
1166 matches found

Spring Engineering
added 2025/03/11 12:00 a.m., 9 views

This Week in Spring - March 11th, 2025

Hi, Spring fans! Welcome to another installment of This Week in Spring! It's a busy week as always, fresh off the rush that was Devnexus and busily preparing for the fun that is JavaOne! It's going to be epic! Want to learn about dependency injection, auto-configuration, Spring Framework, Spring...

AI score 7.3
Exploits 0
IBM Security Bulletins
added 2025/02/27 4:55 p.m., 15 views

Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a security restrictions bypass in Spring Security [CVE-2024-38827]

Summary: IBM Watson Speech Services Cartridge is vulnerable to a security restrictions bypass in Spring Security, caused by a locale-dependent exceptions issue in the usage of the String.toLowerCase and String.toUpperCase functions (CVE-2024-38827). VMware Tanzu Spring Security is used by our Speech...

CVSS 4.8, AI score 6.2, EPSS 0.00399
Exploits 0, Affected Software 1
IBM Security Bulletins
added 2025/02/27 1:26 p.m., 13 views

Security Bulletin: Vulnerability in Spring WebFlux affects watsonx.data

Summary: Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances. This can affect watsonx.data. Vulnerability Details: CVEID: CVE-2024-38821. DESCRIPTION: Spring WebFlux applications that have Spring Security...

CVSS 9.1, AI score 6.2, EPSS 0.1309
Exploits 2, Affected Software 1
RedhatCVE
added 2025/02/05 11:43 p.m., 10 views

CVE-2022-41923

Grails Spring Security Core plugin is vulnerable to privilege escalation. The vulnerability allows an attacker access to one endpoint (the targeted endpoint) using the authorization requirements of a different endpoint (the donor endpoint). In some Grails framework applications, access to t...

CVSS 9.8, AI score 7.1, EPSS 0.00354
Exploits 0, References 1
IBM Security Bulletins
added 2025/01/28 10:08 p.m., 21 views

Security Bulletin: IBM Maximo Application Suite - AI Broker Component uses spring-security-web-6.3.3.jar which is vulnerable to this CVE-2024-38821

Summary: IBM Maximo Application Suite - AI Broker Component uses spring-security-web-6.3.3.jar, which is vulnerable to CVE-2024-38821. This bulletin contains information regarding the vulnerability and its fix. Vulnerability Details: CVEID: CVE-2024-38821. DESCRIPTION: VMwa...

CVSS 9.1, AI score 6.4, EPSS 0.1309
Exploits 2, Affected Software 1
Spring Engineering
added 2025/01/21 12:00 a.m., 6 views

This Week in Spring - January 21st, 2025

Hi, Spring fans! Welcome to another rip-roaring installment of This Week in Spring! It's time to dive into this week's wondrous roundup! Good news, everybody! Spring Cloud AWS 3.3.0 is available! A neat video on stored procedures in Spring A very interesting article on the flow diagrams for Sprin...

AI score 7.2
Exploits 0
Spring Engineering
added 2025/01/06 12:00 a.m., 9 views

Hello DCO, Goodbye CLA: Simplifying Contributions to Spring

The Spring team will be rolling out a simplified contribution process that replaces the requirement to sign a Contributor License Agreement (CLA) with a Developer Certificate of Origin (DCO). The process will start this week with Spring Framework, Spring Security, & Spring Boot and then roll out to t...

AI score 7.2
Exploits 0
Veracode
added 2024/12/30 11:27 a.m., 12 views

Authorization Bypass

org.springframework.security is vulnerable to Authorization Bypass. The vulnerability is due to improper handling of locale-dependent exceptions in String.toLowerCase and String.toUpperCase, which could lead to authorization rules not functioning as intended...

CVSS 4.8, AI score 4.9, EPSS 0.00399
Exploits 0, References 7, Affected Software 1
Spring Engineering
added 2024/12/10 12:00 a.m., 4 views

This Week in Spring - December 10th, 2024

Hi, Spring fans! Welcome to another installment of This Week in Spring! As I write this I am in the southern hemisphere (it's summer down here!), in Brisbane, waiting to board a plane for Sydney. It's been a ton of fun! I did a video looking at the latest-and-greatest in Spring Framework 6.2 - chec...

AI score 7.1
Exploits 0
Spring Engineering
added 2024/12/05 12:00 a.m., 24 views

A Bootiful Podcast: Spring Security lead Rob Winch on the amazing Spring Security 6.4 release

Hi, Spring fans! In this installment, we'll talk to the amazing Rob Winch, lead of Spring Security 6.4, about the jam-packed new release! spring springboot security java...

AI score 7.1
Exploits 0
vulnersOsv
added 2024/12/02 3:31 p.m., 3 views

be.personify.iam:personify-frontend (>=1.5.1.RELEASE <=1.5.2.RELEASE), br.com.nitertech:jwt (>=1.1.4.2 <=1.1.5) +723 more potentially affected by CVE-2024-38827 via org.springframework.security:spring-security-core (>=6.1.0 <=6.1.1)

org.springframework.security:spring-security-core MAVEN version =6.1.0, =1.5.1.RELEASE, =1.1.4.2, =3.0.6.4, =3.0.6.4, =3.0.6.4, =3.0.6.4, =3.0.6.4, =3.0.6.4, =3.0.6.4, =4.0.1, =4.0.1, =4.0.1, =4.0.1, =4.0.1, =4.0.5 and more Source cves: CVE-2024-38827 Source advisory: OSV:GHSA-Q3V6-HM2V-PW99...

CVSS 4.8, AI score 6.7, EPSS 0.00399
Exploits 0
vulnersOsv
added 2024/12/02 3:31 p.m., 4 views

cc.chensoul.nacos:nacos-distribution (=2.5.2), cn.sparrowmini:sparrow-org-service (=0.0.1) +606 more potentially affected by CVE-2024-38827 via org.springframework.security:spring-security-core (>=5.8.0 <=5.8.15)

org.springframework.security:spring-security-core MAVEN version =5.8.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =1.48.0, =1.48.0, =1.48.0, =2.4.0, =2.4.0, =2.4.0, =2.6.0 and more Source cves: CVE-2024-38827 Source advisory: OSV:GHSA-Q3V6-HM2V-PW99...

CVSS 4.8, AI score 6.7, EPSS 0.00399
Exploits 0
vulnersOsv
added 2024/12/02 3:31 p.m., 5 views

ai.langsa:ccaas-starter (>=cloud-0.1 <=cloud-0.3), ai.langsa:pom-ccaas-langsa (=0.1) +2385 more potentially affected by CVE-2024-38827 via org.springframework.security:spring-security-core (>=6.3.0 <=6.3.4)

org.springframework.security:spring-security-core MAVEN version =6.3.0, =cloud-0.1, =1.3.0, =1.0.0, =1.0.0, =0.0.1, =1.0.42, =1.0.45 and more Source cves: CVE-2024-38827 Source advisory: OSV:GHSA-Q3V6-HM2V-PW99...

CVSS 4.8, AI score 6.7, EPSS 0.00399
Exploits 0
vulnersOsv
added 2024/12/02 3:31 p.m., 5 views

app.valuationcontrol:library (>=0.5.2 <=0.5.6), app.valuationcontrol:webservice (>=0.5.0 <=0.5.1) +2196 more potentially affected by CVE-2024-38827 via org.springframework.security:spring-security-core (>=6.2.0 <=6.2.7)

org.springframework.security:spring-security-core MAVEN version =6.2.0, =0.5.2, =0.5.0, =7.0.0, =1.0.0, =1.0.1, =1.0.1, =1.0.1, =1.0.1, =1.0.1, =1.0.1, =1.0.1, =1.0.1, =1.0.1, =1.0.6, =1.0.31 and more Source cves: CVE-2024-38827 Source advisory: OSV:GHSA-Q3V6-HM2V-PW99...

CVSS 4.8, AI score 6.7, EPSS 0.00399
Exploits 0
vulnersOsv
added 2024/12/02 3:31 p.m., 5 views

be.jidoka:jdk-keycloak-admin (=2.0.0), br.com.devires.framework.boot:devires-framework-boot-audit (=1.1.0) +694 more potentially affected by CVE-2024-38827 via org.springframework.security:spring-security-core (>=6.0.0 <=6.0.1)

org.springframework.security:spring-security-core MAVEN version =6.0.0, =1.1.0, =1.1.0, =0.12.0, =0.12.0, =0.12.0, =0.13.0, =3.0.1.0, =3.0.1.0, =3.0.1.0, =3.0.1.0, =3.0.1.0, =3.0.1.0, =2023.0.0.2-alpha.1, =2023.0.0.2-alpha.2 and more Source cves: CVE-2024-38827 Source advisory:...

CVSS 4.8, AI score 6.7, EPSS 0.00399
Exploits 0
vulnersOsv
added 2024/12/02 3:31 p.m., 5 views

africa.absa:inception-api (>=1.0.0 <=1.2.0), africa.absa:inception-codes-api (>=1.0.0 <=1.2.0) +9308 more potentially affected by CVE-2024-38827 via org.springframework.security:spring-security-core (>=2.0.0 <=5.7.13)

org.springframework.security:spring-security-core MAVEN version =2.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =4.4.0.0, =0.1.8, =0.1.6, =0.1.7 and more Source cves: CVE-2024-38827 Source advisory: OSV:GHSA-Q3V6-HM2V-PW99...

CVSS 4.8, AI score 6.7, EPSS 0.00399
Exploits 0
Cvelist
added 2024/12/02 2:32 p.m., 46 views

CVE-2024-38827 Spring Security Authorization Bypass for Case Sensitive Comparisons

The usage of String.toLowerCase and String.toUpperCase has some locale-dependent exceptions that could potentially result in authorization rules not working properly...

CVSS 4.8, EPSS 0.00399
Exploits 0, References 1
CNNVD
added 2024/12/02 12:00 a.m., 3 views

VMware Spring Security security vulnerability

VMware Spring Security is a security framework from VMware, Inc. that provides declarative security protection for Spring-based applications. A security vulnerability exists in VMware Spring Security that stems from a number of locale-dependent exceptions in the language environment...

CVSS 4.8, AI score 6.3, EPSS 0.00399
Exploits 0, References 6
IBM Security Bulletins
added 2024/11/26 9:40 a.m., 56 views

Security Bulletin: Multiple security vulnerabilities are addressed with IBM Process Mining Interim Fix for Nov 2024

Summary: In addition to many updates of operating system level packages, the following security vulnerabilities are addressed with IBM Process Mining 1.15.0 IF004. Vulnerability Details: CVEID: CVE-2024-38821. DESCRIPTION: VMware Tanzu Spring Security could allow a remote attacker to bypass security...

CVSS 9.8, AI score 9.1, EPSS 0.93507
Exploits 15, Affected Software 1
BDU FSTEC
added 2024/11/26 12:00 a.m., 1 view

Vulnerability in the String.toLowerCase() and String.toUpperCase() methods of the Spring Security Java framework, allowing an attacker to bypass authentication in industrial applications.

The vulnerability in the String.toLowerCase and String.toUpperCase methods of the Spring Security Java framework, which is used to secure industrial applications, is related to improper authentication. Exploiting this vulnerability can allow an attacker to bypass the authentication proces...

CVSS 4.8, AI score 6.5, EPSS 0.00399
Exploits 0, References 3, Affected Software 1