324 matches found

IBM Security Bulletins
added 2022/11/28 7:52 p.m. | 44 views

Security Bulletin: IBM Planning Analytics Workspace is affected by vulnerabilities in Node.js and Spring Data MongoDB

Summary: IBM Planning Analytics Workspace is affected by vulnerabilities in Node.js and Spring Data MongoDB: CVE-2022-32212, CVE-2022-32213, CVE-2022-32223, CVE-2022-32214, CVE-2022-32222, CVE-2022-32215, CVE-2022-22980. Vulnerability Details: CVEID: CVE-2022-32212 DESCRIPTION: Node.js could allow a...

9.8 CVSS | 8.7 AI score | 0.86472 EPSS
Exploits 8 | Affected Software 1
BDU FSTEC
added 2022/11/14 12:00 a.m. | 1 views

The vulnerability of the SimpleEvaluationContext class in the Spring Data Commons data management platform and the Spring Data REST framework for creating web services allows an attacker to execute arbitrary code.

The vulnerability of the SimpleEvaluationContext class in the Spring Data Commons data management platform and the Spring Data REST web framework is related to insufficient validation of input data. Exploiting this vulnerability allows an attacker to execute arbitrary code by sending specially...

10 CVSS | 8.2 AI score | 0.94284 EPSS
Exploits 9 | References 10 | Affected Software 2
Spring Engineering
added 2022/11/08 8:00 a.m. | 12 views

This Week in Spring - November 8th, 2022

Hi, Spring fans! Welcome to another installment of This Week in Spring! I've been busy this last week! I've been visiting with customers and talking to the community here in South East Asia. I was in Malaysia last week, and now I'm in Bangkok, Thailand. I'm near the end of my time here in SE Asia,...

0.2 AI score
Exploits 0
Spring Engineering
added 2022/10/18 7:00 p.m. | 15 views

This Week in Spring - October 18th, 2022

Hi, Spring fans! How're you doin'? I'm doin' alright! Last week I was in Antwerp, Belgium, for the amazing Devoxx BE show. I did a presentation with my friend and hero James Ward on Spring and Kotlin that was voted third most-liked talk at a show with more than 250 speakers! That was a personal caree...

0.6 AI score
Exploits 0
Spring Engineering
added 2022/10/16 7:00 a.m. | 14 views

Spring at JavaOne 2022

Hi, Spring fans! It's Sunday the 16th of October as I write this and I'm winging my way to sunny Las Vegas, Nevada, where I'll be attending and presenting at the first JavaOne show in years! It didn't exist as the JavaOne we know and love for years, even before the pandemic interrupted life as we kno...

Exploits 0
Veracode
added 2022/09/23 9:23 a.m. | 32 views

Information Disclosure

spring-data-rest-webmvc is vulnerable to information disclosure. The vulnerability exists due to the improper implementation of the JSON patch in the library, allowing an attacker to get information about the hidden entity attributes through maliciously crafted HTTP requests...

3.7 CVSS | 4.8 AI score | 0.00174 EPSS
Exploits 0 | References 5 | Affected Software 1
vulnersOsv
added 2022/09/22 12:00 a.m. | 2 views

app.commerce-io:spring-boot-starter-data-search-jpa (=1.3.0), be.personify.iam:personify-api (>=1.3.2.RELEASE <=1.4.4.RELEASE) +42 more potentially affected by CVE-2022-31679 via org.springframework.data:spring-data-rest-core (>=3.6.0 <=3.6.6)

org.springframework.data:spring-data-rest-core MAVEN version =3.6.0, =1.3.2.RELEASE, =1.3.1.RELEASE, =1.3.1.RELEASE, =1.2.6.RELEASE, =0.3.0, =0.3.0, =0.3.0, =1.2.7, =1.2.7, =1.2.7, =3.0.0, =3.0.0, =3.0.0, =3.0.2 and more Source cves: CVE-2022-31679 Source advisory: OSV:GHSA-FV7X-V67W-CVQV...

3.7 CVSS | 6.1 AI score | 0.00174 EPSS
Exploits 0
vulnersOsv
added 2022/09/22 12:00 a.m. | 4 views

ai.apiverse:apipulse (=1.0.1), com.contentgrid.spring:contentgrid-spring-boot-starter (>=0.4.2 <=0.6.1) +53 more potentially affected by CVE-2022-31679 via org.springframework.data:spring-data-rest-core (>=3.7.0 <=3.7.2)

org.springframework.data:spring-data-rest-core MAVEN version =3.7.0, =0.4.2, =0.4.2, =0.4.2, =5.12.1, =2.4.0, =2.4.0, =2.4.0, =3.0.3, =3.0.3, =3.0.3, =3.0.3, =3.0.3, =3.0.3, =3.1.0 - com.okta.spring.examples:okta-spring-boot-hosted-code-flow-example =2.1.6 and more Source cves: CVE-2022-31679...

3.7 CVSS | 6.1 AI score | 0.00174 EPSS
Exploits 0
GitHub Security Blog
added 2022/09/22 12:00 a.m. | 26 views

Spring Data REST can expose hidden entity attributes

Applications that allow HTTP PATCH access to resources exposed by Spring Data REST in versions 3.6.0 - 3.6.6, 3.7.0 - 3.7.2, and older unsupported versions, if an attacker knows about the structure of the underlying domain model, they can craft HTTP requests that expose hidden entity attributes...

3.7 CVSS | 5.1 AI score | 0.00174 EPSS
Exploits 0 | References 5 | Affected Software 1
OSV
added 2022/09/22 12:00 a.m. | 2 views

GHSA-FV7X-V67W-CVQV Spring Data REST can expose hidden entity attributes

Applications that allow HTTP PATCH access to resources exposed by Spring Data REST in versions 3.6.0 - 3.6.6, 3.7.0 - 3.7.2, and older unsupported versions, if an attacker knows about the structure of the underlying domain model, they can craft HTTP requests that expose hidden entity attributes...

3.7 CVSS | 5.9 AI score | 0.00174 EPSS
Exploits 0 | References 5
NVD
added 2022/09/21 6:15 p.m. | 13 views

CVE-2022-31679

Applications that allow HTTP PATCH access to resources exposed by Spring Data REST in versions 3.6.0 - 3.5.5, 3.7.0 - 3.7.2, and older unsupported versions, if an attacker knows about the structure of the underlying domain model, they can craft HTTP requests that expose hidden entity attributes...

3.7 CVSS | 0.00174 EPSS
Exploits 0 | References 1
OSV
added 2022/09/21 6:15 p.m. | 2 views

CVE-2022-31679

Applications that allow HTTP PATCH access to resources exposed by Spring Data REST in versions 3.6.0 - 3.5.5, 3.7.0 - 3.7.2, and older unsupported versions, if an attacker knows about the structure of the underlying domain model, they can craft HTTP requests that expose hidden entity attributes...

3.7 CVSS | 7.3 AI score | 0.00174 EPSS
Exploits 0 | References 1
Prion
added 2022/09/21 6:15 p.m. | 19 views

Code injection

Applications that allow HTTP PATCH access to resources exposed by Spring Data REST in versions 3.6.0 - 3.5.5, 3.7.0 - 3.7.2, and older unsupported versions, if an attacker knows about the structure of the underlying domain model, they can craft HTTP requests that expose hidden entity attributes...

2.6 CVSS | 4.4 AI score | 0.00174 EPSS
Exploits 0 | References 1 | Affected Software 1
Cvelist
added 2022/09/21 5:42 p.m. | 15 views

CVE-2022-31679

Applications that allow HTTP PATCH access to resources exposed by Spring Data REST in versions 3.6.0 - 3.5.5, 3.7.0 - 3.7.2, and older unsupported versions, if an attacker knows about the structure of the underlying domain model, they can craft HTTP requests that expose hidden entity attributes...

4.5 AI score | 0.00174 EPSS
Exploits 0 | References 1
Vulnrichment
added 2022/09/21 5:42 p.m. | 6 views

CVE-2022-31679

Applications that allow HTTP PATCH access to resources exposed by Spring Data REST in versions 3.6.0 - 3.5.5, 3.7.0 - 3.7.2, and older unsupported versions, if an attacker knows about the structure of the underlying domain model, they can craft HTTP requests that expose hidden entity attributes...

4 AI score | 0.00174 EPSS
Exploits 0 | References 1
CVE
added 2022/09/21 5:42 p.m. | 79 views

CVE-2022-31679

CVE-2022-31679 affects VMware Spring Data REST. The issue allows an attacker who knows the domain model to craft HTTP PATCH requests that expose hidden entity attributes. Affected versions include Spring Data REST 3.5.5 and older, 3.6.0–3.6.6, and 3.7.0–3.7.2. The central root cause is improper h...

3.7 CVSS | 4 AI score | 0.00174 EPSS
Exploits 0 | References 1 | Affected Software 1
CNNVD
added 2022/09/21 12:00 a.m. | 2 views

VMware Spring Data REST Security Vulnerability

VMware Spring Data REST is a data interface from VMware, Inc. It is used to build on top of the Spring Data repository, analyze an application's domain model, and expose hypermedia-driven HTTP resources for aggregations contained in the model. A security vulnerability exists in VMware Spring Data...

3.7 CVSS | 6 AI score | 0.00174 EPSS
Exploits 0 | References 2
Positive Technologies
added 2022/09/21 12:00 a.m. | 4 views

PT-2022-20886 · Spring · Spring Data Rest

Name of the Vulnerable Software and Affected Versions: Spring Data REST versions 3.5.5 and earlier; Spring Data REST versions 3.6.0 through 3.6.6; Spring Data REST versions 3.7.0 through 3.7.2. Description: The issue allows attackers to expose hidden entity attributes by crafting HTTP requests, if...

3.7 CVSS | 4.2 AI score | 0.00174 EPSS
Exploits 0 | References 7
Spring Engineering
added 2022/09/19 3:49 p.m. | 77 views

Spring Data REST Vulnerability (CVE-2022-31679)

Updates - 09-19 Vulnerability announced here and Spring Data REST 3.6.7 and 3.7.3 released - 09-19 Blog post updated to refer to the CVE report published The Spring Data 2021.1.7 and 2021.2.3 releases shipped on September 19th contained releases for Spring Data REST 3.6.7 and 3.7.3 which include...

2.7 AI score | 0.00174 EPSS
Exploits 0
Spring Engineering
added 2022/09/06 7:00 a.m. | 21 views

This Week in Spring - September 5th, 2022

Hi, Spring fans! How are you? It's a fantastic Tuesday, the 5th of September, 2022, and I couldn't be happier. It's also Labor Day weekend here in the US. It marks the unofficial end of summer, which is a bit sad. But, on the upside, it's a four-day weekend for me! I'm technically off today. So, you'll...

7.8 AI score
Exploits 0