1167 matches found

BDU FSTEC (added 2024/11/26 12:00 a.m., 1 view)

Vulnerability in the String.toLowerCase() and String.toUpperCase() methods of the Java framework used in industrial applications, which an attacker can exploit to bypass authentication.

The vulnerability of the String.toLowerCase and String.toUpperCase methods in the Java framework, which is used for securing industrial applications with Spring Security, is related to improper authentication. Exploiting this vulnerability can allow an attacker to bypass the authentication proces...

CVSS 4.8, AI score 6.5, EPSS 0.00399
Exploits: 0, References: 3, Affected software: 1
Spring Engineering (added 2024/11/26 12:00 a.m., 9 views)

This Week in Spring - November 26th, 2024

This Week in Spring - November 26th, 2024 Hi, Spring fans! Welcome to another installment of This Week in Spring! Happy Spring Boot 3.4 release month to those who celebrate! And, also, Happy Thanksgiving to those who celebrate! Spring Boot 3.4 brings with it long-anticipated updates to the entire...

AI score 7.1
Exploits: 0
Spring Engineering (added 2024/11/25 12:00 a.m., 10 views)

Bootiful Spring Boot 3.4: Start Here

Hi, Spring fans! And happy Spring Boot 3.4 release to those who celebrate! I know, I know what you're thinking: Josh, Spring Boot 3.4 already shipped! I know it. Spring Boot 3.4 dropped a week earlier this year! In the last couple of years, we’ve released Spring Boot on the same day as Thanksgivi...

AI score 7.2
Exploits: 0
F5 Networks (added 2024/11/19 2:50 a.m., 22 views)

K000148606: Spring vulnerability CVE-2021-22119

Security Advisory Description Spring Security versions 5.5.x prior to 5.5.1, 5.4.x prior to 5.4.7, 5.3.x prior to 5.3.10 and 5.2.x prior to 5.2.11 are susceptible to a Denial-of-Service DoS attack via the initiation of the Authorization Request in an OAuth 2.0 Client Web and WebFlux application. ...

CVSS 7.5, AI score 6.3, EPSS 0.04895
Exploits: 0
Positive Technologies (added 2024/11/19 12:00 a.m., 2 views)

PT-2024-8762

Name of the Vulnerable Software and Affected Versions Spring Security affected versions not specified Description The issue is related to the use of String.toLowerCase and String.toUpperCase functions in the Java framework for Spring Security, which can lead to improper authorization. This is due...

CVSS 6.3, AI score 6.5, EPSS 0.01383
Exploits: 1, References: 161
Spring Engineering (added 2024/11/19 12:00 a.m., 29 views)

This Week in Spring - November 19th, 2024

Hi, Spring fans! How are you? Can you believe we're already staring at the end of the month? It's that time of the year when we see new releases, and the new releases reflect that frenzy! Soon: Spring Boot 3.4.0! Are you updated? Make sure you're updated! Remember: Spring projects leave open sour...

CVSS 5.3, AI score 6.8, EPSS 0.00076
Exploits: 0
F5 Networks (added 2024/11/08 7:37 p.m., 45 views)

K000148465: Spring framework vulnerability CVE-2024-38816

Security Advisory Description Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process i...

CVSS 7.5, AI score 7.3, EPSS 0.9389
Exploits: 1
Tenable Nessus (added 2024/11/06 12:00 a.m., 24 views)

Spring Security 5.7 < 5.7.13 / 5.8 < 5.8.15 / 6.0 < 6.0.13 / 6.1 < 6.1.11 / 6.2 < 6.2.7 / 6.3 < 6.3.4 Authorization Bypass (CVE-2024-38821)

The remote host contains a Spring Security version that is 5.7 prior to 5.7.13, 5.8 prior to 5.8.15, 6.0 prior to 6.0.13, 6.1 prior to 6.1.11, 6.2 prior to 6.2.7, or 6.3 prior to 6.3.4. It may, therefore, be affected by an authorization bypass vulnerability. Note that Nessus has not tested for th...

CVSS 9.1, AI score 7.1, EPSS 0.1309
Exploits: 2, References: 2
Veracode (added 2024/10/30 3:57 a.m., 19 views)

Authorization Bypass

org.springframework.security, spring-security-web is vulnerable to Authorization Bypass. The vulnerability is due to a flaw in Spring Security’s handling of authorization rules for static resources in WebFlux applications, which allows these rules to be bypassed under specific conditions...

CVSS 9.1, AI score 6.5, EPSS 0.1309
Exploits: 2, References: 5, Affected software: 1
Spring Engineering (added 2024/10/29 12:00 a.m., 10 views)

This Week in Spring - October 29th, 2024

Hi, Spring fans! How're things? It's almost Halloween! I'm so excited! I'm going as a PHP program. Boooooooo...t. I'm writing this from the amazing Vaadin Create conference in Frankfurt, Germany, about to do my keynote for an amazing, Spring-loving audience here. So, without further ado, let's di...

AI score 7.1
Exploits: 0
vulnersOsv (added 2024/10/28 9:30 a.m., 5 views)

city.smartb.i2:i2-spring-boot-starter-auth (=0.12.0), city.smartb.i2:i2-spring-boot-starter-auth-keycloak (=0.12.0) +328 more potentially affected by CVE-2024-38821 via org.springframework.security:spring-security-web (>=6.0.0 <=6.0.1)

org.springframework.security:spring-security-web MAVEN version =6.0.0, =3.0.1.0, =3.0.1.0, =3.0.1.0, =3.0.1.0, =3.0.1.0, =3.0.1.0, =2023.0.0.2-alpha.1, =2023.0.0.0, =2023.0.0.0, =1.0.1-RELEASE, =1.1.1-RELEASE, =2.0.5-RELEASE, =2.4.0-RELEASE and more Source cves: CVE-2024-38821 Source advisory:...

CVSS 9.1, AI score 7.1, EPSS 0.1309
Exploits: 2
vulnersOsv (added 2024/10/28 9:30 a.m., 6 views)

africa.absa:inception-oauth2-resource-server (>=1.0.0 <=1.2.0), ai.aitia:arrowhead-application-library-java-spring (>=4.4.0.0 <=4.6.0.0) +7358 more potentially affected by CVE-2024-38821 via org.springframework.security:spring-security-web (>=3.0.0.RELEASE <=5.7.12)

org.springframework.security:spring-security-web MAVEN version =3.0.0.RELEASE, =1.0.0, =4.4.0.0, =0.1.8, =0.1.6, =0.1.2, =0.5.0, =j8.2.4.0, =j8.2.4.0, =1.0.0, =1.0.0, =1.0.0, =0.0.2, =0.0.3, =1.1.0.RELEASE, =0.3, =0.6 and more Source cves: CVE-2024-38821 Source advisory: OSV:GHSA-C4Q5-6C82-3QPW...

CVSS 9.1, AI score 7.1, EPSS 0.1309
Exploits: 2
vulnersOsv (added 2024/10/28 9:30 a.m., 6 views)

br.com.nitertech:jwt (>=1.1.4.2 <=1.1.5), cn.herodotus.engine:oauth2-core (>=3.0.6.4 <=3.1.1.3) +354 more potentially affected by CVE-2024-38821 via org.springframework.security:spring-security-web (>=6.1.0 <=6.1.1)

org.springframework.security:spring-security-web MAVEN version =6.1.0, =1.1.4.2, =3.0.6.4, =3.0.6.4, =3.0.6.4, =3.0.6.4, =3.0.6.4, =3.0.6.4, =3.0.6.4, =4.0.1, =4.0.1, =4.0.1, =4.0.1, =0.1.0, =6.1.11, =7.0.4 and more Source cves: CVE-2024-38821 Source advisory: OSV:GHSA-C4Q5-6C82-3QPW...

CVSS 9.1, AI score 7.1, EPSS 0.1309
Exploits: 2
OSV (added 2024/10/28 9:30 a.m., 1 view)

GHSA-C4Q5-6C82-3QPW Spring Security vulnerable to Authorization Bypass of Static Resources in WebFlux Applications

Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances. For this to impact an application, all of the following must be true: It must be a WebFlux application It must be using Spring's static resources support It...

CVSS 9.3, AI score 5.9, EPSS 0.1309
Exploits: 2, References: 6
vulnersOsv (added 2024/10/28 9:30 a.m., 6 views)

com.buession.security:buession-security-spring (>=3.0.0 <=3.0.1), com.buession.security:buession-security-web (>=3.0.0 <=3.0.1) +496 more potentially affected by CVE-2024-38821 via org.springframework.security:spring-security-web (>=5.8.0 <=5.8.14)

org.springframework.security:spring-security-web MAVEN version =5.8.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =1.48.0, =1.48.0, =1.48.0, =2.4.0, =2.4.0, =2.4.0, =4.5.0, =4.5.0, =4.5.0, =4.5.1 and more Source cves: CVE-2024-38821 Source advisory: OSV:GHSA-C4Q5-6C82-3QPW...

CVSS 9.1, AI score 7.1, EPSS 0.1309
Exploits: 2
vulnersOsv (added 2024/10/28 9:30 a.m., 6 views)

ai.langsa:ccaas-starter (>=0.1 <=cloud-0.3), ai.langsa:pom-ccaas-langsa (=0.1) +1519 more potentially affected by CVE-2024-38821 via org.springframework.security:spring-security-web (>=6.3.0 <=6.3.3)

org.springframework.security:spring-security-web MAVEN version =6.3.0, =0.1, =1.0.0, =1.0.0, =3.3.0.0, =3.3.0.0, =3.3.0.0, =3.3.0.0, =3.3.0.0, =3.3.0.0, =3.3.4.3 and more Source cves: CVE-2024-38821 Source advisory: OSV:GHSA-C4Q5-6C82-3QPW...

CVSS 9.1, AI score 7.1, EPSS 0.1309
Exploits: 2
vulnersOsv (added 2024/10/28 9:30 a.m., 3 views)

app.valuationcontrol:library (>=0.5.2 <=0.5.5), app.valuationcontrol:webservice (>=0.5.0 <=0.5.1) +1823 more potentially affected by CVE-2024-38821 via org.springframework.security:spring-security-web (>=6.2.0 <=6.2.6)

org.springframework.security:spring-security-web MAVEN version =6.2.0, =0.5.2, =0.5.0, =7.0.0, =1.0.0, =1.0.1, =1.0.1, =1.0.1, =1.0.1, =1.0.1, =1.0.1, =1.0.1, =1.0.1, =1.0.1, =1.0.6, =1.0.1, =1.0.31 and more Source cves: CVE-2024-38821 Source advisory: OSV:GHSA-C4Q5-6C82-3QPW...

CVSS 9.1, AI score 7.1, EPSS 0.1309
Exploits: 2
Cvelist (added 2024/10/28 7:06 a.m., 47 views)

CVE-2024-38821 Authorization Bypass of Static Resources in WebFlux Applications

Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances. For this to impact an application, all of the following must be true: It must be a WebFlux application It must be using Spring's static resources support It...

CVSS 9.1, EPSS 0.1309
Exploits: 2, References: 1
CVE (added 2024/10/28 7:06 a.m., 341 views)

CVE-2024-38821

CVE-2024-38821 affects Spring WebFlux with Spring Security static resource rules. A bypass is possible when a non-permitAll authorization rule is applied to Spring’s static resources and the resources are served by a WebFlux app using Spring’s static resources support. Documents confirm this CVE ...

CVSS 9.1, AI score 9.1, EPSS 0.1309
Exploits: 2, References: 2
Vulnrichment (added 2024/10/28 7:06 a.m., 21 views)

CVE-2024-38821 Authorization Bypass of Static Resources in WebFlux Applications

Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances. For this to impact an application, all of the following must be true: It must be a WebFlux application It must be using Spring's static resources support It...

CVSS 9.1, AI score 6.9, EPSS 0.1309
Exploits: 2, References: 1