Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS12cHIzLWY1OTQtbWc1Z84AAcrl

Improper Control of Generation of Code ('Code Injection') in Spring Framework

SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file.

Permalink: https://github.com/advisories/GHSA-vpr3-f594-mg5g
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12cHIzLWY1OTQtbWc1Z84AAcrl
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: about 1 month ago


Identifiers: GHSA-vpr3-f594-mg5g, CVE-2010-1622
References: Repository: https://github.com/spring-projects/spring-framework
Blast Radius: 0.0

Affected Packages

maven:org.springframework:spring
Dependent packages: 568
Dependent repositories: 7,786
Downloads:
Affected Version Ranges: >= 3.0.0, <= 3.0.2, >= 2.5.0, <= 2.5.6
Fixed in: 3.0.3, 2.5.7
All affected versions: 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6
All unaffected versions: 1.0.1, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.2.9, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.3.7, 5.3.8, 5.3.9, 5.3.10, 5.3.11, 5.3.12, 5.3.13, 5.3.14, 5.3.15, 5.3.16, 5.3.17, 5.3.18, 5.3.19, 5.3.20, 5.3.21, 5.3.22, 5.3.23, 5.3.24, 5.3.25, 5.3.26, 5.3.27, 5.3.28, 5.3.29, 5.3.30, 5.3.31, 5.3.32, 5.3.33, 5.3.34