Advisories for Maven/Org.springframework.boot/Spring-Boot package

EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed. Your application may be affected by this if all the following conditions are met: You use Spring Security EndpointRequest.to() has been used in a Spring Security chain configuration The endpoint which EndpointRequest references is disabled or not exposed via web Your application handles requests to /null and this …

In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 3.1.0-3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: the application uses Spring MVC or Spring WebFlux org.springframework.boot:spring-boot-actuator is on the classpath

Users running Spring MVC and Spring WebFlux applications running on JDK 9+ are vulnerable to Remote Code Execution attacks.

spring-boot versions prior to version v2.2.11.RELEASE was vulnerable to temporary directory hijacking. This vulnerability impacted the org.springframework.boot.web.server.AbstractConfigurableWebServerFactory.createTempDir method. NOTE: This vulnerability only affects products and/or versions that are no longer supported by the maintainer.

SpringBoot Framework is susceptible to a vulnerability which when successfully exploited could lead to Remote Code Execution. All versions of Element Plug-in for vCenter Server, Management Services and Management Node contain vulnerable versions of SpringBoot Framework.

Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d linux service. The script included with Spring Boot is susceptible to a symlink attack which allows the run_user to overwrite and take ownership of any file on the same system. In order to instigate the attack, the application must be installed as a service and the run_user requires shell …

Malicious PATCH requests submitted to servers using Spring Data REST backed HTTP resources can use specially crafted JSON data to run arbitrary Java code.