183 matches found
PT-2023-7931 · Spring · Spring Boot
Name of the Vulnerable Software and Affected Versions: Spring Boot versions 2.7.0 through 2.7.17 Spring Boot versions 3.0.0 through 3.0.12 Spring Boot versions 3.1.0 through 3.1.5 Description: The issue is related to the Spring Boot framework, where an application can be vulnerable to a...
Runtime efficiency with Spring (today and tomorrow)
With Spring Framework 6.1 and Spring Boot 3.2 general availability approaching, we would like to share an overview about several efforts the Spring team is pursuing to allow developers to optimize the runtime efficiency of their applications. We are going to cover the following technologies and u...
Amazon Linux 2 : tomcat (ALASTOMCAT8.5-2023-005)
The version of tomcat installed on the remote host is prior to 8.5.79-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2TOMCAT8.5-2023-005 advisory. A flaw was found in Spring Framework, specifically within two modules called Spring MVC and Spring WebFlux,...
Amazon Linux 2 : tomcat (ALASTOMCAT9-2023-004)
The version of tomcat installed on the remote host is prior to 9.0.65-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2TOMCAT9-2023-004 advisory. A flaw was found in Spring Framework, specifically within two modules called Spring MVC and Spring WebFlux, transitively...
Important: tomcat
Issue Overview: A flaw was found in Spring Framework, specifically within two modules called Spring MVC and Spring WebFlux, transitively affected from Spring Beans, using parameter data binding. This flaw allows an attacker to pass specially-constructed malicious requests to certain parameters an...
Important: tomcat
Issue Overview: A flaw was found in Spring Framework, specifically within two modules called Spring MVC and Spring WebFlux, transitively affected from Spring Beans, using parameter data binding. This flaw allows an attacker to pass specially-constructed malicious requests to certain parameters an...
spring-boot: Spring Boot Welcome Page DoS Vulnerability
A flaw was found in Spring Boot, occurring prominently in Spring MVC with a reverse proxy cache. This issue requires Spring MVC to have auto-configuration enabled and the application to use Spring Boot's welcome page support, either static or templated, resulting in the application being deployed...
Exploit for SQL Injection in Apache Log4J
CVE-2022-23305 Log4j JDBCAppender sql injection POC This is a...
Authorization Rule Misconfiguration
spring-security-config is vulnerable to Authorization Rule Misconfiguration. The vulnerability exists due to the lack of validation in the RequestMatcher of AbstractRequestMatcherRegistry.java when the application uses the requestMatchersString function with multiple servlets, one of them being...
Spring Security's authorization rules can be misconfigured when using multiple servlets
Spring Security versions 5.8 prior to 5.8.5, 6.0 prior to 6.0.5, and 6.1 prior to 6.1.2 could be susceptible to authorization rule misconfiguration if the application uses requestMatchersString and multiple servlets, one of them being Spring MVC’s DispatcherServlet. DispatcherServlet is a Spring...
CVE-2023-34035
Spring Security versions 5.8 prior to 5.8.5, 6.0 prior to 6.0.5, and 6.1 prior to 6.1.2 could be susceptible to authorization rule misconfiguration if the application uses requestMatchersString and multiple servlets, one of them being Spring MVC’s DispatcherServlet. DispatcherServlet is a Spring...
CVE-2023-34035
Spring Security versions 5.8 prior to 5.8.5, 6.0 prior to 6.0.5, and 6.1 prior to 6.1.2 could be susceptible to authorization rule misconfiguration if the application uses requestMatchersString and multiple servlets, one of them being Spring MVC’s DispatcherServlet. DispatcherServlet is a Spring...
CVE-2023-34035
Spring Security versions 5.8 prior to 5.8.5, 6.0 prior to 6.0.5, and 6.1 prior to 6.1.2 could be susceptible to authorization rule misconfiguration if the application uses requestMatchersString and multiple servlets, one of them being Spring MVC’s DispatcherServlet. DispatcherServlet is a Spring...
spring-boot: Spring Boot Welcome Page DoS Vulnerability
A flaw was found in Spring Boot, occurring prominently in Spring MVC with a reverse proxy cache. This issue requires Spring MVC to have auto-configuration enabled and the application to use Spring Boot's welcome page support, either static or templated, resulting in the application being deployed...
Denial Of Service (DoS)
spring-boot-autoconfigure is vulnerable to Denial Of Service DoS. The vulnerability is applicable when the application has Spring MVC auto-configuration enabled and uses the Spring Boot welcome page, which can be either static or templated, and the application is deployed behind a proxy which...
GHSA-XF96-W227-R7C4 Spring Boot Welcome Page Denial of Service
In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service DoS attack if Spring MVC is used together with a reverse proxy cache. Specifically, an application is vulnerable if all of the condition...
CVE-2023-20883
In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service DoS attack if Spring MVC is used together with a reverse proxy cache...
CVE-2023-20883
In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service DoS attack if Spring MVC is used together with a reverse proxy cache...
CVE-2023-20883
In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service DoS attack if Spring MVC is used together with a reverse proxy cache...
CVE-2023-20883
In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service DoS attack if Spring MVC is used together with a reverse proxy cache...