G2H

**Name of the Vulnerable Software and Affected Versions** Spring Boot versions prior to 4.0.3 Spring Boot versions prior to 3.5.11 Spring Boot versions prior to 3.4.15 **Description** Spring Boot applications utilizing the Actuator feature may be susceptible to an authentication bypass issue. This occurs when an application endpoint requiring authentication is defined under a specific path that is already configured for an additional Health Group path. The issue allows bypassing the intended authentication mechanisms for certain endpoints. **Recommendations** Update Spring Boot to version 4.0.3 or later. Update Spring Boot to version 3.5.11 or later. Update Spring Boot to version 3.4.15 or later.

**Name of the Vulnerable Software and Affected Versions** Spring Security versions 4.0.0 through 4.0.3 Spring Security versions 3.5.0 through 3.5.11 Spring Security versions 3.4.0 through 3.4.14 Spring Security versions 3.3.0 through 3.3.17 Spring Security versions 2.7.0 through 2.7.31 **Description** Spring Boot applications utilizing Actuator may experience an authentication bypass issue when an application endpoint requiring authentication is configured under the path used by CloudFoundry Actuator endpoints. This allows unauthorized access to protected resources. **Recommendations** Spring Security versions 4.0.0 through 4.0.3 should be updated. Spring Security versions 3.5.0 through 3.5.11 should be updated. Spring Security versions 3.4.0 through 3.4.14 should be updated. Spring Security versions 3.3.0 through 3.3.17 should be updated. Spring Security versions 2.7.0 through 2.7.31 should be updated.

Name of the Vulnerable Software and Affected Versions Spring Foundation versions 5.3.0 through 5.3.46 Spring Foundation versions 6.1.0 through 6.1.25 Spring Foundation versions 6.2.0 through 6.2.16 Spring Foundation versions 7.0.0 through 7.0.5 Description Spring MVC and WebFlux applications are susceptible to stream corruption when utilizing Server-Sent Events (SSE). This issue impacts applications using Spring Foundation. Recommendations Update to a version beyond 5.3.46 Update to a version beyond 6.1.25 Update to a version beyond 6.2.16 Update to a version beyond 7.0.5

**Name of the Vulnerable Software and Affected Versions** Spring Framework versions 7.0.0 through 7.0.5 Spring Framework versions 6.2.0 through 6.2.16 Spring Framework versions 6.1.0 through 6.1.25 Spring Framework versions 5.3.0 through 5.3.46 **Description** The use of Java scripting engine enabled template views, such as JRuby or Jython, in Spring MVC and Spring WebFlux applications can lead to the disclosure of content from files located outside of the intended, configured directories for script template views. **Recommendations** Update Spring Framework to a version later than 7.0.5. Update Spring Framework to a version later than 6.2.16. Update Spring Framework to a version later than 6.1.25. Update Spring Framework to a version later than 5.3.46.