186 matches found
EUVD-2018-19263
Malware in sbrugna...
EUVD-2020-17929
Malware in sbrugna...
EUVD-2023-0845
Malicious code in bioql PyPI...
EUVD-2024-1035
Malicious code in bioql PyPI...
Securing MCP Servers with Spring AI
Model Context Protocol, or MCP for short, has taken over the AI world. If you've been following our blog, you've probably read the introduction to the topic, Connect Your AI to Everything: Spring AI's MCP Boot Starters. The security aspects of MCP have been evolving fast, and the latest version o...
Spring Authorization Server moving to Spring Security 7.0
Spring Authorization Server has come a long way since 1.0 was officially released in November 2022. Starting as a project separate from Spring Security, has allowed it to iterate quickly on feature development and ultimately grow a rich feature set for building OAuth2 Authorization Servers. It ha...
CVE-2025-58062
CVE-2025-58062 affects LSTM-Kirigaya’s openmcp-client (VSCode plugin for MCP developers) prior to version 0.1.12. On Windows, if a user connects to an attacker-controlled MCP server, an attacker can provision a malicious authorization server endpoint that enables an OS command injection in the op...
CVE-2025-58062 LSTM-Kirigaya's openmcp-client Vulnerable to RCE in MCP Authorization Flow
LSTM-Kirigaya's openmcp-client is a vscode plugin for mcp developer. Prior to version 0.1.12, when users on a Windows platform connect to an attacker controlled MCP server, attackers could provision a malicious authorization server endpoint to silently achieve an OS command injection attack in th...
This Week in Spring - August 26th, 2025
Hi, Spring fans! Welcome to another installment of This Week in Spring! I'm writing this from the floor of SpringOne, live from lovely Las Vegas! As you can imagine, I've got to get back into it, so we'll make this one a quick one. And if you're here, be sure to say "hi"! In last week's A Bootifu...
This Week in Spring - August 19th, 2025
Hi, Spring fans! Welcome to another extra special installment of This Week in Spring - special because the next installment will be delivered from the floors of the Ventian where the extraordinairily awesome SpringOne 2025 event will take place! So, some poetry: T’was the Week Before SpringOne...
OAuth Dynamic Client Registration Detected
This is an informational plugin to inform the user that the scanner has detected a publicly accessible OAuth Dynamic Client Registration endpoint on the target application. OAuth Dynamic Client Registration allows clients to register dynamically with an authorization server and is very common in...
CVE-2024-22258
Spring Authorization Server versions 1.0.0 - 1.0.5, 1.1.0 - 1.1.5, 1.2.0 - 1.2.2 and older unsupported versions are susceptible to a PKCE Downgrade Attack for Confidential Clients. Specifically, an application is vulnerable when a Confidential Client uses PKCE for the Authorization Code Grant. An...
CVE-2025-4143
The OAuth implementation in workers-oauth-provider that is part of MCP framework https://github.com/cloudflare/workers-mcp , did not correctly validate that redirecturi was on the allowed list of redirect URIs for the given client registration. Fixed in: ...
Securing Spring AI MCP servers with OAuth2
Spring AI offers support for Model Context Protocol, or MCP for short, which allows AI models to interact with and access external tools and resources in a structured way. With Spring AI, developers can create their own MCP Servers and expose capabilities to AI models in just a few lines of code...
This Week in Spring – March 18th, 2025
Hi, Spring fans! I just got back from the amazing JavaOne show held in Redwood Shores. It was a fun, uproarious event and a great chance to reconnect with tons of friends, old and new. I love this community! One of the central highlights of this show? Java 24 is here, finally! And, as usual, we'v...
CVE-2025-27370
OpenID Connect Core through 1.0 errata set 2 allows audience injection in certain situations. When the privatekeyjwt authentication mechanism is used, a malicious Authorization Server could trick a Client into writing attacker-controlled values into the audience, including token endpoints or issu...
CVE-2025-27370
OpenID Connect Core through 1.0 errata set 2 allows audience injection in certain situations. When the privatekeyjwt authentication mechanism is used, a malicious Authorization Server could trick a Client into writing attacker-controlled values into the audience, including token endpoints or issu...
CVE-2025-27370
OpenID Connect Core through 1.0 errata set 2 allows audience injection in certain situations. When the privatekeyjwt authentication mechanism is used, a malicious Authorization Server could trick a Client into writing attacker-controlled values into the audience, including token endpoints or issu...
CVE-2025-27370
CVE-2025-27370 concerns OpenID Connect Core through 1.0 errata set 2. when private_key_jwt authentication is used, an attacker-controlled Authorization Server can induce a Client to accept a manipulated audience value (e.g., other token endpoints or issuer identifiers). This audience injection co...
CVE-2025-27370
OpenID Connect Core through 1.0 errata set 2 allows audience injection in certain situations. When the privatekeyjwt authentication mechanism is used, a malicious Authorization Server could trick a Client into writing attacker-controlled values into the audience, including token endpoints or issu...