Security Bulletin: IBM i Modernization Engine for Lifecycle Integration is vulnerable to multiple vulnerabilities
Summary There are multiple vulnerabilities in components of IBM i Modernization Engine for Lifecycle Integration as described in the Vulnerability Details section. Google Guava and Apache James MIME4J could allow a local authenticated attacker to obtain sensitive information. Pivota Spring...
This Week in Spring - March 25th, 2025
Hi, Spring fans! Welcome to another installment of This Week in Spring! This week, I’m in Portland, OR, then I'm off to Austin, TX for the Arc of AI show, and then I'm off to Amsterdam for Voxxed Days Amsterdam! If you're around, be sure to say hi! There's a ton of cool stuff to look at, so witho...
This Week in Spring – March 18th, 2025
Hi, Spring fans! I just got back from the amazing JavaOne show held in Redwood Shores. It was a fun, uproarious event and a great chance to reconnect with tons of friends, old and new. I love this community! One of the central highlights of this show? Java 24 is here, finally! And, as usual, we'v...
Path Traversal (Arbitrary Read/Write) org.springframework:spring-webmvc Dependency in Jira Service Management Data Center and Server
This High severity org.springframework:spring-webmvc Dependency vulnerability was introduced in version 5.12.0 of Jira Service Management Data Center and Server. This org.springframework:spring-webmvc Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...
This Week in Spring - March 11th, 2025
Hi, Spring fans! Welcome to another installment of This Week in Spring! It's a busy week as always, fresh off the rush that was Devnexus and busily preparing for the fun that is JavaOne! It's going to be epic! Want to learn about dependency injection, auto-configuration, Spring Framework, Spring...
Null Safety in Spring applications with JSpecify and NullAway
The initial introduction of the null safety support in Spring dates back to 2017 and the release of Spring Framework 5.0. In 2025, we are evolving that story to bring more added value for Spring developers, either in Java or Kotlin. But before having a deeper look at the changes we are working on...
Exploit for CVE-2024-38819
CVE-2024-38819: Proof of Concept PoC This is a proof of concept for the CVE-2024-38819 vulnerability, which I reported, demonstrating a path traversal exploit. Execution Steps 1. Build the Docker image Spring Boot 3.3.4, based on Spring Framework 6.1.13 cd vuln docker build -t cve-2024-38819-poc...
Linux Distros Unpatched Vulnerability : CVE-2024-38808
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In Spring Framework versions 5.3.0 - 5.3.38 and older unsupported versions, it is possible for a user to provide a specially crafted Spring Expression Language...
Linux Distros Unpatched Vulnerability : CVE-2013-6429
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which...
Linux Distros Unpatched Vulnerability : CVE-2014-0225
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by...
Security Bulletin: Vulnerability in Spring Framework affects IBM SPSS Collaboration and Deployment Services (CVE-2023-20863)
Summary Vulnerability in Spring Framework affects IBM SPSS Collaboration and Deployment Services CVE-2023-20863 Vulnerability Details CVEID:CVE-2023-20863 DESCRIPTION: In Spring Framework versions prior to 5.2.24 release+, 5.3.27+ and 6.0.8+, it is possible for a user to provide a specially...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a denial of service in Spring Framework [CVE-2024-38809]
Summary IBM Watson Speech Services Cartridge is vulnerable to a denial of service in Spring Framework, caused by improper input validation CVE-2024-38809. Spring Framework is used by our Speech Microservices. This vulnerability has been addressed. Please read the details for remediation below...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a security weakness in Spring Framework [CVE-2024-38820]
Summary IBM Watson Speech Services Cartridge is vulnerable to a security weakness in Spring Framework, caused by a flaw where disallowedFields patterns in DataBinder are matched case insensitively CVE-2024-38820. Spring Framework is used by our Speech Microservices. This vulnerability has been...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a directory traversal in Spring Framework [CVE-2024-38819]
Summary IBM Watson Speech Services Cartridge is vulnerable to a directory traversal in Spring Framework, caused by improper validation of user requests by the functional web frameworks WebMvc.fn or WebFlux.fn CVE-2024-38819. Spring Framework is used by our Speech Microservices. This vulnerability...
Security Bulletin: Vulnerabilities in VMware Tanzu Spring Framework affect watsonx.data
Summary VMware Tanzu Spring Framework is vulnerable to denial of service attacks and this could affect watsonx.data. Vulnerability Details CVEID:CVE-2022-22950 DESCRIPTION: VMware Tanzu Spring Framework is vulnerable to a denial of service, caused by improper input validation. By sending a...
Security Bulletin: Vulnerability in Pivota Spring Framework affects watsonx.data
Summary Pivota Spring Framework could allow a remote attacker to execute arbitrary code on the system. This could affect watsonx.data. Vulnerability Details CVEID:CVE-2016-1000027 DESCRIPTION: Pivota Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by...
Security Bulletin: Multiple vulnerabilities in spring packaged with CMIS affect IBM Business Automation Workflow - CVE-2024-22262, CVE-2024-38809
Summary IBM Business Automation Workflow is vulnerable because it repackages FileNet Content Manager's CMIS interface, which in turn repackages parts of a version of the Spring framework. Vulnerabilities have been reported for Spring. Vulnerability Details CVEID:CVE-2024-22262 DESCRIPTION: VMware Tanzu...
Security Bulletin: spring-web-5.3.30.jar may affect SPSS Collaboration and Deployment Services (CVE-2024-22259)
Summary spring-web-5.3.30.jar may affect SPSS Collaboration and Deployment Services CVE-2024-22259 Vulnerability Details CVEID:CVE-2024-22262 DESCRIPTION: VMware Tanzu Spring Framework could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in...
This Week in Spring - February 4th, 2025
Hi, Spring fans! Welcome to another installment of This Week in Spring! It's February 4th, 2025, as I write this. We are ten days away from Valentine's day, and about a month away from Devnexus. Lots to look forward to, in both the short term and the long term! Let's dive right into this week's...
Security Bulletin: Due to the use of VMware Tanzu Spring Framework, IBM DevOps Build is vulnerable to a remote attacker conducting phishing attacks
Summary IBM DevOps Build 7.0.0.2 addresses CVE-2024-22259 by updating the spring-web jar. Vulnerability Details CVEID:CVE-2024-22259 DESCRIPTION: Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL e.g. through a query parameter AND perform validation...