
1241 matches found

IBM Security Bulletins
added 2023/06/21 1:32 p.m. | 32 views

Security Bulletin: IBM Operational Decision Manager June 2023 - Multiple CVEs

Summary This Security Bulletin addresses the security vulnerabilities that have been fixed within the IBM Operational Decision Manager. This product now includes fixes for the following security vulnerabilities. Vulnerability Details CVEID:CVE-2023-20883 DESCRIPTION: VMware Tanzu Spring Boot is...

9.1 CVSS | 9.7 AI score | 0.339 EPSS
Exploits: 4 | Affected Software: 1
Spring Engineering
added 2023/06/21 12:0 a.m. | 10 views

Docker Compose Support in Spring Boot 3.1

Docker Compose support in Spring Boot 3.1 builds on top of the ConnectionDetails abstraction, which we've featured in a separate blog post. If you haven't already read it, please do so before reading this post. Docker Compose "is a tool for defining and running multi-container Docker applications...

10 AI score
Exploits: 0
GithubExploit
added 2023/06/20 8:12 a.m. | 490 views

Exploit for SQL Injection in Jeecg Jeecg-Boot

CVE-2023-1454 Jeecg-Boot-qurestSql-SQLvuln jmreport/qurestSq...

9.8 CVSS | 6.8 AI score | 0.93399 EPSS
Exploits: 3
Spring Engineering
added 2023/06/20 12:0 a.m. | 15 views

This Week in Spring - June 20th, 2023

Hi, Spring fans! Welcome to another installment of This Week in Spring! I'm in Sydney, Australia, talking to customers, koalas, kangaroos, and whoever else will listen! I'll be doing a live presentation, tonight at the Microsoft Reactor here in Sydney. Register now and come join me! As usual, we'...

7 AI score
Exploits: 0
Spring Engineering
added 2023/06/19 12:0 a.m. | 11 views

Spring Boot 3.1's ConnectionDetails abstraction

If you've used Spring Boot for a while, you're probably familiar with setting up connection details using properties. For example, you may have used spring.datasource.url to configure a JDBC connection. In Spring Boot 3.1 this continues to work as you'd expect, but we've changed things a bit unde...

7.3 AI score
Exploits: 0
RedHat Linux
added 2023/06/15 3:23 p.m. | 54 views

Important: Red Hat Security Advisory: Red Hat Integration Camel for Spring Boot 3.18.3 Patch 2 release

Camel for Spring Boot 3.18.3 Patch 2 release and security update is now available. Red Hat Product Security has rated this update as having an impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability fr...

9.8 CVSS | 6.8 AI score | 0.05991 EPSS
Exploits: 15 | References: 18
RedHat Linux
added 2023/06/15 3:23 p.m. | 1 views

spring-boot: Spring Boot Welcome Page DoS Vulnerability

A flaw was found in Spring Boot, occurring prominently in Spring MVC with a reverse proxy cache. This issue requires Spring MVC to have auto-configuration enabled and the application to use Spring Boot's welcome page support, either static or templated, resulting in the application being deployed...

7.5 CVSS | 7.3 AI score | 0.0069 EPSS
Exploits: 0 | References: 4
Spring Engineering
added 2023/06/13 12:0 a.m. | 14 views

This Week in Spring - June 13th, 2023

This Month in Spring - June 13th, 2023 Hi, Spring fans! Welcome to another installment of This Week in Spring! I am in beautiful Taipei, eating delicious food and meeting amazing people in the sweltering weather. How're you doin'? I've got to join a meeting, so I'll make this quick. One quick thi...

7.1 AI score
Exploits: 0
F5 Networks
added 2023/06/07 8:10 a.m. | 22 views

K000134945: Spring Boot vulnerability CVE-2022-46166

Security Advisory Description Spring boot admins is an open source administrative user interface for management of spring boot applications. All users who run Spring Boot Admin Server, having enabled Notifiers e.g. Teams-Notifier and write access to environment variables via UI are affected. User...

9.8 CVSS | 9.1 AI score | 0.27951 EPSS
Exploits: 0
Spring Engineering
added 2023/06/07 12:0 a.m. | 78 views

Securing Spring Boot Applications With SSL

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are key components of securing communications between systems in a layered or service-oriented architecture. Spring Boot applications in such an architecture often accept incoming network connections or create outgoing connections, and...

6.5 AI score
Exploits: 0
Spring Engineering
added 2023/06/02 12:0 a.m. | 12 views

A Bootiful Podcast: Spring Boot team member Moritz Halbritter (@m_halbritter)

Hi, Spring fans! In this installment Josh Long (YouTube.com/@coffeesoftware.com) talks to Spring Boot team member Moritz Halbritter (@mhalbritter)...

6.9 AI score
Exploits: 0
Veracode
added 2023/05/31 1:11 a.m. | 37 views

Denial Of Service (DoS)

spring-boot-autoconfigure is vulnerable to Denial Of Service (DoS). The vulnerability is applicable when the application has Spring MVC auto-configuration enabled and uses the Spring Boot welcome page, which can be either static or templated, and the application is deployed behind a proxy which...

7.5 CVSS | 6.8 AI score | 0.0069 EPSS
Exploits: 0 | References: 8 | Affected Software: 1
CNVD
added 2023/05/29 12:0 a.m. | 16 views

IceCMS Cross-Site Scripting Vulnerability

IceCMS is a content management system based on Spring Boot and Vue, with separated front end and back end. IceCMS v1.0.0 has a cross-site scripting vulnerability, which stems from the application's lack of effective filtering and escaping of user-supplied data; an attacker can...

5.4 CVSS | 6.6 AI score | 0.00198 EPSS
Exploits: 1 | References: 1
CNVD
added 2023/05/29 12:0 a.m. | 20 views

IceCMS Access Control Error Vulnerability

IceCMS is a content management system based on Spring Boot and Vue, with separated front end and back end. An access control error vulnerability exists in IceCMS v1.0.0, which stems from improper access control in the system and can be exploited by an attacker to cause sensitive information leakage...

7.5 CVSS | 6.5 AI score | 0.00257 EPSS
Exploits: 1 | References: 1
vulnersOsv
added 2023/05/26 6:30 p.m. | 2 views

ai.ylyue:yue-library-base (=j11.2.6.2), ai.ylyue:yue-library-data-es (=j11.2.6.2) +3471 more potentially affected by CVE-2023-20883 via org.springframework.boot:spring-boot-autoconfigure (>=2.6.0 <=2.6.14)

org.springframework.boot:spring-boot-autoconfigure MAVEN version =2.6.0, =2.2.53, =0.23.9, =0.1.2, =5.7.0, =5.7.7, =5.7.0, =6.4.7 and more Source cves: CVE-2023-20883 Source advisory: OSV:GHSA-XF96-W227-R7C4...

7.5 CVSS | 7.1 AI score | 0.0069 EPSS
Exploits: 0
OSV
added 2023/05/26 6:30 p.m. | 0 views

GHSA-XF96-W227-R7C4 Spring Boot Welcome Page Denial of Service

In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache. Specifically, an application is vulnerable if all of the condition...

7.5 CVSS | 7.1 AI score | 0.0069 EPSS
Exploits: 0 | References: 9
vulnersOsv
added 2023/05/26 6:30 p.m. | 4 views

ai.timefold.solver:timefold-solver-spring-boot-autoconfigure (>=0.8.38 <=0.8.39), ai.timefold.solver:timefold-solver-spring-boot-starter (>=0.8.38 <=0.8.39) +4743 more potentially affected by CVE-2023-20883 via org.springframework.boot:spring-boot-autoconfigure (>=2.7.0 <=2.7.11)

org.springframework.boot:spring-boot-autoconfigure MAVEN version =2.7.0, =0.8.38, =0.8.38, =v0.16.1, =v0.16.1, =v0.16.1, =1.0.0, =5.3.1, =2.2.94, =0.23.48, =0.1.13, =1.9, =1.10 - ca.uhn.hapi.fhir:hapi-fhir-spring-boot-autoconfigure =6.6.0 -...

7.5 CVSS | 7.1 AI score | 0.0069 EPSS
Exploits: 0
vulnersOsv
added 2023/05/26 6:30 p.m. | 5 views

ai.aitia:arrowhead-application-library-java-spring (>=4.4.0.0 <=4.4.0.1), ai.djl.spring:djl-spring-boot-starter-autoconfigure (>=0.2 <=0.11) +26949 more potentially affected by CVE-2023-20883 via org.springframework.boot:spring-boot-autoconfigure (>=1.0.0.RELEASE <=2.5.14)

org.springframework.boot:spring-boot-autoconfigure MAVEN version =1.0.0.RELEASE, =4.4.0.0, =0.2, =0.2, =0.2, =0.2, =0.2, =0.2, =0.5, =0.0.12, =0.1.8, =0.1.6, =0.1.2, =0.0.6, =0.0.11, =0.0.51 and more Source cves: CVE-2023-20883 Source advisory: OSV:GHSA-XF96-W227-R7C4...

7.5 CVSS | 7.1 AI score | 0.0069 EPSS
Exploits: 0
vulnersOsv
added 2023/05/26 6:30 p.m. | 4 views

ai.timefold.solver:timefold-solver-spring-boot-autoconfigure (>=0.9.38 <=0.9.39), ai.timefold.solver:timefold-solver-spring-boot-starter (>=0.9.38 <=0.9.39) +3806 more potentially affected by CVE-2023-20883 via org.springframework.boot:spring-boot-autoconfigure (>=3.0.0 <=3.0.6)

org.springframework.boot:spring-boot-autoconfigure MAVEN version =3.0.0, =0.9.38, =0.9.38, =2.0.0, =3.0.0, =2.9.9, =0.25.3, =0.1.43, =0.1.65 - cc.vihackerframework:vihacker-annotation =1.0.8.R - cc.vihackerframework:vihacker-auth-starter =1.0.8.R - cc.vihackerframework:vihacker-common-starter...

7.5 CVSS | 7.1 AI score | 0.0069 EPSS
Exploits: 0
Github Security Blog
added 2023/05/26 6:30 p.m. | 57 views

Spring Boot Welcome Page Denial of Service

In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache. Specifically, an application is vulnerable if all of the condition...

7.5 CVSS | 6.7 AI score | 0.0069 EPSS
Exploits: 0 | References: 9 | Affected Software: 1