The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Spring Framework

vulnerability bulletin CVE-2017-8046

Pivotal Spring: code execution via PATCH Requests

Synthesis of the vulnerability

An attacker can use a vulnerability via PATCH Requests of Pivotal Spring, in order to run code.
Impacted products: Spring Framework.
Severity: 2/4.
Consequences: privileged access/rights, user access/rights.
Provenance: document.
Creation date: 28/11/2017.
Identifiers: CERTFR-2018-AVI-111, CVE-2017-8046, VIGILANCE-VUL-24553.

Description of the vulnerability

An attacker can use a vulnerability via PATCH Requests of Pivotal Spring, in order to run code.

vulnerability announce CVE-2017-8045

Pivotal Spring AMQP: code execution via Message

Synthesis of the vulnerability

An attacker can use a vulnerability via Message of Pivotal Spring AMQP, in order to run code.
Impacted products: Spring Framework.
Severity: 2/4.
Consequences: privileged access/rights, user access/rights.
Provenance: document.
Creation date: 28/11/2017.
Identifiers: CVE-2017-8045, VIGILANCE-VUL-24552.

Description of the vulnerability

An attacker can use a vulnerability via Message of Pivotal Spring AMQP, in order to run code.

vulnerability alert CVE-2017-8039

Pivotal Spring Web Flow: information disclosure

Synthesis of the vulnerability

An attacker can bypass access restrictions to data of Pivotal Spring Web Flow, in order to obtain sensitive information.
Impacted products: Spring Framework.
Severity: 2/4.
Consequences: data reading.
Provenance: document.
Creation date: 28/11/2017.
Identifiers: CVE-2017-8039, VIGILANCE-VUL-24551.

Description of the vulnerability

An attacker can bypass access restrictions to data of Pivotal Spring Web Flow, in order to obtain sensitive information.

vulnerability CVE-2017-8040 CVE-2017-8041 CVE-2017-8044

Pivotal Single Sign-On for PCF: three vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Pivotal Single Sign-On for PCF.
Impacted products: Spring Framework.
Severity: 2/4.
Consequences: client access/rights, data reading.
Provenance: document.
Number of vulnerabilities in this bulletin: 3.
Creation date: 28/11/2017.
Identifiers: CVE-2017-8040, CVE-2017-8041, CVE-2017-8044, VIGILANCE-VUL-24550.

Description of the vulnerability

An attacker can use several vulnerabilities of Pivotal Single Sign-On for PCF.

computer vulnerability note CVE-2017-4995

Pivotal Spring Security: code execution via Jackson Configuration

Synthesis of the vulnerability

An attacker can use a vulnerability via Jackson Configuration of Pivotal Spring Security, in order to run code.
Impacted products: Spring Framework.
Severity: 2/4.
Consequences: privileged access/rights, user access/rights.
Provenance: document.
Creation date: 28/11/2017.
Identifiers: CST-7122, CST-7123, CST-7124, CST-7125, CST-7126, CST-7127, CST-7128, CST-7129, CST-7130, CST-7131, CVE-2017-4995, VIGILANCE-VUL-24549.

Description of the vulnerability

An attacker can use a vulnerability via Jackson Configuration of Pivotal Spring Security, in order to run code.

computer vulnerability note CVE-2017-8028

Spring-LDAP: privilege escalation via userSearch/STARTTLS

Synthesis of the vulnerability

An attacker can bypass restrictions via userSearch/STARTTLS of Spring-LDAP, in order to escalate his privileges.
Impacted products: Debian, Spring Framework.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: intranet client.
Creation date: 17/10/2017.
Identifiers: CST-7122, CST-7123, CST-7124, CST-7125, CST-7126, CST-7127, CST-7128, CST-7129, CST-7130, CST-7131, CVE-2017-8028, DLA-1180-1, DSA-4046-1, RHSA-2018:0319-01, VIGILANCE-VUL-24159.

Description of the vulnerability

An attacker can bypass restrictions via userSearch/STARTTLS of Spring-LDAP, in order to escalate his privileges.

vulnerability bulletin CVE-2016-9878

Spring Framework: directory traversal via ResourceServlet

Synthesis of the vulnerability

An attacker can traverse directories via ResourceServlet of Spring Framework, in order to read a file outside the service root path.
Impacted products: Fedora, QRadar SIEM, MariaDB ~ precise, MySQL Community, MySQL Enterprise, Percona Server, Spring Framework, SAS Add-in for Microsoft Office, SAS Analytics Pro, Base SAS Software, SAS Enterprise BI Server, SAS Enterprise Guide, SAS Grid Computing, SAS Management Console, SAS OLAP Server, SAS SAS/ACCESS, SAS SAS/AF, SAS SAS/CONNECT, SAS SAS/EIS, SAS SAS/ETS, SAS SAS/FSP, SAS SAS/GRAPH, SAS SAS/IML, SAS SAS/INSIGHT, SAS SAS/OR, SAS SAS/STAT, SAS SAS/Web Report Studio.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 22/12/2016.
Identifiers: 1996375, 2015813, CST-7122, CST-7123, CST-7124, CST-7125, CST-7126, CST-7127, CST-7128, CST-7129, CST-7130, CST-7131, CVE-2016-9878, FEDORA-2016-f341d71730, RHSA-2017:3115-01, VIGILANCE-VUL-21453.

Description of the vulnerability

The Spring Framework product offers a web service.

However, user-supplied data is inserted directly into a file path. Sequences such as "/.." can thus be used to move up to the parent directory.

An attacker can therefore traverse directories via ResourceServlet of Spring Framework, in order to read a file outside the service root path.

computer vulnerability note CVE-2016-5007

Spring Framework: privilege escalation via configuration inconsistencies

Synthesis of the vulnerability

An attacker can access private parts of an application created with Spring Framework, in order to get sensitive information.
Impacted products: QRadar SIEM, Spring Framework, SAS Add-in for Microsoft Office, SAS Analytics Pro, Base SAS Software, SAS Enterprise BI Server, SAS Enterprise Guide, SAS Grid Computing, SAS Management Console, SAS OLAP Server, SAS SAS/ACCESS, SAS SAS/AF, SAS SAS/CONNECT, SAS SAS/EIS, SAS SAS/ETS, SAS SAS/FSP, SAS SAS/GRAPH, SAS SAS/IML, SAS SAS/INSIGHT, SAS SAS/OR, SAS SAS/STAT, SAS SAS/Web Report Studio.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: internet client.
Creation date: 08/07/2016.
Revision date: 11/07/2016.
Identifiers: 2015813, CST-7122, CST-7123, CST-7124, CST-7125, CST-7126, CST-7127, CST-7128, CST-7129, CST-7130, CST-7131, CVE-2016-5007, VIGILANCE-VUL-20049.

Description of the vulnerability

The Spring Framework product helps to implement Web applications.

The extension module Spring Security manages access control. Spring Framework and Spring Security both use a configuration file to specify how they must handle URLs. However, there are some differences in the way these modules normalize the URL patterns. Because of this, some parts of the application that should be handled by Spring Security are directly handled by Spring Framework, which implies that access is unrestricted.

An attacker can therefore access private parts of an application created with Spring Framework, in order to get sensitive information.

vulnerability bulletin CVE-2016-2173

Spring AMQP: code execution via DefaultDeserializer

Synthesis of the vulnerability

An attacker can send a malicious message to Spring AMQP, in order to run code.
Impacted products: Fedora, Spring Framework.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights.
Provenance: document.
Creation date: 12/04/2016.
Identifiers: CST-7122, CST-7123, CST-7124, CST-7125, CST-7126, CST-7127, CST-7128, CST-7129, CST-7130, CST-7131, CVE-2016-2173, FEDORA-2016-6cf17ad0df, FEDORA-2016-f099190fee, VIGILANCE-VUL-19343.

Description of the vulnerability

The Spring AMQP product uses org.springframework.core.serializer.DefaultDeserializer to deserialize data.

However, the serialized data can contain an object whose deserialization leads to code execution.

An attacker can therefore send a malicious message to Spring AMQP, in order to run code.

computer vulnerability announce CVE-2015-5258

Spring Social Core: Cross Site Request Forgery

Synthesis of the vulnerability

An attacker can trigger a Cross Site Request Forgery of Spring Social Core, in order to force the victim to perform operations.
Impacted products: Fedora, Spring Framework.
Severity: 2/4.
Consequences: user access/rights.
Provenance: internet client.
Creation date: 13/11/2015.
Identifiers: CST-7122, CST-7123, CST-7124, CST-7125, CST-7126, CST-7127, CST-7128, CST-7129, CST-7130, CST-7131, CVE-2015-5258, FEDORA-2016-4d0e6ba888, VIGILANCE-VUL-18307.

Description of the vulnerability

The Spring Social Core product offers a web service.

However, the origin of requests is not checked. They can, for example, originate from an image included in an HTML document.

An attacker can therefore trigger a Cross Site Request Forgery of Spring Social Core, in order to force the victim to perform operations.