This Week in Spring - December 12th, 2023
Hi, Spring fans! Welcome to a new installment of This Week in Spring! We've got a ton of stuff to get into, so let's dive right in! Laur Spilca and I look at how to upgrade a Spring Security 5.x application to Spring Security 6.x. Apache SkyWalking with Sheng Wu and Apache ShardingSphere with...
spring-boot: Security Bypass With Wildcard Pattern Matching on Cloud Foundry
A flaw was found in Spring Boot, specifically in the 'spring-boot-actuator-autoconfigure' package. The issue occurs when an application is deployed to Cloud Foundry and can lead to a security bypass. Specifically, an application is vulnerable when all of the following are...
Important: Red Hat Security Advisory: Red Hat AMQ Streams 2.6.0 release and security update
Red Hat AMQ Streams 2.6.0 is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability...
IceCMS Cross-Site Scripting Vulnerability (CNVD-2023-98191)
IceCMS is a content management system based on Spring Boot + Vue with front-end and back-end separation. A cross-site scripting vulnerability exists in IceCMS version 2.0.1. The vulnerability stems from the application's lack of effective filtering and escaping of user-supplied data, which can be...
IceCMS Security Vulnerability
IceCMS is a content management system based on Spring Boot + Vue with front-end and back-end separation, by the individual developer NgShow. A security vulnerability exists in IceCMS version 2.0.1, which stems from not fully validating the number of user requests...
VMware Spring Boot 2.7.0 - 2.7.17, 3.0.0 - 3.0.12, 3.1.0 - 3.1.5 DoS Vulnerability
VMware Spring Boot is prone to a denial of service (DoS) vulnerability. SPDX-FileCopyrightText: 2023 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...
ai.timefold.solver:timefold-solver-examples (>=1.1.0 <=1.4.0), ai.timefold.solver:timefold-solver-spring-boot-starter (=1.4.0) +5822 more potentially affected by CVE-2023-6378 via ch.qos.logback:logback-core (>=1.4.0 <=1.4.11)
ch.qos.logback:logback-core MAVEN version =1.4.0, =1.1.0, =22.9.0, =22.9.0, =22.9.0, =22.9.0, =22.9.0, =23.9.0, =22.9.0, =22.9.0, =22.9.0, =22.9.0, =22.9.0, =22.9.0, =22.9.0, =23.9.1 and more Source cves: CVE-2023-6378 Source advisory: OSV:GHSA-VMQ6-5M68-F53M...
Denial Of Service (DoS)
Spring Boot is vulnerable to Denial Of Service. The vulnerability is due to parsing a malicious HTTP request without proper validation or sanitization. This issue can be exploited by an attacker by crafting a malicious HTTP request, leading to Denial Of Service. Note that the following conditions mus...
CVE-2023-34055
In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0 - 3.0.12 and 3.1.0 - 3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: the application uses Spring M...
CVE-2023-34053
In Spring Framework versions 6.0.0 - 6.0.13, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: the application uses Spring MVC or Spring WebFlux...
GHSA-JJFH-589G-3HJX Spring Boot Actuator denial of service vulnerability
In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0 - 3.0.12 and 3.1.0 - 3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: the application uses Spring M...
be.vlaanderen.informatievlaanderen.ldes.ldio:ldio-application (=2.12.0), be.vlaanderen.informatievlaanderen.vsds:ldes-fragmentisers (>=1.1.0 <=3.4.0) +1474 more potentially affected by CVE-2023-34055 via org.springframework.boot:spring-boot-actuator (>=3.1.0 <=3.1.5)
org.springframework.boot:spring-boot-actuator MAVEN version =3.1.0, =1.1.0, =2.3.0, =1.1.0, =1.1.0, =2.10.0, =1.1.0, =1.1.0, =2.3.0, =1.1.0, =1.1.0, =1.1.0, =2.3.0, =3.6.0, =3.6.1 - be.vlaanderen.informatievlaanderen...
GHSA-V94H-HVHG-MF9H Spring Framework vulnerable to denial of service
In Spring Framework versions 6.0.0 - 6.0.13, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: the application uses Spring MVC or Spring WebFlux...
ai.foremast.metrics:foremast-spring-boot-15x-starter (>=0.1.8 <=0.1.12), ai.foremast.metrics:foremast-spring-boot-1x-k8s-metrics-starter (>=0.1.6 <=0.1.7) +8011 more potentially affected by CVE-2023-34055 via org.springframework.boot:spring-boot-actuator (>=1.0.0.RELEASE <=2.7.17)
org.springframework.boot:spring-boot-actuator MAVEN version =1.0.0.RELEASE, =0.1.8, =0.1.6, =0.1.2, =0.5.0, =0.5.21, =0.5.0, =0.5.0, =0.5.0, =0.5.0, =0.5.0, =0.5.0, =0.5.0, =0.5.0, =0.5.0, =0.5.0, =0.5.24 and more Source cves: CVE-2023-34055 Source advisory: OSV:GHSA-JJFH-589G-3H...
am.ik.access-logger:access-logger (>=0.1.0 <=0.1.2), cn.herodotus.engine:event-core (=3.0.1.0) +618 more potentially affected by CVE-2023-34055 via org.springframework.boot:spring-boot-actuator (>=3.0.0 <=3.0.12)
org.springframework.boot:spring-boot-actuator MAVEN version =3.0.0, =0.1.0, =0.1.2 - cn.herodotus.engine:event-core =3.0.1.0 - cn.herodotus.engine:event-message-spring-boot-starter =3.0.1.0 - cn.herodotus.engine:event-pay-spring-boot-starter =3.0.1.0 -...
Spring Boot Actuator denial of service vulnerability
In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0 - 3.0.12 and 3.1.0 - 3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: the application uses Spring M...
Design/Logic Flaw
In Spring Framework versions 6.0.0 - 6.0.13, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: the application uses Spring MVC or Spring WebFlux...
UBUNTU-CVE-2023-34053
In Spring Framework versions 6.0.0 - 6.0.13, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: the application uses Spring MVC or Spring WebFlux...
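The version ranges quoted in the CVE-2023-34055 entries (Spring Boot actuator), the CVE-2023-34053 entries (Spring Framework 6.0.0 - 6.0.13) and the CVE-2023-6378 entry (logback-core 1.4.0 - 1.4.11) are what a practitioner has to check a build against. The following is an added example, not code from Spring, OSV, Greenbone or any project listed above: a small Python triage script that parses a constructed pom.xml and reports which declared coordinates fall inside those inclusive ranges. The ADVISORIES table is transcribed from this page; for CVE-2023-34055 the OSV listings start at 1.0.0.RELEASE while the CVE text starts at 2.7.0, and the wider bound is used. Assumptions made for illustration: the `org.springframework:*` wildcard treats every Spring Framework module as carrying the Framework version, the STARTER_IMPLIES map records that spring-boot-starter-actuator pulls in spring-boot-actuator, and an unversioned org.springframework.boot dependency is taken to be managed at the spring-boot-starter-parent version. The sample pom is constructed for the example.

```python
"""Advisory triage: test Maven coordinates from a pom.xml against the affected
version ranges quoted on this page (CVE-2023-34055, CVE-2023-34053,
CVE-2023-6378). Added example; not Spring, Greenbone or OSV code."""
import re
import xml.etree.ElementTree as ET

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Inclusive ranges transcribed from the page. For CVE-2023-34055 the OSV entries
# start at 1.0.0.RELEASE while the CVE text starts at 2.7.0; the wider bound is used.
# CVE-2023-34053 is keyed on the whole org.springframework group (assumption:
# all Spring Framework modules ship with the same version number).
ADVISORIES = [
    ("CVE-2023-34055", "org.springframework.boot:spring-boot-actuator", "1.0.0.RELEASE", "2.7.17"),
    ("CVE-2023-34055", "org.springframework.boot:spring-boot-actuator", "3.0.0", "3.0.12"),
    ("CVE-2023-34055", "org.springframework.boot:spring-boot-actuator", "3.1.0", "3.1.5"),
    ("CVE-2023-34053", "org.springframework:*", "6.0.0", "6.0.13"),
    ("CVE-2023-6378", "ch.qos.logback:logback-core", "1.4.0", "1.4.11"),
]

# Starters that pull the advisory's artifact in transitively (assumption, kept
# to the one case the sample pom needs).
STARTER_IMPLIES = {
    "org.springframework.boot:spring-boot-starter-actuator":
        "org.springframework.boot:spring-boot-actuator",
}

# Pre-release qualifiers sort below a final release; "RELEASE" equals no qualifier.
QUALIFIER_RANK = {"SNAPSHOT": 0, "M": 1, "RC": 2, "": 3, "RELEASE": 3}


def parse_version(text):
    """Turn '3.1.5', '1.0.0.RELEASE', '3.2.0-RC1' or '6.1.0-SNAPSHOT' into a
    tuple that compares the way the Spring release train orders them."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:[.-]([A-Za-z]+)(\d*))?", text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    numbers = tuple(int(n) for n in m.group(1).split("."))
    numbers += (0,) * (4 - len(numbers))          # pad so that 3.1 == 3.1.0
    qualifier = (m.group(2) or "").upper()
    if qualifier not in QUALIFIER_RANK:
        raise ValueError(f"unknown qualifier in {text!r}")
    return (numbers, QUALIFIER_RANK[qualifier], int(m.group(3) or 0))


def in_range(version, low, high):
    """Inclusive range test using the ordering above."""
    v = parse_version(version)
    return parse_version(low) <= v <= parse_version(high)


def matching_advisories(coordinate, version):
    """Return the CVE ids whose affected range contains group:artifact@version."""
    coordinate = STARTER_IMPLIES.get(coordinate, coordinate)
    group, artifact = coordinate.split(":", 1)
    hits = []
    for cve, pattern, low, high in ADVISORIES:
        p_group, p_artifact = pattern.split(":", 1)
        if p_group == group and p_artifact in ("*", artifact) and in_range(version, low, high):
            if cve not in hits:
                hits.append(cve)
    return hits


def declared_dependencies(pom_xml):
    """Yield (group:artifact, version) pairs declared in a pom. A dependency with
    no explicit version is assumed to be managed at the spring-boot-starter-parent
    version when it belongs to org.springframework.boot; any other unversioned
    dependency is skipped, since only the resolved tree knows its version."""
    root = ET.fromstring(pom_xml)
    parent_ver = root.findtext("m:parent/m:version", default=None, namespaces=POM_NS)
    for dep in root.findall("m:dependencies/m:dependency", POM_NS):
        group = dep.findtext("m:groupId", namespaces=POM_NS)
        artifact = dep.findtext("m:artifactId", namespaces=POM_NS)
        version = dep.findtext("m:version", default=None, namespaces=POM_NS)
        if version is None and group == "org.springframework.boot":
            version = parent_ver
        if version:
            yield f"{group}:{artifact}", version


def triage(pom_xml):
    """Map each in-range coordinate@version in the pom to its advisories."""
    findings = {}
    for coordinate, version in declared_dependencies(pom_xml):
        cves = matching_advisories(coordinate, version)
        if cves:
            findings[f"{coordinate}@{version}"] = cves
    return findings


# Constructed sample pom (not from any real project): a Boot 3.1.5 parent, the
# actuator starter without an explicit version, and pinned spring-webmvc/logback.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>3.1.5</version>
  </parent>
  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-actuator</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-webmvc</artifactId>
      <version>6.0.13</version>
    </dependency>
    <dependency>
      <groupId>ch.qos.logback</groupId>
      <artifactId>logback-core</artifactId>
      <version>1.4.11</version>
    </dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for key, cves in triage(SAMPLE_POM).items():
        print(f"{key}: {', '.join(cves)}")
```

A hit means "declared version is inside the advisory's range", not "exploitable": the CVE texts above make the DoS conditional on further requirements (Spring MVC or WebFlux plus the actuator on the classpath, with the rest of the list truncated on this page), so confirm those before raising severity. The script only sees versions written in the pom or inherited from the Boot parent; versions of transitive dependencies such as the Framework modules a starter pulls in come from the resolved tree (`mvn dependency:tree`), and that output, not the pom, is what should be fed to the range check in a real pipeline.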