View Issue Details

IDProjectCategoryView StatusLast Update
0005857SymmetricDSBugpublic2023-05-23 12:41
Reporterelong Assigned Toelong  
Status resolvedResolutionfixed 
Product Version3.14.7 
Target Version3.15.0Fixed in Version3.15.0 
Summary0005857: Security Vulnerability in Spring Framework and h2 database
In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
Fix available: fixed in 5.3.26

Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using '**' as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.
 Fix available: fixed in 5.3.26

h2 - CVE-2022-23221
H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.
Fixed in 2.0.206
TagsNo tags attached.


related to 0005848 closedelong Security Vulnerbility in Spring Framework 


There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2023-05-23 12:32 elong New Issue
2023-05-23 12:32 elong Status new => assigned
2023-05-23 12:32 elong Assigned To => elong
2023-05-23 12:32 elong Issue generated from: 0005848
2023-05-23 12:32 elong Relationship added related to 0005848
2023-05-23 12:35 elong Summary Security Vulnerbility in Spring Framework, h2 and => Security Vulnerability in Spring Framework and h2 database
2023-05-23 12:35 elong Description Updated View Revisions
2023-05-23 12:41 elong Status assigned => resolved
2023-05-23 12:41 elong Resolution open => fixed
2023-05-23 12:41 elong Fixed in Version => 3.15.0