Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12cHIzLWY1OTQtbWc1Z84AAcrl
Improper Control of Generation of Code ('Code Injection') in Spring Framework
SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12cHIzLWY1OTQtbWc1Z84AAcrl
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: 6 months ago
Identifiers: GHSA-vpr3-f594-mg5g, CVE-2010-1622
References:
- https://nvd.nist.gov/vuln/detail/CVE-2010-1622
- http://geronimo.apache.org/2010/07/21/apache-geronimo-v216-released.html
- http://geronimo.apache.org/21x-security-report.html
- http://geronimo.apache.org/22x-security-report.html
- http://www.exploit-db.com/exploits/13918
- http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
- https://seclists.org/fulldisclosure/2010/Jun/456
- https://access.redhat.com/errata/RHSA-2011:0175
- https://access.redhat.com/security/cve/CVE-2010-1622
- https://bugzilla.redhat.com/show_bug.cgi?id=606706
- https://web.archive.org/web/20100623011648/http://www.springsource.com/security/cve-2010-1622
- https://web.archive.org/web/20161014113129/http://www.securitytracker.com/id/1033898
- https://web.archive.org/web/20200227210033/http://www.securityfocus.com/archive/1/511877
- https://web.archive.org/web/20200228060816/http://www.securityfocus.com/bid/40954
- http://www.redhat.com/support/errata/RHSA-2011-0175.html
- https://github.com/spring-projects/spring-framework/commit/3a5af35d37c79d0644d49b93f792a4c18fe8eb71
- https://github.com/advisories/GHSA-vpr3-f594-mg5g
Blast Radius: 0.0
Affected Packages
maven:org.springframework:spring
Dependent packages: 568
Dependent repositories: 7,786
Downloads:
Affected Version Ranges: >= 3.0.0, <= 3.0.2, >= 2.5.0, <= 2.5.6
Fixed in: 3.0.3, 2.5.7
All affected versions: 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6
All unaffected versions: 1.0.1, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.2.9, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.3.7, 5.3.8, 5.3.9, 5.3.10, 5.3.11, 5.3.12, 5.3.13, 5.3.14, 5.3.15, 5.3.16, 5.3.17, 5.3.18, 5.3.19, 5.3.20, 5.3.21, 5.3.22, 5.3.23, 5.3.24, 5.3.25, 5.3.26, 5.3.27, 5.3.28, 5.3.29, 5.3.30, 5.3.31, 5.3.32, 5.3.33, 5.3.34, 5.3.35, 5.3.36, 5.3.37, 5.3.38, 5.3.39