Vulnerabilities (CVE)

Filtered by vendor Vmware Subscribe
Filtered by product Spring Boot
Total 9 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-26987 2 Netapp, Vmware 4 Element Plug-in For Vcenter Server, Management Services For Element Software And Netapp Hci, Solidfire \& Hci Management Node and 1 more 2024-11-21 7.5 HIGH 9.8 CRITICAL
Element Plug-in for vCenter Server incorporates SpringBoot Framework. SpringBoot Framework versions prior to 1.3.2 are susceptible to a vulnerability which when successfully exploited could lead to Remote Code Execution. All versions of Element Plug-in for vCenter Server, Management Services versions prior to 2.17.56 and Management Node versions through 12.2 contain vulnerable versions of SpringBoot Framework.
CVE-2018-1196 1 Vmware 1 Spring Boot 2024-11-21 4.3 MEDIUM 5.9 MEDIUM
Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d linux service. The script included with Spring Boot 1.5.9 and earlier and 2.0.0.M1 through 2.0.0.M7 is susceptible to a symlink attack which allows the "run_user" to overwrite and take ownership of any file on the same system. In order to instigate the attack, the application must be installed as a service and the "run_user" requires shell access to the server. Spring Boot application that are not installed as a service, or are not using the embedded launch script are not susceptible.
CVE-2017-8046 2 Pivotal Software, Vmware 2 Spring Data Rest, Spring Boot 2024-11-21 7.5 HIGH 9.8 CRITICAL
Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.
CVE-2023-44794 2 Dromara, Vmware 3 Sa-token, Spring Boot, Spring Framework 2024-09-12 N/A 9.8 CRITICAL
An issue in Dromara SaToken version 1.36.0 and before allows a remote attacker to escalate privileges via a crafted payload to the URL.
CVE-2022-27772 1 Vmware 1 Spring Boot 2024-08-03 4.6 MEDIUM 7.8 HIGH
spring-boot versions prior to version v2.2.11.RELEASE was vulnerable to temporary directory hijacking. This vulnerability impacted the org.springframework.boot.web.server.AbstractConfigurableWebServerFactory.createTempDir method. NOTE: This vulnerability only affects products and/or versions that are no longer supported by the maintainer
CVE-2023-34055 1 Vmware 1 Spring Boot 2024-02-28 N/A 6.5 MEDIUM
In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 3.1.0-3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: * the application uses Spring MVC or Spring WebFlux * org.springframework.boot:spring-boot-actuator is on the classpath
CVE-2023-20873 1 Vmware 1 Spring Boot 2024-02-28 N/A 9.8 CRITICAL
In Spring Boot versions 3.0.0 - 3.0.5, 2.7.0 - 2.7.10, and older unsupported versions, an application that is deployed to Cloud Foundry could be susceptible to a security bypass. Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.6+. 2.7.x users should upgrade to 2.7.11+. Users of older, unsupported versions should upgrade to 3.0.6+ or 2.7.11+.
CVE-2023-20883 1 Vmware 1 Spring Boot 2024-02-28 N/A 7.5 HIGH
In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache.
CVE-2023-22602 2 Apache, Vmware 2 Shiro, Spring Boot 2024-02-28 N/A 7.5 HIGH
When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant style pattern matching. Mitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: `spring.mvc.pathmatch.matching-strategy = ant_path_matcher`