Advisories for Maven/Org.springframework/Spring-Webflux package

Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running. Specifically, an application is vulnerable when both of the following are true: the web application uses RouterFunctions to serve static resources resource handling …

Users running Spring MVC and Spring WebFlux applications running on JDK 9+ are vulnerable to Remote Code Execution attacks.

Spring Framework WebFlux applications are vulnerable to a privilege escalation. By (re)creating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with multipart request data.

In Spring Framework the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.

In Spring Framework, an application is vulnerable to a reflected file download (RFD) attack when it sets a Content-Disposition header in the response where the filename attribute is derived from user supplied input.

Spring Framework is vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints.

Spring Framework provides support for range requests when serving static resources through the ResourceHttpRequestHandler. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack.

When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead …