Find, fix and prevent vulnerabilities in your code.
high severity
new
- Vulnerable module: org.springframework:spring-core
- Introduced through: org.springframework:spring-core@5.3.39 and org.springframework:spring-context@5.3.39
Detailed paths
-
Introduced through: oswaldobapvicjr/agents@oswaldobapvicjr/agents#37b7998214e6f8dc757d65f3d17e1b8e6702edce › org.springframework:spring-core@5.3.39Remediation: Upgrade to org.springframework:spring-core@6.2.11.
-
Introduced through: oswaldobapvicjr/agents@oswaldobapvicjr/agents#37b7998214e6f8dc757d65f3d17e1b8e6702edce › org.springframework:spring-context@5.3.39 › org.springframework:spring-core@5.3.39Remediation: Upgrade to org.springframework:spring-context@6.2.11.
-
Introduced through: oswaldobapvicjr/agents@oswaldobapvicjr/agents#37b7998214e6f8dc757d65f3d17e1b8e6702edce › org.springframework:spring-context@5.3.39 › org.springframework:spring-beans@5.3.39 › org.springframework:spring-core@5.3.39Remediation: Upgrade to org.springframework:spring-context@6.2.11.
-
Introduced through: oswaldobapvicjr/agents@oswaldobapvicjr/agents#37b7998214e6f8dc757d65f3d17e1b8e6702edce › org.springframework:spring-context@5.3.39 › org.springframework:spring-aop@5.3.39 › org.springframework:spring-core@5.3.39Remediation: Upgrade to org.springframework:spring-context@6.2.11.
-
Introduced through: oswaldobapvicjr/agents@oswaldobapvicjr/agents#37b7998214e6f8dc757d65f3d17e1b8e6702edce › org.springframework:spring-context@5.3.39 › org.springframework:spring-expression@5.3.39 › org.springframework:spring-core@5.3.39Remediation: Upgrade to org.springframework:spring-context@6.2.11.
-
Introduced through: oswaldobapvicjr/agents@oswaldobapvicjr/agents#37b7998214e6f8dc757d65f3d17e1b8e6702edce › org.springframework:spring-context@5.3.39 › org.springframework:spring-aop@5.3.39 › org.springframework:spring-beans@5.3.39 › org.springframework:spring-core@5.3.39Remediation: Upgrade to org.springframework:spring-context@6.2.11.
Overview
org.springframework:spring-core is a core package within the spring-framework that contains multiple classes and utilities.
Affected versions of this package are vulnerable to Incorrect Authorization via the AnnotationsScanner and AnnotatedMethod class. An attacker can gain unauthorized access to sensitive information by exploiting improper resolution of annotations on methods within type hierarchies that use parameterized supertypes with unbounded generics.
Note:
This is only exploitable if security annotations are used on methods in generic superclasses or generic interfaces and the @EnableMethodSecurity feature is enabled.
Remediation
Upgrade org.springframework:spring-core to version 6.2.11 or higher.
References
high severity
- Vulnerable module: org.springframework:spring-beans
- Introduced through: org.springframework:spring-context@5.3.39
Detailed paths
-
Introduced through: oswaldobapvicjr/agents@oswaldobapvicjr/agents#37b7998214e6f8dc757d65f3d17e1b8e6702edce › org.springframework:spring-context@5.3.39 › org.springframework:spring-beans@5.3.39Remediation: Upgrade to org.springframework:spring-context@6.2.10.
-
Introduced through: oswaldobapvicjr/agents@oswaldobapvicjr/agents#37b7998214e6f8dc757d65f3d17e1b8e6702edce › org.springframework:spring-context@5.3.39 › org.springframework:spring-aop@5.3.39 › org.springframework:spring-beans@5.3.39Remediation: Upgrade to org.springframework:spring-context@6.2.10.
Overview
org.springframework:spring-beans is a package that is the basis for Spring Framework's IoC container. The BeanFactory interface provides an advanced configuration mechanism capable of managing any type of object.
Affected versions of this package are vulnerable to Relative Path Traversal when deployed on non-compliant Servlet containers. An unauthenticated attacker could gain access to files and directories outside the intended web root.
Notes:
This is only exploitable if the application is deployed as a WAR or with an embedded Servlet container, the Servlet container does not reject suspicious sequences and the application serves static resources with Spring resource handling.
Applications deployed on Apache Tomcat or Eclipse Jetty are not vulnerable, as long as default security features are not disabled in the configuration.
This vulnerability was also fixed in the commercial versions 6.1.22 and 5.3.44.
Remediation
Upgrade org.springframework:spring-beans to version 6.2.10 or higher.
References
low severity
- Vulnerable module: org.springframework:spring-context
- Introduced through: org.springframework:spring-context@5.3.39
Detailed paths
-
Introduced through: oswaldobapvicjr/agents@oswaldobapvicjr/agents#37b7998214e6f8dc757d65f3d17e1b8e6702edce › org.springframework:spring-context@5.3.39Remediation: Upgrade to org.springframework:spring-context@6.1.14.
Overview
Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity due to String.toLowerCase() having some Locale dependent exceptions that could potentially result in fields not protected as expected.
Note:
The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive.
This vulnerability was also fixed in commercial versions 5.3.41 and 6.0.25.
Remediation
Upgrade org.springframework:spring-context to version 6.1.14 or higher.
References
low severity
- Vulnerable module: org.springframework:spring-core
- Introduced through: org.springframework:spring-core@5.3.39 and org.springframework:spring-context@5.3.39
Detailed paths
-
Introduced through: oswaldobapvicjr/agents@oswaldobapvicjr/agents#37b7998214e6f8dc757d65f3d17e1b8e6702edce › org.springframework:spring-core@5.3.39Remediation: Upgrade to org.springframework:spring-core@6.1.14.
-
Introduced through: oswaldobapvicjr/agents@oswaldobapvicjr/agents#37b7998214e6f8dc757d65f3d17e1b8e6702edce › org.springframework:spring-context@5.3.39 › org.springframework:spring-core@5.3.39Remediation: Upgrade to org.springframework:spring-context@6.1.14.
-
Introduced through: oswaldobapvicjr/agents@oswaldobapvicjr/agents#37b7998214e6f8dc757d65f3d17e1b8e6702edce › org.springframework:spring-context@5.3.39 › org.springframework:spring-beans@5.3.39 › org.springframework:spring-core@5.3.39Remediation: Upgrade to org.springframework:spring-context@6.1.14.
-
Introduced through: oswaldobapvicjr/agents@oswaldobapvicjr/agents#37b7998214e6f8dc757d65f3d17e1b8e6702edce › org.springframework:spring-context@5.3.39 › org.springframework:spring-aop@5.3.39 › org.springframework:spring-core@5.3.39Remediation: Upgrade to org.springframework:spring-context@6.1.14.
-
Introduced through: oswaldobapvicjr/agents@oswaldobapvicjr/agents#37b7998214e6f8dc757d65f3d17e1b8e6702edce › org.springframework:spring-context@5.3.39 › org.springframework:spring-expression@5.3.39 › org.springframework:spring-core@5.3.39Remediation: Upgrade to org.springframework:spring-context@6.1.14.
-
Introduced through: oswaldobapvicjr/agents@oswaldobapvicjr/agents#37b7998214e6f8dc757d65f3d17e1b8e6702edce › org.springframework:spring-context@5.3.39 › org.springframework:spring-aop@5.3.39 › org.springframework:spring-beans@5.3.39 › org.springframework:spring-core@5.3.39Remediation: Upgrade to org.springframework:spring-context@6.1.14.
Overview
org.springframework:spring-core is a core package within the spring-framework that contains multiple classes and utilities.
Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity due to String.toLowerCase() having some Locale dependent exceptions that could potentially result in fields not protected as expected.
Note:
The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive.
This vulnerability was also fixed in commercial versions 5.3.41 and 6.0.25.
Remediation
Upgrade org.springframework:spring-core to version 6.1.14 or higher.