1876 matches found

Spring Security Advisories
added 2024/10/07 12:00 a.m., 8 views

From Spring Cloud Data Flow 2.11.x to 3.0

Dear Spring Community, With the recent announcement of Spring Framework 7.0 and Spring Boot 4.0, the Spring Cloud Data Flow team is pleased to announce the next major release, SCDF 3.0, to align with both Spring Framework 7.0 and Spring Boot 4.0. This will bring the following SCDF ecosystem of...

AI score 7.2
Exploits 0
IBM Security Bulletins
added 2024/10/04 6:44 a.m., 26 views

Security Bulletin: IBM Operational Decision Manager for Sep 2024 - Multiple CVEs addressed

Summary IBM Operational Decision Manager is vulnerable to multiple remote code execution and denial of service attacks in third-party and open source components used in the product for various functions. See full list below. The vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2024-38808...

CVSS 5.3, AI score 8.2, EPSS 0.00858
Exploits 0, Affected Software 1
IBM Security Bulletins
added 2024/10/03 12:51 p.m., 25 views

Security Bulletin: IBM Sterling Control Center v6.2.1 and v6.3.1 are vulnerable and reported in [All] Spring Framework.

Summary Security Bulletin: Sterling Control Center v6.2.1 and v6.3.1 are vulnerable in All Spring Framework to CVE-2024-22233, a publicly disclosed vulnerability. Vulnerability Details CVEID:CVE-2024-22233 DESCRIPTION: VMware Tanzu Spring Framework is vulnerable to a denial of service, caused by a...

CVSS 7.5, AI score 7.5, EPSS 0.01048
Exploits 0, Affected Software 1
Spring Security Advisories
added 2024/10/01 12:00 a.m., 4 views

From Spring Framework 6.2 to 7.0

Dear Spring community, Spring Framework 6.2 is shaping up for general availability in November 2024, with particularly significant revisions in the core container and in our web support: see "What's New in Spring Framework 6.2". This release is designed for use with JDK 17-23 and Jakarta EE 9-10...

AI score 7.2
Exploits 0
OSV
added 2024/09/24 6:34 p.m., 1 view

GHSA-2RMJ-MQ67-H97G Spring Framework DoS via conditional HTTP request

Description Applications that parse ETags from If-Match or If-None-Match request headers are vulnerable to a DoS attack. Affected Spring Products and Versions org.springframework:spring-web in versions 6.1.0 through 6.1.11, 6.0.0 through 6.0.22, 5.3.0 through 5.3.37. Older, unsupported versions are al...

CVSS 5.3, AI score 6.8, EPSS 0.00858
Exploits 0, References 7
Github Security Blog
added 2024/09/24 6:34 p.m., 55 views

Spring Framework DoS via conditional HTTP request

Description Applications that parse ETags from If-Match or If-None-Match request headers are vulnerable to a DoS attack. Affected Spring Products and Versions org.springframework:spring-web in versions 6.1.0 through 6.1.11, 6.0.0 through 6.0.22, 5.3.0 through 5.3.37. Older, unsupported versions are al...

CVSS 5.3, AI score 6.7, EPSS 0.00858
Exploits 0, References 7, Affected Software 1
OpenVAS
added 2024/09/24 12:00 a.m., 30 views

VMware Spring Framework < 5.3.40, 6.0.x < 6.0.24, 6.1.x < 6.1.13 Path Traversal Vulnerability - Linux

The VMware Spring Framework is prone to a path traversal vulnerability. SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from referenced sources, and are Copyright (C) the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...

CVSS 7.5, AI score 7.5, EPSS 0.14718
Exploits 1, References 3
OpenVAS
added 2024/09/24 12:00 a.m., 69 views

VMware Spring Framework < 5.3.40, 6.0.x < 6.0.24, 6.1.x < 6.1.13 Path Traversal Vulnerability - Windows

The VMware Spring Framework is prone to a path traversal vulnerability. SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from referenced sources, and are Copyright (C) the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...

CVSS 7.5, AI score 7.5, EPSS 0.14718
Exploits 1, References 3
BDU FSTEC
added 2024/09/23 12:00 a.m., 3 views

The vulnerability in the functional web frameworks WebMvc.fn and WebFlux.fn of the Spring Framework arises from incorrect restriction of path names to a restricted directory. This allows attackers to gain access to any file in the file system.

The vulnerability in the functional web frameworks WebMvc.fn and WebFlux.fn of the Spring Framework is related to an incorrect restriction of the path name to a restricted directory. Exploiting this vulnerability could allow a malicious actor, operating remotely, to gain access to any file in t...

CVSS 7.8, AI score 7, EPSS 0.14718
Exploits 1, References 3, Affected Software 1
IBM Security Bulletins
added 2024/09/18 8:14 p.m., 34 views

Security Bulletin: Vulnerability in Spring Framework affects IBM watsonx.data

Summary Spring Framework running on Tomcat as a WAR deployment with JDK 9 or higher using spring-webmvc or spring-webflux could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of PropertyDescriptor objects used with data binding. This may affect IB...

CVSS 9.8, AI score 8.7, EPSS 0.99677
Exploits 100, Affected Software 1
Tenable Nessus
added 2024/09/18 12:00 a.m., 197 views

Spring Framework < 5.3.40 / 6.0.x < 6.0.24 / 6.1.x < 6.1.13 Path Traversal (CVE-2024-38816)

The remote host contains a Spring Framework version that is affected by a path traversal vulnerability. Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain...

CVSS 7.5, AI score 7.2, EPSS 0.14718
Exploits 1, References 2
Spring Security Advisories
added 2024/09/17 12:00 a.m., 23 views

This Week in Spring - September 17th, 2024

Hi, Spring fans! Last week I was in scintillating Seoul, Korea, and then tantalizing Tokyo, Japan, and now I'm in marvelous Mumbai, India, at the airport, actually, headed to New Delhi, India. It's been a busy week for me and even busier a week for the community, so let's dive into it! Java 23 i...

CVSS 7.5, AI score 7.4, EPSS 0.14718
Exploits 1
OSV
added 2024/09/13 6:30 a.m., 3 views

GHSA-CX7F-G6MP-7HQM Path traversal vulnerability in functional web frameworks

Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application...

CVSS 7.5, AI score 6.8, EPSS 0.14718
Exploits 1, References 5
CNNVD
added 2024/09/13 12:00 a.m., 4 views

VMware Spring Framework security vulnerability

VMware Spring Framework is a set of open source Java and Java EE application frameworks from VMware. The framework helps developers build high-quality applications. A security vulnerability exists in VMware Spring Framework that stems from the presence of a directory traversal vulnerability that coul...

CVSS 7.5, AI score 7.2, EPSS 0.14718
Exploits 1, References 4
Positive Technologies
added 2024/09/12 12:00 a.m., 5 views

PT-2024-6332

Name of the Vulnerable Software and Affected Versions: Spring Framework versions 5.3.0 through 5.3.39; Spring Framework versions 6.0.0 through 6.0.23; Spring Framework versions 6.0.24 through 6.1.12; Spring Framework versions 6.1.13 and earlier. Description: The vulnerability is related to path travers...

CVSS 7.8, AI score 7.6, EPSS 0.14718
Exploits 1, References 82
RedHat Linux
added 2024/09/09 5:17 p.m., 3 views

spring-expression: Denial of service when processing a specially crafted Spring Expression Language expression

A flaw was found in the Spring framework package. A maliciously crafted Spring Expression Language (SpEL) expression may trigger uncontrolled CPU usage, leading to a denial of service in the application consuming it. To be considered vulnerable, an application has to evaluate user-supplied SpEL expressions...

CVSS 4.3, AI score 7.2, EPSS 0.00536
Exploits 0, References 5
Spring Security Advisories
added 2024/08/29 12:00 a.m., 15 views

Spring Boot CDS support and Project Leyden anticipation

How can Spring Boot developers improve the runtime efficiency of their applications with minimal constraints in order to enjoy those benefits on most applications? The answer is the CDS support introduced by Spring Boot 3.3 which allows you to start your Spring Boot applications faster and consum...

AI score 7.2
Exploits 0
Tenable Nessus
added 2024/08/23 12:00 a.m., 44 views

Spring Framework < 5.3.39 Spring Expression DoS (CVE-2024-38808)

The remote host contains a Spring Framework version prior to 5.3.39. It is, therefore, affected by a Spring expression DoS vulnerability: - In Spring Framework versions 5.3.0 - 5.3.38 and older unsupported versions, it is possible for a user to provide a specially crafted Spring Expression Langua...

CVSS 4.3, AI score 7, EPSS 0.00536
Exploits 0, References 2
Tenable Nessus
added 2024/08/23 12:00 a.m., 56 views

Spring Framework < 5.3.39 / 6.0.x < 6.0.23 / 6.1.x < 6.1.12 HTTP Request DoS (CVE-2024-38809)

The remote host contains a Spring Framework version prior to 5.3.39, 6.0.x prior to 6.0.23, or 6.1.x prior to 6.1.12. It is, therefore, affected by an HTTP Request DoS vulnerability: - Applications that parse ETags from 'If-Match' or 'If-None-Match' request headers are vulnerable to a DoS attack...

CVSS 5.3, AI score 6.8, EPSS 0.00858
Exploits 0, References 2
RedhatCVE
added 2024/08/20 6:10 p.m., 23 views

CVE-2024-38808

A flaw was found in the Spring framework package. A maliciously crafted Spring Expression Language (SpEL) expression may trigger uncontrolled CPU usage, leading to a denial of service in the application consuming it. To be considered vulnerable, an application has to evaluate user-supplied SpEL expressions...

CVSS 5.9, AI score 6.5, EPSS 0.00536
Exploits 0, References 4