
1876 matches found

vulnersOsv
added 2025/04/22 12:0 a.m. · 6 views

com.almis.awe:awe-annotation (>=4.10.11 <=4.11.2), com.almis.awe:awe-annotations-spring-boot-starter (>=4.10.11 <=4.11.2) +152 more potentially affected by CVE-2025-22228 +1 more via org.springframework.security:spring-security-crypto (=6.3.8)

org.springframework.security:spring-security-crypto MAVEN version =6.3.8 is affected by a known vulnerability. The following packages have a transitive dependency on org.springframework.security:spring-security-crypto and may be impacted: - com.almis.awe:awe-annotation =4.10.11, =4.10.11, =4.10.1...

CVSS 7.4 · AI score 7.3 · EPSS 0.00568
Exploits: 0
Positive Technologies
added 2025/04/16 12:0 a.m. · 12 views

PT-2025-33358

Name of the Vulnerable Software and Affected Versions: Spring Framework MVC applications affected versions not specified Description: Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container. This issue occurs when...

CVSS 5.9 · AI score 6.4 · EPSS 0.01916
Exploits: 1 · References: 21
IBM Security Bulletins
added 2025/04/15 3:17 a.m. · 43 views

Security Bulletin: IBM Observability with Instana for Synthetic PoP is affected by Multiple Security Vulnerabilities

Summary Multiple vulnerabilities were addressed in IBM Observability with Instana for Synthetic PoP build 286 Vulnerability Details CVEID:CVE-2023-37920 DESCRIPTION: An unspecified error with the removal of e-Tugra root certificate in Certifi has an unknown impact and attack vector. CWE:CWE-345:...

CVSS 9.8 · AI score 9.3 · EPSS 0.54862
Exploits: 12 · Affected Software: 1
IBM Security Bulletins
added 2025/04/15 2:48 a.m. · 75 views

Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for September and October 2024.

Summary Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation 21.0.3-IF037 and 24.0.0-IF003. Vulnerability Details CVEID:CVE-2024-39249 DESCRIPTION: Async is vulnerable to a denial of service, caused by the ReDoS Regular Expression Denial of Service while...

CVSS 8.5 · AI score 9.9 · EPSS 0.91969
Exploits: 1 · Affected Software: 2
Gitee
added 2025/04/09 7:46 p.m. · 145 views

Exploit for CVE-2024-38819

This is a proof-of-concept PoC exploit for CVE-2024-38819, a high-risk path traversal vulnerability in the Spring Framework. The vulnerability allows an attacker to access sensitive files on the server by constructing a malicious HTTP request with a specially crafted path. The PoC code is a simpl...

CVSS 7.5 · AI score 6.5 · EPSS 0.54862
Exploits: 6
IBM Security Bulletins
added 2025/04/03 5:26 p.m. · 28 views

Security Bulletin: Multiple vulnerabilities in Spring and Xstream affect IBM Tivoli Network Configuration Manager

Summary Multiple vulnerabilities in Spring and Xstream affect IBM Tivoli Network Configuration Manager ITNCM IP Edition v6.4.2. Vulnerability Details CVEID:CVE-2024-38819 DESCRIPTION: Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are...

CVSS 7.5 · AI score 8.4 · EPSS 0.54862
Exploits: 8 · Affected Software: 1
IBM Security Bulletins
added 2025/03/28 7:59 p.m. · 18 views

Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in VMware Tanzu Spring Framework

Summary Multiple vulnerabilities in VMware Tanzu Spring Framework that is used by InfoSphere Information Server were addressed. Vulnerability Details CVEID:CVE-2024-38820 DESCRIPTION: VMware Tanzu Spring Framework could provide weaker than expected security, caused by a flaw related to...

CVSS 5.3 · AI score 7.3 · EPSS 0.00858
Exploits: 1 · Affected Software: 1
IBM Security Bulletins
added 2025/03/26 3:54 a.m. · 63 views

Security Bulletin: IBM i Modernization Engine for Lifecycle Integration is vulnerable to multiple vulnerabilities

Summary There are multiple vulnerabilities in components of IBM i Modernization Engine for Lifecycle Integration as described in the Vulnerability Details section. Google Guava and Apache James MIME4J could allow a local authenticated attacker to obtain sensitive information. Pivotal Spring...

CVSS 9.8 · AI score 9.2 · EPSS 0.32257
Exploits: 4 · Affected Software: 1
Spring Security Advisories
added 2025/03/25 12:0 a.m. · 5 views

This Week in Spring - March 25th, 2025

Hi, Spring fans! Welcome to another installment of This Week in Spring! This week, I’m in Portland, OR, then I'm off to Austin, TX for the Arc of AI show, and then I'm off to Amsterdam for Voxxed Days Amsterdam! If you're around, be sure to say hi! There's a ton of cool stuff to look at, so witho...

AI score 7.4
Exploits: 0
Spring Security Advisories
added 2025/03/18 12:0 a.m. · 10 views

This Week in Spring – March 18th, 2025

Hi, Spring fans! I just got back from the amazing JavaOne show held in Redwood Shores. It was a fun, uproarious event and a great chance to reconnect with tons of friends, old and new. I love this community! One of the central highlights of this show? Java 24 is here, finally! And, as usual, we'v...

AI score 7.2
Exploits: 0
Atlassian
added 2025/03/12 3:10 a.m. · 29 views

Path Traversal (Arbitrary Read/Write) org.springframework:spring-webmvc Dependency in Jira Service Management Data Center and Server

This High severity org.springframework:spring-webmvc Dependency vulnerability was introduced in versions 5.12.0 Jira Service Management Data Center and Server. This org.springframework:spring-webmvc Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

CVSS 7.5 · AI score 6.5 · EPSS 0.54862
Exploits: 6
Spring Security Advisories
added 2025/03/11 12:0 a.m. · 9 views

This Week in Spring - March 11th, 2025

Hi, Spring fans! Welcome to another installment of This Week in Spring! It's a busy week as always, fresh off the rush that was Devnexus and busily preparing for the fun that is JavaOne! It's going to be epic! Want to learn about dependency injection, auto-configuration, Spring Framework, Spring...

AI score 7.3
Exploits: 0
Spring Security Advisories
added 2025/03/10 12:0 a.m. · 12 views

Null Safety in Spring applications with JSpecify and NullAway

The initial introduction of the null safety support in Spring dates back to 2017 and the release of Spring Framework 5.0. In 2025, we are evolving that story to bring more added value for Spring developers, either in Java or Kotlin. But before having a deeper look at the changes we are working on...

AI score 7.2
Exploits: 0
Gitee
added 2025/03/07 2:11 p.m. · 113 views

Exploit for CVE-2024-38819

CVE-2024-38819: Proof of Concept PoC This is a proof of concept for the CVE-2024-38819 vulnerability, which I reported, demonstrating a path traversal exploit. Execution Steps 1. Build the Docker image Spring Boot 3.3.4, based on Spring Framework 6.1.13 cd vuln docker build -t cve-2024-38819-poc...

CVSS 7.5 · AI score 7.6 · EPSS 0.54862
Exploits: 6
Tenable Nessus
added 2025/03/05 12:0 a.m. · 14 views

Linux Distros Unpatched Vulnerability : CVE-2024-38808

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In Spring Framework versions 5.3.0 - 5.3.38 and older unsupported versions, it is possible for a user to provide a specially crafted Spring Expression Language...

CVSS 4.3 · AI score 6.8 · EPSS 0.00536
Exploits: 0 · References: 3
Tenable Nessus
added 2025/03/04 12:0 a.m. · 13 views

Linux Distros Unpatched Vulnerability : CVE-2014-0225

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by...

CVSS 8.8 · AI score 6.9 · EPSS 0.01696
Exploits: 0 · References: 1
Tenable Nessus
added 2025/03/04 12:0 a.m. · 9 views

Linux Distros Unpatched Vulnerability : CVE-2013-6429

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which...

CVSS 6.8 · AI score 7.3 · EPSS 0.90455
Exploits: 2 · References: 1
IBM Security Bulletins
added 2025/03/03 1:29 p.m. · 15 views

Security Bulletin: Vulnerability in Spring Framework affects IBM SPSS Collaboration and Deployment Services (CVE-2023-20863)

Summary Vulnerability in Spring Framework affects IBM SPSS Collaboration and Deployment Services CVE-2023-20863 Vulnerability Details CVEID:CVE-2023-20863 DESCRIPTION: In spring framework versions prior to 5.2.24 release+, 5.3.27+ and 6.0.8+, it is possible for a user to provide a specially...

CVSS 6.5 · AI score 6.1 · EPSS 0.01122
Exploits: 0 · Affected Software: 1
IBM Security Bulletins
added 2025/02/27 5:3 p.m. · 14 views

Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a denial of service in Spring Framework [CVE-2024-38809]

Summary IBM Watson Speech Services Cartridge is vulnerable to a denial of service in Spring Framework, caused by improper input validation CVE-2024-38809. Spring Framework is used by our Speech Microservices. This vulnerability has been addressed. Please read the details for remediation below...

CVSS 5.3 · AI score 6.8 · EPSS 0.00858
Exploits: 0 · Affected Software: 1
IBM Security Bulletins
added 2025/02/27 4:58 p.m. · 19 views

Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a security weakness in Spring Framework [CVE-2024-38820]

Summary IBM Watson Speech Services Cartridge is vulnerable to a security weakness in Spring Framework, caused by a flaw related to disallowedFields patterns in DataBinder is case insensitive CVE-2024-38820. Spring Framework is used by our Speech Microservices. This vulnerability has been...

CVSS 5.3 · AI score 6.2 · EPSS 0.00631
Exploits: 1 · Affected Software: 1