This Week in Spring - July 15th, 2025
Hi, Spring fans! It's already the 15th of July! We're closer to 2026 than we are to 2024. And time's sure flying. Like I will, tomorrow. I'll be flying to Denver for the amazing UBERCONF software show! I'll be doing a workshop and two talks, and if you're there, I hope you'll come say "hi"! Let's...
SpringBoot_MyBatisPlus Path Traversal Vulnerability
SpringBootMyBatisPlus is a SpringBoot integration with MyBatisPlus by Siwei Zhou, an individual developer. A path traversal vulnerability exists in SpringBootMyBatisPlus; it stems from incorrect handling of the parameter Name in file/file/download...
Sensitive Information Exposure
io.zipkin, zipkin-server is vulnerable to Sensitive Information Exposure. The vulnerability is due to the presence of an unprotected /heapdump endpoint associated with Spring Boot Actuator, which allows an attacker to retrieve memory dumps and potentially extract sensitive data. Note: There is a...
This Week in Spring - July 8th, 2025
Hi, Spring fans! Welcome to another installment of This Week in Spring! I write this having spent a wonderful week in paradise, Bora Bora, French Polynesia, to be precise, with my partner Tam Mie. We were so very sad to have to say goodbye. But that means I'm officially back at my desk, with nary a...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in spring-boot-2.7.12.jar
Summary: IBM watsonx Orchestrate Cartridge contains a vulnerable version of spring-boot-2.7.12.jar. Vulnerability Details: CVE ID: CVE-2023-34055. Description: In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0 - 3.0.12 and 3.1.0 - 3.1.5, it is possible for a user to provide specially crafted HTTP requests that...
CVE-2025-53602
Zipkin through 3.5.1 has a /heapdump endpoint associated with the use of Spring Boot Actuator, a similar issue to CVE-2025-48927...
Exposure of Core Dump File to an Unauthorized Control Sphere
Overview Affected versions of this package are vulnerable to Exposure of Core Dump File to an Unauthorized Control Sphere via the heapdump endpoint, which is introduced through the use of Spring Boot Actuators. An attacker can access sensitive memory information by sending requests to this...
GHSA-794X-8X6X-QPFC Zipkin Server vulnerable to Insecure Resource Initialization through its /heapdump endpoint
Zipkin through 3.5.1 has a /heapdump endpoint associated with the use of Spring Boot Actuator, a similar issue to CVE-2025-48927...
CVE-2025-53602
CVE-2025-53602 affects Zipkin up to version 3.5.1 with a /heapdump endpoint (via Spring Boot Actuator). The root cause is exposure of sensitive heap memory information leading to potential information disclosure. The CVE is linked to related advisories (e.g., GHSA-794X-8X6X-QPFC) describing insec...
PT-2025-28022
Name of the Vulnerable Software and Affected Versions: Zipkin versions prior to 3.5.2. Description: The issue is related to the exposure of heap dump information through the "/heapdump" endpoint, which is associated with the use of Spring Boot Actuator. This endpoint is similar to a previously...
This Week in Spring - July 1st, 2025
Hi, Spring fans! Welcome to another installment of This Week in Spring! It's July!! This week, I'm on PTO, and as always, I'm looking for good reading material on the plane ride over for my holiday. Thank goodness for the ever-vibrant and awesome Spring community; there's tons of stuff to dive...
TeleMessage TM SGNL Initialization of a Resource with an Insecure Default Vulnerability
TeleMessage TM SGNL contains an initialization of a resource with an insecure default vulnerability. This vulnerability relies on how the Spring Boot Actuator is configured with an exposed heap dump endpoint at a /heapdump URI...
X-SpringBoot Path Traversal Vulnerability
X-SpringBoot is a lightweight Java rapid development platform by the individual developer czx. A path traversal vulnerability exists in X-SpringBoot 5.0 and earlier versions; it stems from incorrect handling of the parameter File in the file /sys/oss/upload/apk, resulting in path...
Exploit for CVE-2024-38819
CVE-2024-38819: Proof of Concept (PoC). This is a proof of con...
CVE-2025-6108
A vulnerability was found in hansonwang99 Spring-Boot-In-Action up to 807fd37643aa774b94fd004cc3adbd29ca17e9aa. It has been declared as critical. Affected by this vulnerability is the function watermarkTest of the file...