VMware Spring Framework
cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*
- >= 6.2.0, <= 6.2.6
- >= 6.1.0, <= 6.1.19
- >= 6.0.0, <= 6.0.27
- >= 5.3.0, <= 5.3.42
A vulnerability exists in VMware Spring Framework versions 5.3.0 through 5.3.42, 6.0.0 through 6.0.27, 6.1.0 through 6.1.19, and 6.2.0 through 6.2.6, as well as older, unsupported versions. Under certain conditions the disallowed-fields check performed by DataBinder (the check configured with setDisallowedFields) can be bypassed. A previous fix ensured locale-independent, lowercase conversion of request parameter names and disallowed-field patterns before they are compared, but a scenario remains in which the check can still be circumvented.
Bypassing the disallowed-fields check lets request data be bound to properties the application intended to protect, which could lead to unintended data binding or manipulation of the target object.
Users of affected Spring Framework versions should upgrade to 6.2.7 (OSS), 6.1.20 (OSS), 6.0.28 (Commercial), or 5.3.43 (Commercial). Applications that rely on a disallowed-fields denylist as their only binding protection should also review their model design; for guidance on model design, refer to the Spring Framework reference documentation.
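The following is an added example, not code from the advisory or from the Spring project, showing the mitigations a practitioner would apply alongside the upgrade: replacing the denylist (setDisallowedFields) with an allowlist (setAllowedFields), and binding to a dedicated form object that simply has no privileged property. It uses the standard DataBinder and MutablePropertyValues APIs from spring-beans and spring-context, which are assumed to be on the classpath; the Account and AccountForm classes and the request parameters are constructed for illustration. It does not reproduce the bypass itself, since the advisory does not describe the specific input that triggers it.

```java
import org.springframework.beans.MutablePropertyValues;
import org.springframework.validation.DataBinder;

public class DisallowedFieldsExample {

    // Vulnerable pattern: the domain object, including its privileged flag,
    // is bound directly from request parameters. (Constructed for this example.)
    public static class Account {
        private String username;
        private boolean admin;
        public String getUsername() { return username; }
        public void setUsername(String username) { this.username = username; }
        public boolean isAdmin() { return admin; }
        public void setAdmin(boolean admin) { this.admin = admin; }
    }

    // Recommended pattern: a dedicated form object that only exposes the
    // properties the request is allowed to set. (Constructed for this example.)
    public static class AccountForm {
        private String username;
        public String getUsername() { return username; }
        public void setUsername(String username) { this.username = username; }
    }

    // Denylist: this is the disallowed-fields check the advisory says can be bypassed.
    static Account bindWithDenylist(MutablePropertyValues params) {
        Account account = new Account();
        DataBinder binder = new DataBinder(account);
        binder.setDisallowedFields("admin");
        binder.bind(params);
        return account;
    }

    // Allowlist: every field not listed is ignored, so a new or renamed
    // privileged property cannot slip through by omission.
    static Account bindWithAllowlist(MutablePropertyValues params) {
        Account account = new Account();
        DataBinder binder = new DataBinder(account);
        binder.setAllowedFields("username");
        binder.bind(params);
        return account;
    }

    // Form object: there is no "admin" property to bind, and DataBinder ignores
    // unknown fields by default, so the privileged flag never reaches the entity.
    static AccountForm bindToFormObject(MutablePropertyValues params) {
        AccountForm form = new AccountForm();
        DataBinder binder = new DataBinder(form);
        binder.bind(params);
        return form;
    }

    public static void main(String[] args) {
        // Constructed request parameters: one legitimate field plus an attempt
        // to set the privileged flag through mass assignment.
        MutablePropertyValues params = new MutablePropertyValues();
        params.add("username", "alice");
        params.add("admin", "true");

        Account denylisted = bindWithDenylist(params);
        Account allowlisted = bindWithAllowlist(params);
        AccountForm form = bindToFormObject(params);

        System.out.println("denylist   -> username=" + denylisted.getUsername() + " admin=" + denylisted.isAdmin());
        System.out.println("allowlist  -> username=" + allowlisted.getUsername() + " admin=" + allowlisted.isAdmin());
        System.out.println("formobject -> username=" + form.getUsername());

        // Regression check worth keeping in a test suite: whatever the binder
        // does, the privileged flag must never be settable from request data.
        if (denylisted.isAdmin() || allowlisted.isAdmin()) {
            throw new IllegalStateException("privileged field was bound from request data");
        }
    }
}
```

In a Spring MVC controller the same allowlist is applied in an @InitBinder method (binder.setAllowedFields("username")) rather than on a hand-built DataBinder. With a plain "admin" parameter all three variants leave the flag unset even on affected versions; the point of the allowlist and the form object is that they no longer depend on the denylist comparison that this advisory reports as bypassable.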