VMware Spring Boot Security Vulnerability
VMware Spring Boot is an open source framework from VMware. A security vulnerability exists in VMware Spring Boot versions prior to 2.2.11, which stems from a temporary directory hijacking weakness...
This Week in Spring - March 29th, 2022
Aloha, Spring fans, from beautiful Maui, Hawaii, where I am with my family on a bit of vacation. It's our daughter's Spring break, and so we're enjoying the family time while we can get it! I wanted to take a brief interlude in between the never-enough time on the beach and all the rum to get this...
CVE report published for Spring Framework
We have released Spring Framework 5.3.17 and Spring Framework 5.2.20 to address the following CVE report. CVE-2022-22950: Spring Expression DoS Vulnerability Please review the information in the CVE report and upgrade immediately. Spring Boot users should upgrade to 2.5.11 or 2.6.5...
Spring Boot Actuator Logview < 0.2.13 Directory Traversal
Spring Boot Actuator Logview is a library that adds a simple logfile viewer as Spring Boot Actuator endpoint. In Spring Boot Actuator Logview before version 0.2.13 there is a directory traversal vulnerability. The nature of this library is to expose a log file directory via admin Spring Boot...
Spring Boot Actuator Detected
This is an informational notice that the scanner was able to detect an accessible Spring Actuator. Actuator endpoints let you monitor and interact with your application. Spring Boot includes a number of built-in endpoints and lets you add your own. For example, the 'health' endpoint provides basi...
Spring Boot Actuator Sensitive Endpoints Detected
Spring Boot Actuator endpoints let you monitor and interact with your application. Spring Boot includes a number of built-in endpoints and lets you add your own. For example, the 'health' endpoint provides basic application health information. But some of these endpoints are considered sensitive...
Spring Boot Actuator HikariCP Remote Code Execution
The Spring Boot framework is one of the most popular Java-based microservice frameworks that helps developers quickly and easily deploy Java applications. When the endpoint actuator is accessible with the env and restart methods, it is possible for an unauthenticated remote attacker to obtain a...
Exploit for Uncontrolled Resource Consumption in Siemens 6Bk1602-0Aa12-0Tp0_Firmware
CVE-2021-44228 !Dockerfilehttps://github.com/ahmad4fifz/C...
ai.foxpay.api:foxpay-sdk (>=1.0 <=1.1), ai.genauth:genauth-java-sdk (=3.1.11) +261 more potentially affected by CVE-2022-22885 via cn.hutool:hutool-http (>=4.0.12 <=5.7.18)
cn.hutool:hutool-http MAVEN version =4.0.12, =1.0, =2.4.3, =2.4.3, =2.4.3, =2.4.3, =2.4.3, =2.4.3, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =2.0.3, =2.0.5, =3.0.2 and more Source cves: CVE-2022-22885 Source advisory: OSV:GHSA-P7W9-8MXW-P3G7...
Keking kkFileview Path Traversal Vulnerability
Keking KkFileview is a Spring Boot project from Keking Technology, a Chinese company that builds online document previews. A security vulnerability exists in Keking KkFileview, which originates from a directory traversal flaw that allows arbitrary files to be read, which cou...
club.javafamily:javafamily-utils-all (>=2.3.2-beta.3 <=2.3.2-beta.4), club.javafamily:javafamily-utils-pdf-itext (>=2.3.2-beta.3 <=2.3.2-beta.4) +213 more potentially affected by CVE-2022-24196 via com.itextpdf:itext7-core (>=7.0.4 <=7.1.16)
com.itextpdf:itext7-core MAVEN version =7.0.4, =2.3.2-beta.3, =2.3.2-beta.3, =1.6.0, =0.0.30, =0.1, =1.0, =1.0, =1.0, =1.1 - com.houkunlin.easypoi:easypoi-base =5.0.2 - com.houkunlin.easypoi:easypoi-spring-boot-starter =5.0.2 - com.houkunlin.easypoi:easypoi-web =5.0.2 -...
JavaQuarkBBS Cross-Site Scripting Vulnerability
JavaQuarkBBS is a simple Java community platform based on Spring Boot, developed in China. JavaQuarkBBS v2 and earlier versions suffer from a cross-site scripting vulnerability, which stems from a lack of validation and filtering of user-supplied data on input and output. An attacker could exploit thi...
com.hazelcast.jet.contrib:hazelcast-jet-spring-boot-starter (>=2.0.0 <=2.0.1), com.hazelcast.jet.contrib:http (=0.1) +57 more potentially affected by unknown CVE via com.hazelcast.jet:hazelcast-jet (>=4.1 <=4.5.2)
com.hazelcast.jet:hazelcast-jet MAVEN version =4.1, =2.0.0, =4.1, =4.3, =4.1, =4.1, =4.2, =4.1, =4.1, =4.1, =4.1, =4.4, =4.1, =4.5.2 and more Source cves: unknown CVE Source advisory: OSV:GHSA-V57X-GXFJ-484Q...
Exploit for Uncontrolled Resource Consumption in Siemens 6Bk1602-0Aa12-0Tp0_Firmware
log4j Spring vulnerable POC This is a POC for a simple spring...
Exploit for Uncontrolled Resource Consumption in Siemens 6Bk1602-0Aa12-0Tp0_Firmware
log4shell-rmi-poc A Proof of Concept of the Log4j vulnerabilit...
Metasploit Wrap-Up
Log4Shell - Log4j HTTP Scanner Versions of Apache Log4j impacted by CVE-2021-44228 which allow JNDI features used in configuration, log messages, and parameters, do not protect against attacker controlled LDAP and other JNDI related endpoints. This module will scan an HTTP endpoint for the...
IBM Spectrum Copy Data Management Unauthorized Access Vulnerability
IBM Spectrum Copy Data Management, an IBM product that modernizes, streamlines, and automates data center copy management processes, has a security vulnerability that could be exploited by an attacker to gain unauthorized access to the Spring Boot console...
Exploit for Uncontrolled Resource Consumption in Siemens 6Bk1602-0Aa12-0Tp0_Firmware
Simple Spring Boot application vulnerable to CVE-2021-44228 L...
CVE-2021-39052
IBM Spectrum Copy Data Management 2.2.13 and earlier could allow a remote attacker to access the Spring Boot console without authorization. IBM X-Force ID: 214523...