ai.optfor:spring-openai-api (>=0.1 <=0.3.25), am.ik.s3:simple-s3-client (>=0.1.0 <=0.1.1) +3861 more potentially affected by CVE-2024-22262 via org.springframework:spring-web (>=6.0.0 <=6.0.18)

org.springframework:spring-web MAVEN version =6.0.0, =0.1, =0.1.0, =0.2.3, =0.2.3, =4.0.0, =1.5.0.RELEASE, =1.5.1.RELEASE, =1.5.0.RELEASE, =2.1.0.RELEASE, =1.5.0.RELEASE, =1.5.2.RELEASE - be.tomcools:rickroll-security-spring-boot-starter =3.1.1 -...

ai.ancf.lmos-router:lmos-router-llm-in-spring-cloud-gateway-demo (=0.28.0), ai.ancf.lmos:arc-graphql-spring-boot-starter (>=0.1.1 <=0.112.0) +8709 more potentially affected by CVE-2024-22262 via org.springframework:spring-web (>=6.1.0 <=6.1.5)

org.springframework:spring-web MAVEN version =6.1.0, =0.1.1, =0.1.1, =0.0.4, =0.1.0, =0.1.0, =0.5.0, =0.6.0, =0.6.0, =0.5.0, =0.6.0, =0.6.0, =0.5.0, =0.7.0, =0.7.0, =0.8.7 and more Source cves: CVE-2024-22262 Source advisory: OSV:GHSA-2WRP-6FG6-HMC5...

ColumnPack:ColumnPack-plugin (=1.0.3), CustomHistory:CustomHistory (>=1.1 <=1.3) +36848 more potentially affected by CVE-2024-22262 via org.springframework:spring-web (>=1.2.1 <=5.3.33)

org.springframework:spring-web MAVEN version =1.2.1, =1.1, =0.0.1, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.2.0 and more Source cves: CVE-2024-22262 Source advisory: OSV:GHSA-2WRP-6FG6-HMC5...

Security Bulletin: Vulnerability with OpenJDK, commons-compress and spring-web-5.3.27/spring-web-5.3.32 affect IBM Cloud Object Storage Systems (April 2024v1)

Summary Vulnerability with OpenJDK- CVE-2024-20952, CVE-2024-20918, CVE-2024-20921, CVE-2024-20945, CVE-2024-20932, CVE-2024-20919, CVE-2024-20926, commons-compress CVE-2024-25710, CVE-2024-26308 , spring-web-5.3.27 CVE-2024-22243, spring-web-5.3.32CVE-2024-22259. This vulnerability has been...

Server Side Request Forgery (SSRF)

org.springframework:spring-web is vulnerable to Open Redirect. The vulnerability is due to insufficient validation checks of the host URL within UriComponentsBuilder.java. If an application utilizes the host validation checks, an attacker can perform an open redirect or Server-Side Request Forger...

ColumnPack:ColumnPack-plugin (=1.0.3), CustomHistory:CustomHistory (>=1.1 <=1.3) +36789 more potentially affected by CVE-2024-22259 via org.springframework:spring-web (>=1.2.1 <=5.3.32)

org.springframework:spring-web MAVEN version =1.2.1, =1.1, =0.0.1, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.2.0 and more Source cves: CVE-2024-22259 Source advisory: OSV:GHSA-HGJH-9RJ2-G67J...

ai.ancf.lmos-router:lmos-router-llm-in-spring-cloud-gateway-demo (=0.28.0), ai.ancf.lmos:arc-graphql-spring-boot-starter (>=0.1.1 <=0.112.0) +8231 more potentially affected by CVE-2024-22259 via org.springframework:spring-web (>=6.1.0 <=6.1.4)

org.springframework:spring-web MAVEN version =6.1.0, =0.1.1, =0.1.1, =0.0.4, =0.1.0, =0.1.0, =0.5.0, =0.6.0, =0.6.0, =0.5.0, =0.6.0, =0.6.0, =0.5.0, =0.7.0, =0.7.0, =0.8.7 and more Source cves: CVE-2024-22259 Source advisory: OSV:GHSA-HGJH-9RJ2-G67J...

ai.optfor:spring-openai-api (>=0.1 <=0.3.25), am.ik.s3:simple-s3-client (>=0.1.0 <=0.1.1) +3835 more potentially affected by CVE-2024-22259 via org.springframework:spring-web (>=6.0.0 <=6.0.17)

org.springframework:spring-web MAVEN version =6.0.0, =0.1, =0.1.0, =0.2.3, =0.2.3, =4.0.0, =1.5.0.RELEASE, =1.5.1.RELEASE, =1.5.0.RELEASE, =2.1.0.RELEASE, =1.5.0.RELEASE, =1.5.2.RELEASE - be.tomcools:rickroll-security-spring-boot-starter =3.1.1 -...

Server Side Request Forgery (SSRF)

org.springframework:spring-web is vulnerable to Open Redirect. The vulnerability is due to insufficient validation checks of the host URL within UriComponentsBuilder.java. If an application utilizes the host validation checks, an attacker can perform an open redirect or Server-Side Request Forger...

ColumnPack:ColumnPack-plugin (=1.0.3), CustomHistory:CustomHistory (>=1.1 <=1.3) +22635 more potentially affected by CVE-2024-22243 via org.springframework:spring-web (>=1.2.1 <=5.2.25.RELEASE)

org.springframework:spring-web MAVEN version =1.2.1, =1.1, =0.0.1, =4.4.0.0, =0.1.6, =0.1.8, =0.1.6, =0.1.2, =0.5.0, =0.5.0, =0.5.0, =0.5.0, =0.5.0, =0.5.0, =0.5.21 and more Source cves: CVE-2024-22243 Source advisory: OSV:GHSA-CCGV-VJ62-XF9H...

ai.optfor:spring-openai-api (>=0.1 <=0.3.25), am.ik.s3:simple-s3-client (>=0.1.0 <=0.1.1) +3787 more potentially affected by CVE-2024-22243 via org.springframework:spring-web (>=6.0.0 <=6.0.16)

org.springframework:spring-web MAVEN version =6.0.0, =0.1, =0.1.0, =0.2.3, =0.2.3, =4.0.0, =1.5.0.RELEASE, =1.5.1.RELEASE, =1.5.0.RELEASE, =2.1.0.RELEASE, =1.5.0.RELEASE, =1.5.2.RELEASE - be.tomcools:rickroll-security-spring-boot-starter =3.1.1 -...

ai.ancf.lmos-router:lmos-router-llm-in-spring-cloud-gateway-demo (=0.28.0), ai.ancf.lmos:arc-graphql-spring-boot-starter (>=0.1.1 <=0.112.0) +7853 more potentially affected by CVE-2024-22243 via org.springframework:spring-web (>=6.1.0 <=6.1.3)

org.springframework:spring-web MAVEN version =6.1.0, =0.1.1, =0.1.1, =0.0.4, =0.1.0, =0.1.0, =0.5.0, =0.6.0, =0.6.0, =0.5.0, =0.6.0, =0.6.0, =0.5.0, =0.7.0, =0.7.0, =0.8.7 and more Source cves: CVE-2024-22243 Source advisory: OSV:GHSA-CCGV-VJ62-XF9H...

africa.absa:inception-api (>=1.1.0 <=1.2.0), africa.absa:inception-application (>=1.1.0 <=1.2.0) +15100 more potentially affected by CVE-2024-22243 via org.springframework:spring-web (>=5.3.0 <=5.3.31)

org.springframework:spring-web MAVEN version =5.3.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =4.4.0.2, =4.6.0.0 - ai.apiverse:apipulse =1.0.1 and more Source cves: CVE-2024-22243 Source advisory: OSV:GHSA-CCGV-VJ62-XF9H...

This Week in Spring - January 16th, 2024

Hi, Spring fans! Welcome to another installment of This Week in Spring! It's the 16th of January already! We're closer to February than not! I can hardly believe it. As always, we've got a lot to cover so let's dive right into it. the Spring Authorization Server 1.3.0-m1 is now available this is...

Confluence 8.7.1 is using a vulnerable library - spring-web-5.3.30

h3. Issue Summary CVE - CVE-2016-1000027 Advisory URL - https://nvd.nist.gov/vuln/detail/CVE-2016-1000027 h3. Steps to Reproduce Build confluence to find the vulnerable artifact h3. Expected Results Vulnerable library is fixed h3. Actual Results Vulnerable library found at -...

Vulnerability fixed in NetApp Active IQ Unified Manager

NetApp has fixed a vulnerability in the Spring Web Services component of Active IQ Unified Manager for Windows, Linux, and VMware vSphere. The vulnerability allows a malicious party to gain access to sensitive data, potentially to manipulate it, or to cause a denial-of-service. NetApp has release...

Denial Of Service (DoS)

org.springframework: spring-web is vulnerable to Denial Of Service DoS. The vulnerability is due to a lack of validation for HTTP methods in DefaultServerRequestObservationConvention.java. This allows an attacker to inject specially crafted HTTP requests that may cause Denial of Service. Note tha...

Security Bulletin: IBM OpenPages for IBM Cloud Pak for Data is Vulnerable to Spring Web Unsafe Deserialization [CVE-2016-1000027]

Summary There is a vulnerability in the Spring Web open source library used by IBM OpenPages for IBM Cloud Pak for Data. This vulnerability has been addressed. CVE-2016-1000027 Vulnerability Details CVEID:CVE-2016-1000027 DESCRIPTION: Pivota Spring Framework could allow a remote attacker to execu...

Security Bulletin: Due to the use of Apache spring-web, IBM ECM Content Management Interoperability Services (CMIS) is affected by remote code execution (RCE) security vulnerability CVE-2016-1000027

Summary IBM ECM Content Management Interoperability Services CMIS is affected by Apache spring-web security vulnerability CVE-2016-1000027 , affected, not vulnerable. Vulnerability Details CVEID:CVE-2016-1000027 DESCRIPTION: Pivota Spring Framework could allow a remote attacker to execute arbitra...

SUSE CVE-2019-3773

Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection XXE when receiving XML data from untrusted sources...