85 matches found
GHSA-VW83-H3MQ-3QWJ Path Traversal in Spring-integration-zip
Addresses partial fix in CVE-2018-1263. Spring-integration-zip, versions prior to 1.0.4, exposes an arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive affects other archives as well, bzip2, tar, xz, war, cpio, 7z, that holds path traversal filenames. So...
Exploit for Improper Authentication in Apache Shiro
Apache Shiro 两种姿势绕过认证分析(CVE-2020-17523) 0x01 漏洞描述 Apache Shiro是一个强大且易用的Java安全框架,执行身份验证、授权、密码和会话管理。使用Shiro的易于理解的API,您可以快速、轻松地获得任何应用程序,从最小的移动应用程序到最大的网络和企业应用程序。 当它和 Spring 结合使用时,在一定权限匹配规则下,攻击者可通过构造特殊的 HTTP 请求包完成身份认证绕过。 影响范围:Apache Shiro / | | 双反斜杠处理成反斜杠 | // - / | | 以/.或者/..结尾,则在结尾添加/ | /. - /./ /.....
Arbitrary File Rewrite
spring-integration-zip is vulnerable to an arbitrary file rewrite aka a zip slip vulnerability. An incomplete fix of CVE-2018-1263 allows an attacker to send a malicious zip archive bzip2, tar, xz, war, cpio, 7z with path traversal filenames, leading to writing of files outside of the target...
CVE-2021-22114
Addresses partial fix in CVE-2018-1263. Spring-integration-zip, versions prior to 1.0.4, exposes an arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive affects other archives as well, bzip2, tar, xz, war, cpio, 7z, that holds path traversal filenames. So...
CVE-2021-22114
Addresses partial fix in CVE-2018-1263. Spring-integration-zip, versions prior to 1.0.4, exposes an arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive affects other archives as well, bzip2, tar, xz, war, cpio, 7z, that holds path traversal filenames. So...
Path traversal
Addresses partial fix in CVE-2018-1263. Spring-integration-zip, versions prior to 1.0.4, exposes an arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive affects other archives as well, bzip2, tar, xz, war, cpio, 7z, that holds path traversal filenames. So...
CVE-2021-22114
Addresses partial fix in CVE-2018-1263. Spring-integration-zip, versions prior to 1.0.4, exposes an arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive affects other archives as well, bzip2, tar, xz, war, cpio, 7z, that holds path traversal filenames. So...
CVE-2021-22114
CVE-2021-22114 concerns a path-traversal vulnerability in Spring Integration Zip handling. Connected sources indicate that Spring-integration-zip versions prior to 1.0.4 expose an arbitrary file write vulnerability via specially crafted zip archives (also affecting other archive formats like tar,...
Spring-integration-zip 路径遍历漏洞
Spring Spring-integration-zip is Spring an open source application . Provides compression and decompression functionality A path traversal vulnerability exists in Spring-integration-zip versions prior to 1.0.4, which stems from an arbitrary file write vulnerability...
CVE-2020-17510
Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass...
Pivotal Software Spring Integration Code Issue Vulnerability
Pivotal Software Spring Integration is an enterprise integration pattern from Pivotal Software, USA. The product is designed to enable lightweight messaging in Spring-based applications and supports integration with tail systems via declarative adapters. A code issue vulnerability exists in Pivot...
cn.strongculture:prometheus-spring-boot-starter (=1.0.0), com.buession.springcloud.stream:buession-springcloud-stream-core (>=2.2.1 <=2.3.3) +105 more potentially affected by CVE-2020-5413 via org.springframework.integration:spring-integration-core (>=5.3.0.RELEASE <=5.3.1.RELEASE)
org.springframework.integration:spring-integration-core MAVEN version =5.3.0.RELEASE, =2.2.1, =2.2.1, =2.2.1, =2.2.1, =2.2.1, =2.2.1, =2.2.1, =2.2.1, =2.2.1, =2.2.1, =2.2.1, =2.2.1, =2.2.1, =2.3.3...
ai.hyacinth.framework:core-service-bus-support (=0.5.24), cc.cc4414:cc-spring-auth-server (=0.5.1) +406 more potentially affected by CVE-2020-5413 via org.springframework.integration:spring-integration-core (>=5.2.0.RELEASE <=5.2.7.RELEASE)
org.springframework.integration:spring-integration-core MAVEN version =5.2.0.RELEASE, =5.2.7.RELEASE is affected by a known vulnerability. The following packages have a transitive dependency on org.springframework.integration:spring-integration-core and may be impacted: -...
Code execution in Spring Integration
Spring Integration framework provides Kryo Codec implementations as an alternative for Java deserialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains malicious cod...
GHSA-86QR-9VQC-PGC6 Code execution in Spring Integration
Spring Integration framework provides Kryo Codec implementations as an alternative for Java deserialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains malicious cod...
com.alipay.sofa:tracer-sofa-boot-starter (>=3.1.0 <=3.1.2), com.pleosoft:pleosoft-spring-boot-starter (=1.0.5-RELEASE) +40 more potentially affected by CVE-2020-5413 via org.springframework.integration:spring-integration-core (>=5.1.0.RELEASE <=5.1.11.RELEASE)
org.springframework.integration:spring-integration-core MAVEN version =5.1.0.RELEASE, =3.1.0, =0.2.0.RELEASE, =2.23.0, =2.23.0, =2.1.0.RELEASE, =5.1.0.RELEASE, =5.1.0.RELEASE, =5.1.0.RELEASE, =5.1.0.RELEASE, =5.1.0.RELEASE, =5.1.0.RELEASE, =5.1.11.RELEASE - org.springframework.integration:spring...
br.jus.stf.digital:core (=0.1.0), cn.home1:spring-cloud-config-monitor (>=0.0.1 <=1.0.1.U1) +646 more potentially affected by CVE-2020-5413 via org.springframework.integration:spring-integration-core (>=4.3.0.RELEASE <=4.3.22.RELEASE)
org.springframework.integration:spring-integration-core MAVEN version =4.3.0.RELEASE, =0.0.1, =0.0.1, =A.1.0.0, =A.1.0.0, =A.1.1.0, =A.1.0.0, =A.1.1.0, =A.1.0.0, =A.1.0.0, =1.1.2-RELEASE, =1.1.2-RELEASE, =1.1.2-RELEASE, =1.1.2-RELEASE, =1.1.2-RELEASE, =1.1.12-RELEASE and more Source cves:...
CVE-2020-5413
Spring Integration framework provides Kryo Codec implementations as an alternative for Java deserialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains malicious cod...
CVE-2020-5413
Spring Integration framework provides Kryo Codec implementations as an alternative for Java deserialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains malicious cod...
Deserialization of untrusted data
Spring Integration framework provides Kryo Codec implementations as an alternative for Java deserialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains malicious cod...