215 matches found
spring-security-webflux: path wildcard leads to security bypass
A flaw was found in Spring Security's WebFlux framework pattern matching, where it does not properly evaluate certain patterns. A server using path-based pattern matching in WebFlux could allow an attacker to bypass security settings for some request paths, potentially leading to information...
Authentication Bypass
org.apache.shiro: shiro-spring is vulnerable to Authentication Bypass. The vulnerability is due to different pattern matching techniques between Spring-Boot 2.6+ and Apache Shiro. This can result in an authentication bypass. As a workaround, set the following Spring Boot configuration value:...
CVE-2023-34034
A flaw was found in Spring Security's WebFlux framework pattern matching, where it does not properly evaluate certain patterns. A server using path-based pattern matching in WebFlux could allow an attacker to bypass security settings for some request paths, potentially leading to information...
Apache Shiro < 1.11.0 Authentication Bypass
Apache Shiro before 1.11.0, when using Apache Shiro with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot 2.6 default to An...
Hello, Java 21
Hi, Spring fans! Get the bits Before we get started, do something for me quickly. If you haven’t already, go install SKDMAN. Then run: sdk install java 21-graalce && sdk default java 21-graalce There you have it. You now have Java 21 and graalvm supporting Java 21 on your machine, ready to go. Ja...
Spring Tips: Making the joyful jump to Java 21
Hi, Spring fans! Java 21 and GraalVM supporting Java 21 are at long last here! It's been a long time in coming, but Java 21 - which comes out later today on the 19th of September, 2023 - brings with it some of the most exciting new features of any Java release. In this video, I will look at some ...
Huawei EulerOS: Security Advisory for curl (EulerOS-SA-2023-2635)
The remote host is missing an update for the Huawei EulerOS SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
CVE-2023-41362
MyBB before 1.8.36 allows Code Injection by users with certain high privileges. Templates in Admin CP intentionally use eval, and there was some validation of the input to eval, but type juggling interfered with this when using PCRE within PHP...
Medium: curl
Issue Overview: libcurl offers a feature to verify an SSH server's public key using a SHA 256 hash. When this check fails, libcurl would free the memory for the fingerprint before it returns an error message containing the now freed hash. This flaw risks inserting sensitive heap-based data into t...
Improper Access Control
org.springframework.security:spring-security-config is vulnerable to Improper Access Control. The vulnerability exists due to lack of checks in multiple files, which allows an attacker to use as a pattern in the configurations for WebFlux, creating a mismatch in pattern matching, resulting in a...
Access Control Bypass in Spring Security
Using "" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux, and the potential for a security bypass...
CVE-2023-34034
Using "" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux, and the potential for a security bypass...
CVE-2023-34034
Using "" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux, and the potential for a security bypass...
CVE-2023-34034
Using "" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux, and the potential for a security bypass...
CVE-2023-34034
Using "" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux, and the potential for a security bypass...
CVE-2023-34034
CVE-2023-34034 is documented in IBM security bulletins as affecting VMware Tanzu Spring Security when using "**" as a pattern in WebFlux configuration, causing a pattern-matching bypass. The IBM bulletin assigns a CVSS v3.0 base score of 9.1 (Impact: Confidentiality High, Integrity High, Availabi...
VMware Spring Security 安全漏洞
VMware Spring Security is a suite of security frameworks from VMware that provide illustrative security protection for Spring-based applications. A security vulnerability exists in VMware Spring Security that stems from the presence of a pattern matching mismatch that could lead to a security...
PCRE2 输入验证错误漏洞
PCRE2 is PCRE2Project open source set of C functions. Use the same syntax and semantics as Perl5 to achieve regular expression pattern matching . A security vulnerability exists in PCRE2 versions prior to 10.41, which stems from an integer overflow problem in pcre2test that allows an attacker to...
Security Bulletin: Vulnerability in Spring Framework affects IBM Process Mining [CVE-2023-20860]
Summary There is a vulnerability in Spring Framework that could allow a remote authenticated attacker to bypass security restrictions. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability. CVE-2023-20860 Vulnerability Details...
Administration Console authentication bypass in openfire xmppserver
An important security issue affects a range of versions of Openfire, the cross-platform real-time collaboration server based on the XMPP protocol that is created by the Ignite Realtime community. Impact Openfire's administrative console the Admin Console, a web-based application, was found to be...