This Week in Spring - May 17th, 2022

Hi, Spring fans! Welcome to another installment of This Week in Spring! I am in beautiful Barcelona, Spain, this week, ahead of the upcoming Spring I/O show. I just spent a wonderful week in amazing England, meeting old friends, speaking at Devoxx UK, etc. A Bootiful Podcast: EasyMock contributor...

au.com.mountain-pass:hyperstate-client (>=1 <=10), au.com.mountain-pass:hyperstate-client-webdriver (>=1 <=10) +112 more potentially affected by CVE-2016-6652 via org.springframework.data:spring-data-jpa (>=1.10.0.RELEASE <=1.10.3.RELEASE)

org.springframework.data:spring-data-jpa MAVEN version =1.10.0.RELEASE, =1, =1, =1, =1, =1, =1.0.0, =1.6, =0.85, =0.85, =0.89.6 and more Source cves: CVE-2016-6652 Source advisory: OSV:GHSA-XR4V-28RM-PVGW...

Improper Neutralization of Special Elements used in an SQL Command Pivotal Spring Data JPA

SQL injection vulnerability in Pivotal Spring Data JPA before 1.9.6 Gosling SR6 and 1.10.x before 1.10.4 Hopper SR4, when used with a repository that defines a String query using the @Query annotation, allows attackers to execute arbitrary JPQL commands via a sort instance with a function call...

am.ik.home:uaa-server (>=1.0.0 <=1.9.0), at.researchstudio.sat:won-core (>=0.2 <=0.9) +1138 more potentially affected by CVE-2016-6652 via org.springframework.data:spring-data-jpa (>=1.0.1.RELEASE <=1.9.5.RELEASE)

org.springframework.data:spring-data-jpa MAVEN version =1.0.1.RELEASE, =1.0.0, =0.2, =0.3, =0.2, =0.2, =0.3, =0.3, =0.3, =0.3, =0.3, =0.2, =0.3, =0.3, =0.6 - at.researchstudio.sat:won-owner =0.3 - at.researchstudio.sat:won-owner-webapp =0.3 and more Source cves: CVE-2016-6652 Source advisory:...

GHSA-XR4V-28RM-PVGW Improper Neutralization of Special Elements used in an SQL Command Pivotal Spring Data JPA

SQL injection vulnerability in Pivotal Spring Data JPA before 1.9.6 Gosling SR6 and 1.10.x before 1.10.4 Hopper SR4, when used with a repository that defines a String query using the @Query annotation, allows attackers to execute arbitrary JPQL commands via a sort instance with a function call...

Remote code execution in PATCH requests in Spring Data REST

Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 Ingalls SR9, versions prior to 3.0.1 Kay SR1 can use specially crafted JSON data to run arbitrary Java code...

am.ik.home:uaa-server (>=1.0.0 <=1.9.0), br.com.intelipost:sdk-java (>=0.0.1 <=0.0.8) +89 more potentially affected by CVE-2017-8046 via org.springframework.data:spring-data-rest-core (>=1.0.0.RELEASE <=2.6.8.RELEASE)

org.springframework.data:spring-data-rest-core MAVEN version =1.0.0.RELEASE, =1.0.0, =0.0.1, =1.0.0, =1.0.0, =2.3.0-RELEASE, =0.0.6, =0.0.1, =0.0.1, =1.0.0, =1.0.1-SNAPSHOTS - com.github.zengfr.project:com.github.zengfr.project.common =0.0.1 - com.github.zengfr.project:com.github.zengfr.project.p...

GHSA-9QF9-28H9-HQCJ Remote code execution in PATCH requests in Spring Data REST

Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 Ingalls SR9, versions prior to 3.0.1 Kay SR1 can use specially crafted JSON data to run arbitrary Java code...

com.github.paulcwarren:content-rest-spring-boot-starter (>=0.5.0 <=0.6.0), com.github.paulcwarren:spring-content-rest (>=0.5.0 <=0.6.0) +8 more potentially affected by CVE-2017-8046 via org.springframework.data:spring-data-rest-core (>=3.0.0.RELEASE <=3.0.14.RELEASE)

org.springframework.data:spring-data-rest-core MAVEN version =3.0.0.RELEASE, =0.5.0, =0.5.0, =0.5.0, =0.0.1-RELEASE, =1.0.7, =2.0.5.RELEASE, =3.0.0.RELEASE, =3.0.0.RELEASE, =3.0.14.RELEASE Source cves: CVE-2017-8046 Source advisory: OSV:GHSA-9QF9-28H9-HQCJ...

Spring Data Commons < 1.13.11 / 2.x < 2.0.6 RCE

The version of Spring Data Commons installed on the remote host is affected by a remote code execution vulnerability. Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of...

This Week in Spring - May 3rd, 2022

Hi, Spring fans! Welcome to another installment of This Week in Spring! How are you doin? Im excited! This week Im speaking at the ArabJUG, and Ill be speaking at Microsofts huuuge JDConf event. Both of these are virtual. Then, next Monday, Im on a plane bound for London, UK, where Ill be speakin...

Ever wanted to rewrite a query in Spring Data JPA?

Sometimes, no matter how many features you try to apply, it seems impossible to get Spring Data JPA to apply every thing youd like to a query before it is sent to the EntityManager. With 3.0.0-SNAPSHOT and targeted for the next milestone release train of Spring Data, you now have the ability to g...

This Week in Spring - April 19th, 2022

Hi, Spring fans! Welcome to another installment of This Week in Spring! Its been quite the week since we last talked! I flew to Atlanta, GA, for my first in-person show since the pandemic - Devnexus 2022. I loved the experience! Hopefully, the only souvenirs Ill have are the amazing memories and...

VMware Tanzu Spring Data Commons Property Binder Vulnerability

Spring Data Commons contains a property binder vulnerability which can allow an attacker to perform remote code execution...

CVE-2021-22047

In Spring Data REST versions 3.4.0 - 3.4.13, 3.5.0 - 3.5.5, and older unsupported versions, HTTP resources implemented by custom controllers using a configured base API path and a controller type-level request mapping are additionally exposed under URIs that can potentially be exposed for...

CVE-2021-22047

In Spring Data REST versions 3.4.0 - 3.4.13, 3.5.0 - 3.5.5, and older unsupported versions, HTTP resources implemented by custom controllers using a configured base API path and a controller type-level request mapping are additionally exposed under URIs that can potentially be exposed for...

Design/Logic Flaw

In Spring Data REST versions 3.4.0 - 3.4.13, 3.5.0 - 3.5.5, and older unsupported versions, HTTP resources implemented by custom controllers using a configured base API path and a controller type-level request mapping are additionally exposed under URIs that can potentially be exposed for...

CVE-2021-22047

In Spring Data REST versions 3.4.0 - 3.4.13, 3.5.0 - 3.5.5, and older unsupported versions, HTTP resources implemented by custom controllers using a configured base API path and a controller type-level request mapping are additionally exposed under URIs that can potentially be exposed for...

CVE-2021-22047

CVE-2021-22047 affects Spring Data REST: HTTP resources implemented by custom controllers using a configured base API path and a controller type-level request mapping are exposed under URIs that may be accessible without authorization, depending on Spring Security configuration.impact is describe...

VMware Spring Security 安全漏洞

VMware Spring Security is a set of security frameworks from VMware that provide illustrative security protections for Spring-based applications. A security vulnerability exists in Spring Data REST that stems from the additional disclosure of HTTP resources under the uri for custom controller...