Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in spring-security-core-6.4.5.jar

Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of spring-security-core-6.4.5.jar Vulnerability Details CVEID:CVE-2025-41232 DESCRIPTION: Spring Security Aspects may not correctly locate method security annotations on private methods. This can cause an authorization bypass...

Linux Distros Unpatched Vulnerability : CVE-2018-1199

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Spring Security Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3...

Linux Distros Unpatched Vulnerability : CVE-2016-5007

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping...

Linux Distros Unpatched Vulnerability : CVE-2022-22976

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the...

Linux Distros Unpatched Vulnerability : CVE-2022-22978

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In spring security versions prior to 5.4.11+, 5.5.7+ , 5.6.4+ and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on...

This Week in Spring - August 19th, 2025

Hi, Spring fans! Welcome to another extra special installment of This Week in Spring - special because the next installment will be delivered from the floors of the Ventian where the extraordinairily awesome SpringOne 2025 event will take place! So, some poetry: T’was the Week Before SpringOne...

Linux Distros Unpatched Vulnerability : CVE-2022-31692

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Spring Security, versions 5.7 prior to 5.7.5 and 5.6 prior to 5.6.9 could be susceptible to authorization rules bypass via forward or include dispatcher types...

Linux Distros Unpatched Vulnerability : CVE-2023-20860

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismat...

Linux Distros Unpatched Vulnerability : CVE-2025-22235

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - EndpointRequest.to creates a matcher for null/ if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed. Your...

Security Bulletin: Vulnerability with spring-security-crypto and jinja affect IBM Cloud Object Storage Systems (July 2025)

Summary Vulnerability with spring-security-crypto CVE-2025-22228 and jinja CVE-2025-27516 . This vulnerability has been addressed in the latest ClevOS release. Vulnerability Details CVEID:CVE-2025-22228 DESCRIPTION: BCryptPasswordEncoder.matchesCharSequence,String will incorrectly return true for...

A Bootiful Podcast: Spring Security lead Rob Winch on Spring Security 7.0, SpringOne 2025, and more

Hi, Spring fans! In this installment I'm joined by Spring Security lead Rob Winch to discuss the amazing new additions to Spring Security 7.0, coming in November of 2025, and the coverage you can expect when you see our talk at SpringOne 2025 have you registered - https://springone.io ?...

K000152799: Spring Security vulnerability CVE-2024-38810

Security Advisory Description Missing Authorization When Using @AuthorizeReturnObject in Spring Security 6.3.0 and 6.3.1 allows attacker to render security annotations inaffective. CVE-2024-38810 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Stat...

java-sec-code

This is an offensive tool for Java web applications. It is a collection of Java web common vulnerabilities and security code, based on Spring Boot and Spring Security. The repository contains various types of vulnerabilities, including actuators to RCE, command inject, CORS, CRLF injection, CSRF,...

Security Bulletin: Spring Security 6.4.0 - 6.4.3 may not correctly locate method security annotations. This may cause an authorization bypass, which affects IBM watsonx.data

Summary Spring Security 6.4.0 - 6.4.3 may not correctly locate method security annotations on parameterized types or methods. This may cause an authorization bypass. You are not affected if you are not using @EnableMethodSecurity, or you do not have method security annotations on parameterized...

This Week in Spring - July 22nd, 2025

Hi, Spring fans! It's almost SpringOne time!! AAAAH it's all moving so quickly! I can hardly stand it. SpringOne's next month, in lovely Las Vegas, and I'll be there. Will you? Have you registered? We'll be looking at the impending Spring Boot 4.0 and Spring Framework 7.0 releases! It's going to ...

Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in spring-security-core-5.8.5.jar

Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of spring-security-core-5.8.5.jar Vulnerability Details CVEID:CVE-2024-38827 DESCRIPTION: The usage of String.toLowerCase and String.toUpperCase has some Locale dependent exceptions that could potentially result in...

Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in spring-security-web-5.8.5.jar

Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of spring-security-web-5.8.5.jar Vulnerability Details CVEID:CVE-2024-38821 DESCRIPTION: Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstance...

Security Bulletin: Security Vulnerability in Authorization Rules in Spring Security Affects IBM Sterling B2B Integrator and IBM Sterling File Gateway (CVE-2024-38827)

Summary IBM Sterling B2B Integrator and IBM Sterling File Gateway have addressed the security vulnerability in Spring Security Vulnerability Details CVEID:CVE-2024-38827 DESCRIPTION: The usage of String.toLowerCase and String.toUpperCase has some Locale dependent exceptions that could potentially...

spring-security-core: Spring Security BCryptPasswordEncoder does not enforce maximum password length

A flaw was found in the spring-security-core password encoder. This vulnerability allows incorrect password matching via input manipulation...

spring-security-core: Spring Security BCryptPasswordEncoder does not enforce maximum password length

A flaw was found in the spring-security-core password encoder. This vulnerability allows incorrect password matching via input manipulation...