Lucene search
1248 matches found

Spring Engineering
added 2022/06/18 7:0 a.m., 34 views

Spring Tools 4.15.1 released

Dear Spring Community, I am happy to announce the 4.15.1 release of the Spring Tools 4 for Eclipse, Visual Studio Code, and Theia. fixes and improvements Spring Boot fixed: VScode incorrectly suggests removing @Autowired annotation from methods 787 Spring Boot fixed: VScode quick fix should not...

0.8 AI score
Exploits: 0

Spring Engineering
added 2022/06/14 7:0 a.m., 24 views

This Week in Spring - June 14th, 2022

Hi, Spring fans! Welcome to another installment of This Week in Spring! I've just arrived in beautiful Berlin, Germany, for the forthcoming We Are Developers show with more than five thousand attendees. I was in Toronto, Canada, for the epic SpringOne Tour installment there. I've also had the...

7.4 AI score
Exploits: 0

Spring Engineering
added 2022/06/07 12:0 p.m., 20 views

This Week in Spring - June 7th, 2022

Hi, Spring fans! Welcome to another installment of This Week in Spring! I've just landed in tantalizing Toronto, Canada, for the SpringOne Tour Toronto show. I'm so excited to be here, at long last, after so long away from one of my favorite countries. I'll be doing two talks - my usual, Kubernetes...

0.5 AI score
Exploits: 0

Tenable Nessus
added 2022/06/01 12:0 a.m., 30 views

Apache Shiro < 1.8.0 Authentication Bypass

Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number. (C) Tenable, Inc...

9.8 CVSS, 8.3 AI score, 0.49287 EPSS
Exploits: 0, References: 2

vulnersOsv
added 2022/05/24 7:19 p.m., 3 views

com.github.paulcwarren:content-rest-spring-boot-starter (=1.2.0), com.github.paulcwarren:spring-content-rest (=1.2.0) +18 more potentially affected by CVE-2021-22047 via org.springframework.data:spring-data-rest-core (>=3.4.0 <=3.4.13)

org.springframework.data:spring-data-rest-core MAVEN version =3.4.0, =1.5.0, =1.5.0, =1.5.0, =0.9.0, =0.3.0, =1.5.0, =2.4.0, =2.7.3, =2.7.3, =2.7.3, =2.7.3, =2.7.4 and more Source cves: CVE-2021-22047 Source advisory: OSV:GHSA-4926-QPXG-6R3W https://vulners.co...

5.3 CVSS, 6 AI score, 0.00315 EPSS
Exploits: 0

Spring Engineering
added 2022/05/24 4:0 p.m., 17 views

Preparing for Spring Boot 3.0

Spring Boot 2.0 was the first release in the 2.x line and was published on February 28th 2018. We've just released Spring Boot 2.7 which means that, so far, we've been maintaining the 2.x line for just over 4 years. In total we've published 95 distinct releases over that timeframe! The entire Spring...

0.2 AI score
Exploits: 0

Spring Engineering
added 2022/05/24 7:0 a.m., 16 views

This Week in Spring - May 24th, 2022

Hi, Spring fans! I'm in Spain for business and not just a little pleasure. Yesterday, my partner, her mother, and I went to Formentera, Spain, a little island off of Ibiza, Spain. It was amazing. We're now in Ibiza, Spain, which is a little island not far from Barcelona, Spain, on the mainland of...

Exploits: 0

vulnersOsv
added 2022/05/20 12:0 a.m., 5 views

ai.aitia:arrowhead-application-library-java-spring (>=4.4.0.2 <=4.6.0.0), ai.ylyue:yue-library-auth-client (=j11.2.6.0) +1749 more potentially affected by CVE-2022-22978 via org.springframework.security:spring-security-core (>=5.6.0 <=5.6.3)

org.springframework.security:spring-security-core MAVEN version =5.6.0, =4.4.0.2, =1.3.1.RELEASE, =0.2.0, =0.8.3, =2.1.0.M8, =1.0.0, =2.7.0.Beta3, =2.7.0.Beta4, =2.7.0.Beta3, =2.7.0.Beta3, =2.7.0.Beta3, =2.7.0.RC1 and more Source cves: CVE-2022-22978 Source advisory: OSV:GHSA-HH32-7344-CG2F...

9.8 CVSS, 6.7 AI score, 0.90224 EPSS
Exploits: 6

Spring Engineering
added 2022/05/17 11:5 p.m., 32 views

This Week in Spring - May 17th, 2022

Hi, Spring fans! Welcome to another installment of This Week in Spring! I am in beautiful Barcelona, Spain, this week, ahead of the upcoming Spring I/O show. I just spent a wonderful week in amazing England, meeting old friends, speaking at Devoxx UK, etc. A Bootiful Podcast: EasyMock contributor...

7.2 AI score
Exploits: 0

vulnersOsv
added 2022/05/13 1:9 a.m., 1 views

com.github.arucard21.simplyrestful:simplyrestful-jetty (=0.5), com.github.arucard21.simplyrestful:simplyrestful-spring-boot (=0.2) +216 more potentially affected by CVE-2017-12624 via org.apache.cxf:cxf-core (=3.2.0)

org.apache.cxf:cxf-core MAVEN version =3.2.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.apache.cxf:cxf-core and may be impacted: - com.github.arucard21.simplyrestful:simplyrestful-jetty =0.5 -...

5.5 CVSS, 6.4 AI score, 0.03566 EPSS
Exploits: 3

vulnersOsv
added 2022/05/13 1:8 a.m., 4 views

at.salzburgresearch.nodekeeper:nodekeeper-java (>=1.0 <=1.2), com.baidu.beidou:navi-rpc (=1.1.0) +85 more potentially affected by CVE-2017-5637 via org.apache.zookeeper:zookeeper (>=3.4.0 <=3.4.1)

org.apache.zookeeper:zookeeper MAVEN version =3.4.0, =1.0, =1.0.0.RELEASE, =1.0.0.RELEASE, =1.0.0.RELEASE, =0.13, =0.13, =0.13, =0.16, =0.13, =0.15, =0.13, =0.15, =0.17 and more Source cves: CVE-2017-5637 Source advisory: OSV:GHSA-7CWJ-J333-X7F7...

7.5 CVSS, 7.1 AI score, 0.17446 EPSS
Exploits: 0

Kitploit
added 2022/05/10 9:30 p.m., 60 views

Spring4Shell-Poc - Spring Core RCE 0-day Vulnerability

Description of the vulnerability: https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html Construction of the POC: https://github.com/BobTheShoplifter/Spring4Shell-POC Steps to Build/Run Tested with JDK 11.0.14, Spring Boot 2.6.5, and Apache Tomcat 9.0.60 Run mvn clean packag...

7.4 AI score
Exploits: 0, References: 4

Spring Engineering
added 2022/05/10 11:0 a.m., 15 views

This Week in Spring - May 10th, 2022

Hi, Spring fans! I'm writing this from - I can't believe I get to say this - abroad! I'm in London, UK! Now, this is not particularly noteworthy for those millions who already live here. But I don't live here. I'm a visitor! I live in San Francisco. I had to fly here! On a plane! With other people!...

0.2 AI score
Exploits: 0

Gitee
added 2022/05/05 5:21 p.m., 7 views

Exploit for Code Injection in Vmware Spring_Framework

Vulnerability overview: Recently a major CVE vulnerability was disclosed in Spring; the CVE information states "A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution RCE via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot...

9.8 CVSS, 8.8 AI score, 0.94428 EPSS
Exploits: 104

ATTACKERKB
added 2022/05/03 6:15 p.m., 1 views

CVE-2022-28588

In SpringBootMovie =1.2 when adding movie names, malicious code can be stored because there are no filtering parameters, resulting in stored XSS...

5.4 CVSS, 6.1 AI score, 0.00191 EPSS
Exploits: 1, References: 2

CNNVD
added 2022/05/03 12:0 a.m., 1 views

SpringBootMovie Cross-Site Scripting Vulnerability

SpringBootMovie, a Spring Boot-based movie website, is vulnerable to a cross-site scripting vulnerability in SpringBootMovie version 1.2 and earlier, which stems from a failure to filter parameters when adding movie names. An attacker could exploit this vulnerability to execute JavaScript code on...

5.4 CVSS, 5.7 AI score, 0.00191 EPSS
Exploits: 1, References: 2

GithubExploit
added 2022/04/29 9:58 a.m., 237 views

Exploit for Code Injection in Vmware Spring_Framework

Vulnerability overview: Recently a major CVE vulnerability was disclosed in Spring; the CVE information states "A Spring MVC or Spring WebFl...

9.8 CVSS, 9.3 AI score, 0.94428 EPSS
Exploits: 104

Spring Engineering
added 2022/04/27 6:15 a.m., 15 views

This Week in Spring - April 26th, 2022

Hi, Spring fans! Welcome to another installment of This Week in Spring! This week I was hoping to be in glorious Chicago, Illinois for the first in-person SpringOne Tour installment since the pandemic. But, alas, I couldn't go because - out of an abundance of caution, and since I was exposed to...

6.9 AI score
Exploits: 0

vulnersOsv
added 2022/04/22 12:0 a.m., 0 views

com.atlassian.connect:atlassian-connect-spring-boot-api (>=2.0.2 <=2.0.7), com.atlassian.connect:atlassian-connect-spring-boot-core (>=2.0.2 <=2.0.7) +34 more potentially affected by CVE-2022-22969 via org.springframework.security.oauth:spring-security-oauth2 (>=2.4.0.RELEASE <=2.4.1.RELEASE)

org.springframework.security.oauth:spring-security-oauth2 MAVEN version =2.4.0.RELEASE, =2.0.2, =2.0.2, =2.0.2, =2.0.2, =0.0.5, =0.0.5, =0.0.5, =5.0.0, =5.0.0, =4.59.5, =1.0.10.RELEASE, =1.0.10.RELEASE, =1.0.10.RELEASE, =1.73.8, =1.106.2 and more Source cves: CVE-2022-22969 Source advisory:...

6.5 CVSS, 6.5 AI score, 0.00587 EPSS
Exploits: 0

OpenVAS
added 2022/04/19 12:0 a.m., 35 views

VMware Spring Boot < 2.5.13, 2.6.x < 2.6.7 Data Binding Rules Vulnerability

VMware Spring Boot is prone to a data binding rules vulnerability in the used Spring Framework. SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only...

5.3 CVSS, 5.9 AI score, 0.2051 EPSS
Exploits: 2, References: 2