1241 matches found

IBM Security Bulletins
added 2023/09/04 11:29 a.m., 43 views

Security Bulletin: IBM Cloud Pak for Network Automation 2.6 addresses multiple security vulnerabilities

Summary: IBM Cloud Pak for Network Automation 2.6 addresses multiple security vulnerabilities, listed in the CVEs below. Vulnerability Details: CVEID: CVE-2022-25647. DESCRIPTION: Google Gson is vulnerable to a denial of service, caused by the deserialization of untrusted data. By using the...

CVSS 9.8, AI score 9.4, EPSS 0.16764
Exploits 1, Affected Software 1
Tenable Nessus
added 2023/08/30 12:00 a.m., 21 views

Security Update for Microsoft Visual Studio Code Spring Boot Tools Extension (CVE-2022-31691)

The Microsoft Visual Studio Code Spring Boot Tools Extension is version 1.39.0 or below. It is, therefore, affected by a remote code execution vulnerability. The extension uses the Snakeyaml library for YAML editing support. This library allows for some special syntax in the YAML that under certa...

CVSS 9.8, AI score 9.1, EPSS 0.12808
Exploits 0, References 2
Spring Engineering
added 2023/08/29 12:00 a.m., 14 views

My SpringOne 2023 Recap

Hi, Spring fans! Look, it's Monday after the first in-person SpringOne of the 2020s and the first since the pandemic, and, being honest, I'm bushed! Vegas is a dizzying, sensational, overwhelming, exciting experience, and SpringOne is too. But it was worth it. The SpringOne show surpassed all...

AI score 6.5
Exploits 0
Spring Engineering
added 2023/08/29 12:00 a.m., 12 views

This Week in Spring - August 29th, 2023 - the post SpringOne recovery blog

Hi, Spring fans! Welcome to another installment of This Week in Spring! I'm exhausted. Seriously. Last week was mental. If you need me, I'll be over sipping on a tea... But, before that, there's a ton of things to cover from this last week, as always, and there's no rest for the curious, so let's...

AI score 6.7
Exploits 0
Spring Engineering
added 2023/08/22 12:00 a.m., 10 views

Tackling the OAuth2 Client component model in Spring Security

In Spring Security 5, we saw many developments in the OAuth2 story with the introduction of OAuth2 Resource Server and OAuth2 Client into the framework. Today, it is quite convenient to develop applications that are secured by OAuth2 using the features available in OAuth2 Resource Server...

AI score 6.9
Exploits 0
CNNVD
added 2023/08/21 12:00 a.m., 1 view

Mini-Tmall SQL injection vulnerability

Mini-Tmall is a Spring Boot-based mini Tmall mall with fast deployment and runtime, suitable for use as a Bijou template. Mini-Tmall suffers from a SQL injection vulnerability that stems from incorrect handling of the orderBy parameter, which can lead to SQL injection...

CVSS 9.8, AI score 7.1, EPSS 0.00065
Exploits 0, References 4
RedHat Linux
added 2023/08/16 10:56 a.m., 45 views

Important: Red Hat Security Advisory: Red Hat support for Spring Boot 2.7.13 security update

An update is now available for Red Hat OpenShift Application Runtimes. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from t...

CVSS 9.8, AI score 7.1, EPSS 0.93849
Exploits 9, References 9
RedhatCVE
added 2023/08/14 9:49 p.m., 33 views

CVE-2023-20873

A flaw was found in Spring Boot. It specifically affects the 'spring-boot-actuator-autoconfigure' package. The issue occurs when an application is deployed to Cloud Foundry, where it could be susceptible to a security bypass. Specifically, an application is vulnerable when all of the following are...

CVSS 9.8, AI score 9.2, EPSS 0.00446
Exploits 0, References 5
vulnersOsv
added 2023/08/08 6:30 p.m., 2 views

com.arassec.igor:igor-spring-boot-starter (>=0.6.7 <=0.6.8), com.arassec.igor:igor-standalone (>=0.6.7 <=0.6.8) +211 more potentially affected by CVE-2023-3894 via com.fasterxml.jackson.dataformat:jackson-dataformat-toml (>=2.12.3 <=2.14.2)

com.fasterxml.jackson.dataformat:jackson-dataformat-toml MAVEN version =2.12.3, =0.6.7, =0.6.7, =0.6.7, =0.0.1, =0.18.3, =0.18.3, =0.18.3, =0.18.3, =0.18.3, =0.18.3, =2023.2, =1.1.6, =3.0.0-snapshot.20240126.12648.0.va9dc2d63, =3.0.0-snapshot.20240126.12648.0.va9dc2d63,...

CVSS 7.5, AI score 7.1, EPSS 0.00066
Exploits 0
IBM Security Bulletins
added 2023/08/01 2:54 p.m., 57 views

Security Bulletin: IBM Cloud Pak for Security includes components with multiple known vulnerabilities

Summary: IBM Cloud Pak for Security includes components with known vulnerabilities. These have been updated in the latest release and the vulnerabilities have been addressed. Please follow the instructions in the Remediation/Fixes section below to update to the latest version of Cloud Pak for Security...

CVSS 9.8, AI score 9.6, EPSS 0.04807
Exploits 5, Affected Software 1
IBM Security Bulletins
added 2023/07/24 8:52 p.m., 42 views

Security Bulletin: VMware Tanzu Spring Boot is vulnerable to CVE-2023-20883 used in IBM Maximo Application Suite - Monitor Component

Summary: IBM Maximo Application Suite - Monitor Component uses VMware Tanzu Spring Boot, which is vulnerable to CVE-2023-20883. Vulnerability Details: CVEID: CVE-2023-20883. DESCRIPTION: VMware Tanzu Spring Boot is vulnerable to a denial of service, caused by a flaw when Spring MVC is used together wi...

CVSS 7.5, AI score 8.1, EPSS 0.0069
Exploits 0, Affected Software 1
GithubExploit
added 2023/07/24 6:52 p.m., 676 views

Exploit for SQL Injection in Apache Log4J

CVE-2022-23305 Log4j JDBCAppender SQL injection POC. This is a...

CVSS 9.8, AI score 9.7, EPSS 0.09452
Exploits 1
vulnersOsv
added 2023/07/19 3:30 p.m., 2 views

ai.aitia:arrowhead-application-library-java-spring (>=4.4.0.2 <=4.6.0.0), ai.ylyue:yue-library-auth-client (=j11.2.6.0) +828 more potentially affected by CVE-2023-34034 via org.springframework.security:spring-security-config (>=5.6.0 <=5.6.10)

org.springframework.security:spring-security-config MAVEN version =5.6.0, =4.4.0.2, =0.2.0, =2.1.0.M8, =2.7.0.Beta1, =2.7.0.Beta1, =2.7.0.Beta1, =2.7.0.Beta1, =0.0.1, =0.0.6 - com.atlassian.connect:atlassian-connect-spring-boot-api =2.2.7 - com.atlassian.connect:atlassian-connect-spring-boot-core...

CVSS 9.8, AI score 6.7, EPSS 0.4929
Exploits 1
RedHat Linux
added 2023/07/18 1:50 p.m., 32 views

Important: Red Hat Security Advisory: Red Hat Build of OptaPlanner 8.38.0 for Quarkus 2.13.8 security update

The Red Hat Build of OptaPlanner 8.38.0 for Quarkus 2.13.8 release and security update is now available. The purpose of this text-only errata is to inform you about the security issues fixed. Red Hat Product Security has rated this update as having an impact of Important. A Common Vulnerability Scori...

CVSS 7.5, AI score 7.1, EPSS 0.0069
Exploits 0, References 7
IBM Security Bulletins
added 2023/07/14 11:17 p.m., 45 views

Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in VMware Tanzu Spring Boot

Summary: Multiple vulnerabilities in VMware Tanzu Spring Boot used by IBM InfoSphere Information Server were addressed. Vulnerability Details: CVEID: CVE-2023-20883. DESCRIPTION: VMware Tanzu Spring Boot is vulnerable to a denial of service, caused by a flaw when Spring MVC is used together with a...

CVSS 9.8, AI score 8.8, EPSS 0.0069
Exploits 0, Affected Software 1
vulnersOsv
added 2023/07/14 6:31 a.m., 3 views

ai.hyacinth.framework:core-service-admin-server (>=0.5.0 <=0.5.24), cn.home1:oss-admin (>=1.0.6.OSS <=1.0.7.OSS) +56 more potentially affected by CVE-2023-38286 via de.codecentric:spring-boot-admin-server (>=1.0.2 <=2.7.15)

de.codecentric:spring-boot-admin-server MAVEN version =1.0.2, =0.5.0, =1.0.6.OSS, =1.2.3-RELEASE, =3.0.3.RELEASE, =1.0.0, =1.1.3, =3.0.10, =1.0.0, =5.0.18, =1.5.0-Beta, =1.5.1-RC - com.wudgaby.platform:health-admin-server =1.0.5 and more Source cves: CVE-2023-38286 Source advisory:...

CVSS 7.5, AI score 7.1, EPSS 0.00147
Exploits 1
OSV
added 2023/07/14 6:31 a.m., 1 view

GHSA-7GJ7-224W-VPR3 Spring-boot-admin sandbox bypass via crafted HTML

Thymeleaf through 3.1.1.RELEASE, as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1, allows a sandbox bypass via crafted HTML. This may be relevant for SSTI (Server-Side Template Injection) and code execution in spring-boot-admin if MailNotifier is enabled and there is write access ...

CVSS 7.5, AI score 6.2, EPSS 0.00147
Exploits 1, References 9
Github Security Blog
added 2023/07/14 6:31 a.m., 31 views

Spring-boot-admin sandbox bypass via crafted HTML

Thymeleaf through 3.1.1.RELEASE, as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1, allows a sandbox bypass via crafted HTML. This may be relevant for SSTI (Server-Side Template Injection) and code execution in spring-boot-admin if MailNotifier is enabled and there is write access ...

CVSS 7.5, AI score 7.7, EPSS 0.00147
Exploits 1, References 9, Affected Software 1
vulnersOsv
added 2023/07/14 6:31 a.m., 3 views

com.netcetera.girders.demos:girders-demo-adminserver (>=6.0.0 <=6.1.0), com.senzhikong:depend-cloud-monitor (>=1.1.0 <=1.1.1) +11 more potentially affected by CVE-2023-38286 via de.codecentric:spring-boot-admin-server (>=3.0.0 <=3.1.1)

de.codecentric:spring-boot-admin-server MAVEN version =3.0.0, =6.0.0, =1.1.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =7.0.0-RC4, =7.0.0-RC6 Source cves: CVE-2023-38286 Source advisory: OSV:GHSA-7GJ7-224W-VPR3...

CVSS 7.5, AI score 7.1, EPSS 0.00147
Exploits 1
ATTACKERKB
added 2023/07/14 5:15 a.m., 3 views

CVE-2023-38286

Thymeleaf through 3.1.1.RELEASE, as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 and other products, allows a sandbox bypass via crafted HTML. This may be relevant for SSTI (Server-Side Template Injection) and code execution in spring-boot-admin if MailNotifier is enabled and there i...

CVSS 7.5, AI score 7.5, EPSS 0.00147
Exploits 1, References 2