app.valuationcontrol:library (>=0.5.2 <=0.5.6), app.valuationcontrol:webservice (>=0.5.0 <=0.5.1) +2209 more potentially affected by CVE-2024-38827 via org.springframework.security:spring-security-core (>=6.2.0 <=6.2.7)

org.springframework.security:spring-security-core MAVEN version =6.2.0, =0.5.2, =0.5.0, =7.0.0, =1.0.0, =1.0.1, =1.0.1, =1.0.1, =1.0.1, =1.0.1, =1.0.1, =1.0.1, =1.0.1, =1.0.1, =1.0.6, =1.0.31 and more Source cves: CVE-2024-38827 Source advisory: OSV:GHSA-Q3V6-HM2V-PW99...

africa.absa:inception-api (>=1.0.0 <=1.2.0), africa.absa:inception-codes-api (>=1.0.0 <=1.2.0) +9311 more potentially affected by CVE-2024-38827 via org.springframework.security:spring-security-core (>=2.0.0 <=5.7.13)

org.springframework.security:spring-security-core MAVEN version =2.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =4.4.0.0, =0.1.8, =0.1.6, =0.1.7 and more Source cves: CVE-2024-38827 Source advisory: OSV:GHSA-Q3V6-HM2V-PW99...

CVE-2024-38827 Spring Security Authorization Bypass for Case Sensitive Comparisons

The usage of String.toLowerCase and String.toUpperCase has some Locale dependent exceptions that could potentially result in authorization rules not working properly...

VMware Spring Security 安全漏洞

VMware Spring Security is a set of security frameworks from VMware, Inc. that provide illustrative security protection for Spring-based applications. A security vulnerability exists in VMware Spring Security that stems from the presence of a number of anomalies related to the language environment...

Security Bulletin: Multiple security vulnerabilities are addressed with IBM Process Mining Interim Fix for Nov 2024

Summary In addition to many updates of operating system level packages, the following security vulnerabilities are addressed with IBM Process Mining 1.15.0 IF004 Vulnerability Details CVEID:CVE-2024-38821 DESCRIPTION: VMware Tanzu Spring Security could allow a remote attacker to bypass security...

The vulnerabilities of the String.toLowerCase() and String.toUpperCase() methods in the Java framework allow for security breaches in industrial applications, as they are exploited by attackers to bypass authentication processes.

The vulnerability of the String.toLowerCase and String.toUpperCase methods in the Java framework, which is used for securing industrial applications with Spring Security, is related to improper authentication. Exploiting this vulnerability can allow an attacker to bypass the authentication proces...

This Week in Spring - November 26th, 2024

This Week in Spring - November 26th, 2024 Hi, Spring fans! Welcome to another installment of This Week in Spring! Happy Spring Boot 3.4 release month to those who celebrate! And, also, Happy Thanksgiving to those who celebrate! Spring Boot 3.4 brings with it long-anticipated updates to the entire...

Bootiful Spring Boot 3.4: Start Here

Hi, Spring fans! And happy Spring Boot 3.4 release to those who celebrate! I know, I know what you're thinking: Josh, Spring Boot 3.4 already shipped! I know it. Spring Boot 3.4 dropped a week earlier this year! In the last couple of years, we’ve released Spring Boot on the same day as Thanksgivi...

K000148606: Spring vulnerability CVE-2021-22119

Security Advisory Description Spring Security versions 5.5.x prior to 5.5.1, 5.4.x prior to 5.4.7, 5.3.x prior to 5.3.10 and 5.2.x prior to 5.2.11 are susceptible to a Denial-of-Service DoS attack via the initiation of the Authorization Request in an OAuth 2.0 Client Web and WebFlux application. ...

PT-2024-8762

Name of the Vulnerable Software and Affected Versions Spring Security affected versions not specified Description The issue is related to the use of String.toLowerCase and String.toUpperCase functions in the Java framework for Spring Security, which can lead to improper authorization. This is due...

This Week in Spring - November 19th, 2024

Hi, Spring fans! How are you? Can you believe we're already staring at the end of the month? It's that time of the year when we see new releases, and the new releases reflect that frenzy! Soon: Spring Boot 3.4.0! Are you updated? Make sure you're updated! Remember: Spring projects leave open sour...

K000148465: Spring framework vulnerability CVE-2024-38816

Security Advisory Description Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process i...

Spring Security 5.7 < 5.7.13 / 5.8 < 5.8.15 / 6.0 < 6.0.13 / 6.1 < 6.1.11 / 6.2 < 6.2.7 / 6.3 < 6.3.4 Authorization Bypass (CVE-2024-38821)

The remote host contains a Spring Security version that is 5.7 prior to 5.7.13, 5.8 prior to 5.8.15, 6.0 prior to 6.0.13, 6.1 prior to 6.1.11, 6.2 prior to 6.2.7, or 6.3 prior to 6.3.4. It may, therefore, be affected by an authorization bypass vulnerability. Note that Nessus has not tested for th...

Authorization Bypass

org.springframework.security, spring-security-web is vulnerable to Authorization Bypass. The vulnerability is due to a flaw in Spring Security’s handling of authorization rules for static resources in WebFlux applications, which allows these rules to be bypassed under specific conditions...

This Week in Spring - October 29th, 2024

Hi, Spring fans! How're things? It's almost Halloween! I'm so excited! I'm going as a PHP program. Boooooooo...t. I'm writing this from the amazing Vaadin Create conference in Frankfurt, Germany, about to do my keynote for an amazing, Spring-loving audience here. So, without further ado, let's di...

city.smartb.i2:i2-spring-boot-starter-auth (=0.12.0), city.smartb.i2:i2-spring-boot-starter-auth-keycloak (=0.12.0) +328 more potentially affected by CVE-2024-38821 via org.springframework.security:spring-security-web (>=6.0.0 <=6.0.1)

org.springframework.security:spring-security-web MAVEN version =6.0.0, =3.0.1.0, =3.0.1.0, =3.0.1.0, =3.0.1.0, =3.0.1.0, =3.0.1.0, =2023.0.0.2-alpha.1, =2023.0.0.0, =2023.0.0.0, =1.0.1-RELEASE, =1.1.1-RELEASE, =2.0.5-RELEASE, =2.4.0-RELEASE and more Source cves: CVE-2024-38821 Source advisory:...

africa.absa:inception-oauth2-resource-server (>=1.0.0 <=1.2.0), ai.aitia:arrowhead-application-library-java-spring (>=4.4.0.0 <=4.6.0.0) +7361 more potentially affected by CVE-2024-38821 via org.springframework.security:spring-security-web (>=3.0.0.RELEASE <=5.7.12)

org.springframework.security:spring-security-web MAVEN version =3.0.0.RELEASE, =1.0.0, =4.4.0.0, =0.1.8, =0.1.6, =0.1.2, =0.5.0, =j8.2.4.0, =j8.2.4.0, =1.0.0, =1.0.0, =1.0.0, =0.0.2, =0.0.3, =1.1.0.RELEASE, =0.3, =0.6 and more Source cves: CVE-2024-38821 Source advisory: OSV:GHSA-C4Q5-6C82-3QPW...

br.com.nitertech:jwt (>=1.1.4.2 <=1.1.5), cn.herodotus.engine:oauth2-core (>=3.0.6.4 <=3.1.1.3) +354 more potentially affected by CVE-2024-38821 via org.springframework.security:spring-security-web (>=6.1.0 <=6.1.1)

org.springframework.security:spring-security-web MAVEN version =6.1.0, =1.1.4.2, =3.0.6.4, =3.0.6.4, =3.0.6.4, =3.0.6.4, =3.0.6.4, =3.0.6.4, =3.0.6.4, =4.0.1, =4.0.1, =4.0.1, =4.0.1, =0.1.0, =6.1.11, =7.0.4 and more Source cves: CVE-2024-38821 Source advisory: OSV:GHSA-C4Q5-6C82-3QPW...

GHSA-C4Q5-6C82-3QPW Spring Security vulnerable to Authorization Bypass of Static Resources in WebFlux Applications

Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances. For this to impact an application, all of the following must be true: It must be a WebFlux application It must be using Spring's static resources support It...

com.buession.security:buession-security-spring (>=3.0.0 <=3.0.1), com.buession.security:buession-security-web (>=3.0.0 <=3.0.1) +496 more potentially affected by CVE-2024-38821 via org.springframework.security:spring-security-web (>=5.8.0 <=5.8.14)

org.springframework.security:spring-security-web MAVEN version =5.8.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =1.48.0, =1.48.0, =1.48.0, =2.4.0, =2.4.0, =2.4.0, =4.5.0, =4.5.0, =4.5.0, =4.5.1 and more Source cves: CVE-2024-38821 Source advisory: OSV:GHSA-C4Q5-6C82-3QPW...