Console, SAS OLAP Server, SAS SAS/ACCESS, SAS SAS/AF, SAS SAS/CONNECT, SAS SAS/EIS, SAS SAS/ETS, SAS SAS/FSP, SAS SAS/GRAPH, SAS SAS/IML, SAS SAS/INSIGHT, SAS SAS/OR, SAS SAS/STAT, SAS SAS/Web Report Studio.
Severity: 2/4.
Consequences: data reading.
Provenance: intranet client.
Creation date: 06/04/2018.
Identifiers: cpujan2019, cpujul2018, cpujul2019, cpuoct2018, CVE-2018-1272, RHSA-2018:2669-01, VIGILANCE-VUL-25785.

Description of the vulnerability

An attacker can bypass access restrictions to data via Multipart Content of Spring Framework, in order to obtain sensitive information.

vulnerability note CVE-2018-1271

Spring Framework: directory traversal via Spring MVC

Synthesis of the vulnerability

An attacker can traverse directories via Spring MVC of Spring Framework, in order to read a file outside the service root path.
Impacted products: Oracle Communications, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle Internet Directory, Tuxedo, Oracle Virtual Directory, WebLogic, Spring Framework, SAS Add-in for Microsoft Office, SAS Analytics Pro, Base SAS Software, SAS Enterprise BI Server, SAS Enterprise Guide, SAS Grid Computing, SAS Management Console, SAS OLAP Server, SAS SAS/ACCESS, SAS SAS/AF, SAS SAS/CONNECT, SAS SAS/EIS, SAS SAS/ETS, SAS SAS/FSP, SAS SAS/GRAPH, SAS SAS/IML, SAS SAS/INSIGHT, SAS SAS/OR, SAS SAS/STAT, SAS SAS/Web Report Studio.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 06/04/2018.
Identifiers: cpujan2019, cpujul2018, cpujul2019, cpuoct2018, CVE-2018-1271, RHSA-2018:2669-01, VIGILANCE-VUL-25784.

Description of the vulnerability

An attacker can traverse directories via Spring MVC of Spring Framework, in order to read a file outside the service root path.

vulnerability bulletin CVE-2018-1270

Spring Framework: code execution via spring-messaging

Synthesis of the vulnerability

An attacker can use a vulnerability via spring-messaging of Spring Framework, in order to run code.
Impacted products: Oracle Communications, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle Internet Directory, Tuxedo, Oracle Virtual Directory, WebLogic, Spring Framework, SAS Add-in for Microsoft Office, SAS Analytics Pro, Base SAS Software, SAS Enterprise BI Server, SAS Enterprise Guide, SAS Grid Computing, SAS Management Console, SAS OLAP Server, SAS SAS/ACCESS, SAS SAS/AF, SAS SAS/CONNECT, SAS SAS/EIS, SAS SAS/ETS, SAS SAS/FSP, SAS SAS/GRAPH, SAS SAS/IML, SAS SAS/INSIGHT, SAS SAS/OR, SAS SAS/STAT, SAS SAS/Web Report Studio.
Severity: 3/4.
Consequences: user access/rights.
Provenance: intranet client.
Creation date: 06/04/2018.
Identifiers: cpujan2019, cpujul2018, cpujul2019, cpuoct2018, CVE-2018-1270, VIGILANCE-VUL-25783.

Description of the vulnerability

An attacker can use a vulnerability via spring-messaging of Spring Framework, in order to run code.

computer vulnerability CVE-2018-1230

Spring Batch Admin: Cross Site Request Forgery

Synthesis of the vulnerability

An attacker can trigger a Cross Site Request Forgery of Spring Batch Admin, in order to force the victim to perform operations.
Impacted products: Spring Framework.
Severity: 2/4.
Consequences: user access/rights.
Provenance: internet client.
Creation date: 20/03/2018.
Identifiers: CVE-2018-1230, VIGILANCE-VUL-25605.

Description of the vulnerability

The Spring Batch Admin product offers a web service.

However, the origin of requests is not checked. They can, for example, originate from an image included in an HTML document.

An attacker can therefore trigger a Cross Site Request Forgery of Spring Batch Admin, in order to force the victim to perform operations.

vulnerability note CVE-2018-1229

Spring Batch Admin: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Spring Batch Admin, in order to run JavaScript code in the context of the web site.
Impacted products: Spring Framework.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 20/03/2018.
Identifiers: CVE-2018-1229, VIGILANCE-VUL-25604.

Description of the vulnerability

The Spring Batch Admin product offers a web service.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Spring Batch Admin, in order to run JavaScript code in the context of the web site.

computer vulnerability bulletin CVE-2018-1199

Spring Framework: privilege escalation via the request parameters

Synthesis of the vulnerability

An attacker can submit a URL to Spring Framework using a special encoding of the request parameters, in order to bypass request screening.
Impacted products: Spring Framework.
Severity: 2/4.
Consequences: privileged access/rights.
Provenance: internet client.
Creation date: 30/01/2018.
Identifiers: CVE-2018-1199, VIGILANCE-VUL-25178.

Description of the vulnerability

An attacker can submit a URL to Spring Framework using a special encoding of the request parameters, in order to bypass request screening.

vulnerability bulletin CVE-2017-8046

Pivotal Spring: code execution via PATCH Requests

Synthesis of the vulnerability

An attacker can use a vulnerability via PATCH Requests of Pivotal Spring, in order to run code.
Impacted products: Spring Framework.
Severity: 2/4.
Consequences: privileged access/rights, user access/rights.
Provenance: document.
Creation date: 28/11/2017.
Identifiers: CERTFR-2018-AVI-111, CVE-2017-8046, VIGILANCE-VUL-24553.

Description of the vulnerability

An attacker can use a vulnerability via PATCH Requests of Pivotal Spring, in order to run code.

vulnerability announcement CVE-2017-8045

Pivotal Spring AMQP: code execution via Message

Synthesis of the vulnerability

An attacker can use a vulnerability via Message of Pivotal Spring AMQP, in order to run code.
Impacted products: Spring Framework.
Severity: 2/4.
Consequences: privileged access/rights, user access/rights.
Provenance: document.
Creation date: 28/11/2017.
Identifiers: CVE-2017-8045, VIGILANCE-VUL-24552.

Description of the vulnerability

An attacker can use a vulnerability via Message of Pivotal Spring AMQP, in order to run code.