GHSA-49MJ-77Q5-QW5G Spring Batch Admin vulnerable to Stored Cross-site scripting (XSS) in the file upload functionality
Stored Cross-site scripting (XSS) vulnerability in Spring Batch Admin before 1.3.0 allows remote authenticated users to inject arbitrary JavaScript or HTML via the file upload functionality...
com.mozu:mozu-api-jobs (>=1.0.13 <=1.0.23), gradle.plugin.com.atc.gradle.plugins.xd:spring-xd-deploy-plugin (>=0.0.1 <=0.0.8) +25 more potentially affected by CVE-2018-1229 via org.springframework.batch:spring-batch-admin-manager (>=1.3.0.RELEASE <=1.3.1.RELEASE)
org.springframework.batch:spring-batch-admin-manager MAVEN version =1.3.0.RELEASE, =1.0.13, =0.0.1, =1.3.1.RELEASE, =1.6.0.RELEASE, =1.0.0.RELEASE, =1.0.0.RELEASE, =1.1.0.RELEASE, =1.0.0.RELEASE, =1.0.0.RELEASE, =1.0.0.RELEASE, =1.1.0.RELEASE, =1.7.3.RELEASE -...
Cross-site Scripting in Pivotal Spring Batch Admin
Pivotal Spring Batch Admin, all versions, contains a stored XSS vulnerability in the file upload feature. An unauthenticated malicious user with network access to Spring Batch Admin could store an arbitrary web script that would be executed by other users. This issue has not been patched because...
GHSA-4CJ8-779H-R25H Cross-site Scripting in Pivotal Spring Batch Admin
Pivotal Spring Batch Admin, all versions, contains a stored XSS vulnerability in the file upload feature. An unauthenticated malicious user with network access to Spring Batch Admin could store an arbitrary web script that would be executed by other users. This issue has not been patched because...
This Week in Spring - March 29th, 2022
Aloha, Spring fans, from beautiful Maui, Hawaii, where I am with my family on a bit of vacation. It's our daughter's Spring break and so we're enjoying the family time while we can get it! I wanted to take a brief interlude in between the never-enough time on the beach and all the rum to get this...
spring-batch: XML External Entity Injection (XXE) when receiving XML data from untrusted sources
Spring Batch versions 3.0.9, 4.0.1, 4.1.0, and older unsupported versions, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources...
Remote Code Execution
spring-batch-core is vulnerable to remote code execution. The upgrade of Jackson in 4.2.3.RELEASE enabled default typing by default and resulted in Spring Batch being vulnerable to untrusted deserialization. An attacker will be able to execute arbitrary code if ExecutionContext is serialized and...
CVE-2020-5411
When configured to enable default typing, Jackson contained a deserialization vulnerability that could lead to arbitrary code execution. Jackson fixed this vulnerability by blacklisting known "deserialization gadgets". Spring Batch configures Jackson with global default typing enabled which means...
VMware Spring Batch Code Execution Vulnerability
VMware Spring Batch is a lightweight framework for parallel processing of large amounts of data from VMware. A code execution vulnerability exists in the Jackson configuration in VMware Spring Batch versions 4.0.0 through 4.0.4, 4.1.0 through 4.1.4, and 4.2.0 through 4.2.2, which can be exploited...
Deserialization of untrusted data
When configured to enable default typing, Jackson contained a deserialization vulnerability that could lead to arbitrary code execution. Jackson fixed this vulnerability by blacklisting known "deserialization gadgets". Spring Batch configures Jackson with global default typing enabled which means...
CVE-2020-5411 Jackson Configuration Allows Code Execution with Unknown "Serialization Gadgets"
When configured to enable default typing, Jackson contained a deserialization vulnerability that could lead to arbitrary code execution. Jackson fixed this vulnerability by blacklisting known "deserialization gadgets". Spring Batch configures Jackson with global default typing enabled which means...
CVE-2020-5411
CVE-2020-5411 affects VMware Spring Batch (and IBM DRM aggregations) where Jackson default typing enables deserialization of untrusted data, potentially allowing arbitrary code execution if a malicious actor can write to the JobRepository data store. Connected advisories confirm the root cause: u...
Spring Batch Installed
Binary data pivotalsoftwarespringbatchinstalled.nbin...
CVE-2019-3774
Spring Batch versions 3.0.9, 4.0.1, 4.1.0, and older unsupported versions, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources...
Low severity vulnerability that affects org.springframework.batch:spring-batch-core
Spring Batch versions 3.0.9, 4.0.1, 4.1.0, and older unsupported versions, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources...
com.github.chrisgleissner:spring-batch-rest-api (>=1.0.3 <=1.2.7), com.github.chrisgleissner:spring-batch-rest-example (>=1.0.3 <=1.2.7) +7 more potentially affected by CVE-2019-3774 via org.springframework.batch:spring-batch-core (=4.1.0.RELEASE)
org.springframework.batch:spring-batch-core MAVEN version =4.1.0.RELEASE is affected by a known vulnerability. The following packages have a transitive dependency on org.springframework.batch:spring-batch-core and may be impacted: - com.github.chrisgleissner:spring-batch-rest-api =1.0.3, =1.0.3,...
be.dnsbelgium:rdap-server (>=0.3.3 <=1.1.0), com.bazoud.metrics:metrics-spring-batch (=1.0) +135 more potentially affected by CVE-2019-3774 via org.springframework.batch:spring-batch-core (>=1.0.0.FINAL <=3.0.0.RELEASE)
org.springframework.batch:spring-batch-core MAVEN version =1.0.0.FINAL, =0.3.3, =0.0.4, =0.2.4, =0.1.0, =1.0.2, =1.0.2, =1.3, =0.3.1, =0.2.0, =0.2.3 and more Source cves: CVE-2019-3774 Source advisory: OSV:GHSA-3WC8-659G-R88Q...
cloud.altemista.fwk.batch:cloud-altemistafwk-core-batch-spring (>=3.0.0.RELEASE <=3.0.1.RELEASE), cloud.altemista.fwk.batch:cloud-altemistafwk-core-batch-spring-conf (>=3.0.0.RELEASE <=3.0.1.RELEASE) +46 more potentially affected by CVE-2019-3774 via org.springframework.batch:spring-batch-core (>=4.0.0.RELEASE <=4.0.1.RELEASE)
org.springframework.batch:spring-batch-core MAVEN version =4.0.0.RELEASE, =3.0.0.RELEASE, =3.0.0.RELEASE, =3.0.0, =1.0.0, =1.0.1, =1.0.0, =1.0.1, =2.0.0.RELEASE, =2.0.0.RELEASE, =2.0.1.RELEASE and more Source cves: CVE-2019-3774 Source advisory: OSV:G...