Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a directory traversal in Spring Framework [CVE-2024-38819]

Summary IBM Watson Speech Services Cartridge is vulnerable to a directory traversal in Spring Framework, caused by improper validation of user request by the functional web frameworks WebMvc.fn or WebFlux.fn CVE-2024-38819. Spring Framework is used by our Speech Microservices. This vulnerabilitiy...

Security Bulletin: Vulnerabilities in VMware Tanzu Spring Framework affect watsonx.data

Summary VMware Tanzu Spring Framework is vulnerable to a denial of service attacks and this could affect watsonx.data. Vulnerability Details CVEID:CVE-2022-22950 DESCRIPTION: VMware Tanzu Spring Framework is vulnerable to a denial of service, caused by improper input validation. By sending a...

Security Bulletin: Vulnerability in Pivota Spring Framework affects watsonx.data

Summary Pivota Spring Framework could allow a remote attacker to execute arbitrary code on the system. This could affect watsonx.data. Vulnerability Details CVEID:CVE-2016-1000027 DESCRIPTION: Pivota Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by...

Security Bulletin: Multiple vulnerabilities in spring packaged with CMIS affect IBM Business Automation Workflow - CVE-2024-22262, CVE-2024-38809

Summary IBM Business Automation Workflow is vulnerable repackages a FileNet Content Manager's CMIS interface, which in turn repackages parts of a version of the Spring framework. Vulnerabilities have been reported for spring. Vulnerability Details CVEID:CVE-2024-22262 DESCRIPTION: VMware Tanzu...

Security Bulletin: spring-web-5.3.30.jar may affect SPSS Collaboration and Deployment Services (CVE-2024-22259)

Summary spring-web-5.3.30.jar may affect SPSS Collaboration and Deployment Services CVE-2024-22259 Vulnerability Details CVEID:CVE-2024-22262 DESCRIPTION: VMware Tanzu Spring Framework could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in...

This Week in Spring - February 4th, 2025

Hi, Spring fans! Welcome to another installment of This Week in Spring! It's February 4th, 2025, as I write this. We are ten days away from Valentine's day, and about a month away from Devnexus. Lots to look forward to, in both the short term and the long term! Let's dive right into this week's...

Security Bulletin: Due to the use of VMWare Tanzu Spring Framework, IBM DevOps Build is vulnerable to remote attacker to conduct phising attacks

Summary IBM DevOps Build 7.0.0.2 addresses CVE-2024-22259 by updating spring-web jar.. Vulnerability Details CVEID:CVE-2024-22259 DESCRIPTION: Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL e.g. through a query parameter AND perform validation...

Security Bulletin: Vulnerability in VMware Tanzu Spring Framework affects watsonx.data

Summary VMware Tanzu Spring Framework is vulnerable to a denial of service attack, which could affect watsonx.data. Vulnerability Details CVEID:CVE-2024-38809 DESCRIPTION: VMware Tanzu Spring Framework is vulnerable to a denial of service, caused by improper input validation. By sending a special...

Security Bulletin: Vulnerability in VMware Tanzu Spring Framework affects watsonx.data

Summary VMware Tanzu Spring Framework is vulnerable to a denial of service attack and this could affect watsonx.data. Vulnerability Details CVEID:CVE-2024-38808 DESCRIPTION: VMware Tanzu Spring Framework is vulnerable to a denial of service, caused by improper input validation. By sending a...

Security Bulletin: IBM Maximo Application Suite - AI Broker Component component uses spring-webflux-6.1.13.jar which is vulnerable to this CVE-2024-38819

Summary Security Bulletin: IBM Maximo Application Suite - AI Broker Component component uses spring-webflux-6.1.13.jar which is vulnerable to this CVE-2024-38819. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2024-38819 DESCRIPTION...

Security Bulletin: Vulnerability in Spring Framework affects IBM Tivoli Application Dependency Discovery Manager (CVE-2024-38808,CVE-2024-38809).

Summary Vulnerability in Spring Framework affects IBM Tivoli Application Dependency Discovery Manager CVE-2024-38808,CVE-2024-38809. IBM has addressed the vulnerabilities. Vulnerability Details CVEID:CVE-2024-38809 DESCRIPTION: VMware Tanzu Spring Framework is vulnerable to a denial of service,...

Security Bulletin: IBM InfoSphere Information Server is affected by a vulnerability in VMware Tanzu Spring Framework (CVE-2024-38808)

Summary A vulnerability in VMware Tanzu Spring Framework that is used by InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2024-38808 DESCRIPTION: VMware Tanzu Spring Framework is vulnerable to a denial of service, caused by improper input validation. By sending a...

Spring Framework 5.3.x < 5.3.40 / 6.0.x < 6.0.24 / 6.1.x < 6.1.13 Path Traversal

Spring Framework versions 5.3.x prior to 5.3.40, 6.0.x prior to 6.0.24 and 6.1.x prior to 6.1.13 are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is...

This Week in Spring - January 28th, 2025

Hi, Spring fans! Welcome to another rip-roarin' and exciting installment of This Week in Spring , wherein we look at the amazing week that was in the Spring community. And what a week it's been! In addition to tons of cool tooling and AI related stuff, this week saw the release of the first steps...

Oracle Identity Manager (January 2025 CPU)

The 12.2.1.4.0 versions of Identity Manager installed on the remote host are affected by multiple vulnerabilities as referenced in the January 2025 CPU advisory. - Vulnerability in the Oracle Identity Manager product of Oracle Fusion Middleware component: Installer Spring Framework. The supported...

Exploit for CVE-2024-38821

CVE-2024-38821: Proof of Concept PoC: Authentication Bypass...

Hello DCO, Goodbye CLA: Simplifying Contributions to Spring

The Spring team will be rolling out a simplified contribution process that replaces the requirement to sign a Contributor License Agreement CLA with a Developer Certificate of Origin DCO. The process will start this week with Spring Framework, Spring Security, & Spring Boot and then roll out to t...

A Bootiful Podcast: Intact's Luke Shannon

Hi, Spring fans! and happy holidays! in this installment I talk to Intact's Luke Shannon about their use of Spring, developer portals, and so much more...

GHSA-G5VR-RGQM-VF78 Spring Framework Path Traversal vulnerability

Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application...

Spring Framework Path Traversal vulnerability

Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application...