GHSA-vpr3-f594-mg5g

Source

https://github.com/advisories/GHSA-vpr3-f594-mg5g

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-vpr3-f594-mg5g/GHSA-vpr3-f594-mg5g.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-vpr3-f594-mg5g

Aliases

CVE-2010-1622

Published

2022-05-17T03:28:34Z

Modified

2024-12-03T06:08:33.719330Z

Summary

Improper Control of Generation of Code ('Code Injection') in Spring Framework

Details

SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file.

Database specific

{
    "nvd_published_at": "2010-06-21T16:30:00Z",
    "cwe_ids": [
        "CWE-94"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-17T22:33:40Z"
}

References

Affected packages

Maven / org.springframework:spring

Package

Name: org.springframework:spring; View open source insights on deps.dev
Purl: pkg:maven/org.springframework/spring

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.5.0

Fixed

2.5.7

Affected versions

2.*

2.5

2.5.1

2.5.2

2.5.3

2.5.4

2.5.5

2.5.6

2.5.6.SEC01

2.5.6.SEC02

2.5.6.SEC03

Database specific

{
    "last_known_affected_version_range": "<= 2.5.6"
}

Maven / org.springframework:spring

Package

Name: org.springframework:spring; View open source insights on deps.dev
Purl: pkg:maven/org.springframework/spring

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0.0

Fixed

3.0.3

Database specific

{
    "last_known_affected_version_range": "<= 3.0.2"
}