Linux Distros Unpatched Vulnerability : CVE-2023-20860

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismat...

Linux Distros Unpatched Vulnerability : CVE-2025-41234

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Description In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download RFD attack when...

Linux Distros Unpatched Vulnerability : CVE-2020-5421

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks...

A Bootiful Podcast: Architecture sage and Spring Modulith lead Oliver Drotbohm

Hi, Spring fans! In this installment I caught up with architecture guru and Spring Modulith founder and lead Oliver Drotbohm and we looked at some of the amazing possibilities in Spring Modulith 2.0, coming after Spring Framework 7.0 and Spring Boot 4.0 drop later this year!...

Relative Path Traversal

Overview org.springframework:spring-beans is a package that is the basis for Spring Framework's IoC container. The BeanFactory interface provides an advanced configuration mechanism capable of managing any type of object. Affected versions of this package are vulnerable to Relative Path Traversal...

Security Bulletin: Denial of Service vulnerability affect IBM Business Automation Workflow embedded Navigator - CVE-2024-38808

Summary IBM Business Automation Workflow embedded Navigator repackages a vulnerable copy of Spring. Vulnerability Details CVEID:CVE-2024-38808 DESCRIPTION: In Spring Framework versions 5.3.0 - 5.3.38 and older unsupported versions, it is possible for a user to provide a specially crafted Spring...

This Week in Spring - August 5th, 2025

Hi, Spring fans! Welcome to another installment of This Week in Spring! It's August 5th! Which means we're only 20 days away until SpringOne 2025! Have you registered? There's so much to cover this week, so let's dive right into it! Spring Shell 3.4.1 is out! - the new release includes a number o...

Security Bulletin: Multiple Vulnerabilities in IBM CloudPak for AIOps

Summary Multiple vulnerabilities were addressed in IBM Cloud Pak for AIOps version 4.10.1 Vulnerability Details CVEID:CVE-2025-22233 DESCRIPTION: CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names...

This Week in Spring - July 22nd, 2025

Hi, Spring fans! It's almost SpringOne time!! AAAAH it's all moving so quickly! I can hardly stand it. SpringOne's next month, in lovely Las Vegas, and I'll be there. Will you? Have you registered? We'll be looking at the impending Spring Boot 4.0 and Spring Framework 7.0 releases! It's going to ...

Security Bulletin: IBM Maximo Application Suite Ai-Service Component uses an application is vulnerable to a reflected file download (RFD) attack.

Summary Security Bulletin: IBM Maximo Application Suite Ai-Service Component uses an application is vulnerable to a reflected file download RFD attack.The filename is derived from user-supplied input but sanitized by the application. Vulnerability Details CVEID:CVE-2025-41234 DESCRIPTION:...

Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in spring-expression-5.3.24.jar

Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of spring-expression-5.3.24.jar Vulnerability Details CVEID:CVE-2023-20861 DESCRIPTION: In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possibl...

Spring Framework 6.0.5 < 6.0.29 / 6.1.x < 6.1.21 / 6.2.x < 6.2.8 Reflected File Download (CVE-2025-41234)

The version of Spring Framework installed on the remote host is 6.0.5 prior to 6.0.29, 6.1.x prior to 6.1.21, or 6.2.x prior to 6.2.8. It is, therefore, affected by a reflected file download vulnerability: - In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application...

This Week in Spring - June 24th, 2025

Hi, Spring fans! Welcome to another installment of This Week in Spring! We're in the middle of June already! And you know what that means? Warm weather, fun, and of course: the amazing SpringOne event in lovely Las Vegas, NV! The content catalog went live today! I'll be there doing, among other...

Security Bulletin: IBM i Modernization Engine for Lifecycle Integration is affected by multiple vulnerabilities

Summary There are multiple vulnerabilities in components of IBM i Modernization Engine for Lifecycle Integration as described in the Vulnerability Details section. HTTP Proxy bypass using IPv6 Zone IDs can improperly treat an IPv6 zone ID as a hostname component CVE-2025-22870. Spring Framework...

Mass Assignment Attack

org.springframework, spring-context is vulnerable to Mass Assignment Attack. The vulnerability is due to incomplete enforcement of the disallowedFields mechanism, which allows certain request parameters to bypass intended binding restrictions even after applying locale-independent lowercase...

Security Bulletin: Vulnerabilities in old Spring Framework versions affect watsonx.data

Summary In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of...

Security Bulletin: Vulnerabilities in old Spring Framework versions, made disallowedFields patterns in DataBinder case insensitive, affect watsonx.data

Summary In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of...

GHSA-6R3C-XF4W-JXJM Spring Framework vulnerable to a reflected file download (RFD)

Description In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download RFD attack when it sets a “Content-Disposition” header with a non-ASCII charset, where the filename attribute is derived from user-supplied input...

Spring Framework vulnerable to a reflected file download (RFD)

Description In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download RFD attack when it sets a “Content-Disposition” header with a non-ASCII charset, where the filename attribute is derived from user-supplied input...

VMware Spring Framework 6.0.5 - 6.0.28, 6.1.0 - 6.1.20, 6.2.0 - 6.2.7 RFD Vulnerability - Linux

The VMware Spring Framework is prone to a reflected file download RFD vulnerability. SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...