VMware Spring
Recent VMware Spring Security Advisories
| CVE | Severity | Title | Published |
|---|---|---|---|
| CVE-2026-41004 | Medium | Spring Cloud Config Server Logged Sensitive Information | May 6, 2026 |
| CVE-2026-41002 | High | Spring Cloud Config Server Susceptible To TOCTOU Attack | May 6, 2026 |
| CVE-2026-40981 | High | Spring Cloud Config Clients Can Access Secrets From Any Project The Config Server Has Access To On Google Secrets Manager | May 6, 2026 |
| CVE-2026-40982 | Critical | Directory Traversal with spring-cloud-config-server | May 6, 2026 |
| CVE-2026-40969 | Low | Spring gRPC AuthenticationException message reflected to remote client | April 28, 2026 |
| CVE-2026-40968 | Medium | Spring gRPC SecurityContext leaks across requests on authorization failure | April 28, 2026 |
| CVE-2026-22752 | Critical | Spring Security Authorization Server Dynamic Client Registration endpoints perform insufficient validation of client metadata | April 21, 2026 |
| CVE-2026-22751 | Medium | Spring Security JdbcOneTimeTokenService allows a one-time token to authenticate multiple sessions | April 21, 2026 |
| CVE-2026-22741 | Low | Static resource cache poisoning in Spring MVC and WebFlux | April 17, 2026 |
| CVE-2026-22740 | Medium | Spring Framework DoS with Multipart Temp Files in WebFlux | April 17, 2026 |
By the Year
In 2026 there have been 0 vulnerabilities in VMware Spring. Spring did not have any published security vulnerabilities last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 0 | 0.00 |
| 2024 | 0 | 0.00 |
| 2023 | 1 | 7.80 |
It may take a day or so for new Spring vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent VMware Spring Security Vulnerabilities
Deserialization Attack via Header in Spring-Kafka 3.0.9 (checkDeserExWhen...)
CVE-2023-34040
7.8 - High
- August 24, 2023
In Spring for Apache Kafka 3.0.9 and earlier and versions 2.9.10 and earlier, a possible deserialization attack vector existed, but only if unusual configuration was applied. An attacker would have to construct a malicious serialized object in one of the deserialization exception record headers. Specifically, an application is vulnerable when all of the following are true:

- The user does not configure an ErrorHandlingDeserializer for the key and/or value of the record.
- The user explicitly sets the container properties checkDeserExWhenKeyNull and/or checkDeserExWhenValueNull to true.
- The user allows untrusted sources to publish to a Kafka topic.

By default, these properties are false, and the container only attempts to deserialize the headers if an ErrorHandlingDeserializer is configured. The ErrorHandlingDeserializer prevents the vulnerability by removing any such malicious headers before processing the record.
Marshaling, Unmarshaling