1124 matches found

Cvelist
added 2024/09/13 6:10 a.m. · 33 views

CVE-2024-38816: Path traversal vulnerability in functional web frameworks

Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application...

CVSS 7.5 · EPSS 0.9389
Exploits: 1 · References: 1
CVE
added 2024/09/13 6:10 a.m. · 444 views

CVE-2024-38816

CVE-2024-38816 affects Spring Framework components that serve static resources via RouterFunctions (WebMvc.fn/WebFlux.fn) and a FileSystemResource location. Exploitation targets path traversal to read files accessible to the app process. According to IBM/VMware sources, the vulnerability is mitig...

CVSS 7.5 · AI score 7.5 · EPSS 0.9389
Exploits: 1 · References: 2
Spring Engineering
added 2024/08/27 12:00 a.m. · 18 views

This Week in Spring - August 27th, 2024 - SpringOne 2024 edition

Hi, Spring fans, from the expo hall of SpringOne at VMware Explore 2024! There's a livestream of some of the key talks - register and watch for free now at SpringOne.io. Right now I'm hanging out at the expo hall manning a booth and doing demos to the hordes of people streaming by, but I'll be...

CVSS 6.3 · AI score 6.8 · EPSS 0.00036
Exploits: 0
vulnersOsv
added 2024/08/20 6:31 a.m. · 4 views

ai.langsa:ccaas-starter (>=0.1 <=cloud-0.3), ai.langsa:pom-ccaas-langsa (=0.1) +1307 more potentially affected by CVE-2024-38810 via org.springframework.security:spring-security-core (>=6.3.0 <=6.3.10)

org.springframework.security:spring-security-core MAVEN version =6.3.0, =0.1, =3.3.0.0, =3.3.0.0, =3.3.0.0, =3.3.0.0, =3.3.0.0, =3.3.0.0, =3.3.0.0, =3.3.2.2 and more. Source CVEs: CVE-2024-38810. Source advisory: OSV:GHSA-HMQF-WPQ9-JQ83...

CVSS 7.5 · AI score 6.5 · EPSS 0.00968
Exploits: 0
OSV
added 2024/08/20 6:31 a.m. · 2 views

GHSA-HMQF-WPQ9-JQ83 Spring Security Missing Authorization vulnerability

Missing Authorization When Using @AuthorizeReturnObject in Spring Security 6.3.0 and 6.3.1 allows an attacker to render security annotations ineffective...

CVSS 6.9 · AI score 5.9 · EPSS 0.00968
Exploits: 0 · References: 3
Github Security Blog
added 2024/08/20 6:31 a.m. · 15 views

Spring Security Missing Authorization vulnerability

Missing Authorization When Using @AuthorizeReturnObject in Spring Security 6.3.0 and 6.3.1 allows an attacker to render security annotations ineffective...

CVSS 7.5 · AI score 6.8 · EPSS 0.00968
Exploits: 0 · References: 3 · Affected Software: 1
OSV
added 2024/08/20 4:15 a.m. · 5 views

CVE-2024-38810

Missing Authorization When Using @AuthorizeReturnObject in Spring Security 6.3.0 and 6.3.1 allows an attacker to render security annotations ineffective...

CVSS 7.5 · AI score 6.7 · EPSS 0.00968
Exploits: 0 · References: 1
NVD
added 2024/08/20 4:15 a.m. · 12 views

CVE-2024-38810

Missing Authorization When Using @AuthorizeReturnObject in Spring Security 6.3.0 and 6.3.1 allows an attacker to render security annotations ineffective...

CVSS 7.5 · EPSS 0.00968
Exploits: 0 · References: 1
Cvelist
added 2024/08/20 3:35 a.m. · 22 views

CVE-2024-38810 Missing Authorization When Using @AuthorizeReturnObject

Missing Authorization When Using @AuthorizeReturnObject in Spring Security 6.3.0 and 6.3.1 allows an attacker to render security annotations ineffective...

CVSS 6.5 · EPSS 0.00968
Exploits: 0 · References: 1
CVE
added 2024/08/20 3:35 a.m. · 73 views

CVE-2024-38810

CVE-2024-38810 affects VMware Tanzu Spring Security; the vulnerability arises from missing authorization when using @AuthorizeReturnObject, enabling an attacker to obtain sensitive information. Connected sources confirm affected components include Spring Security 6.3.0 and 6.3.1, with multiple vendor...

CVSS 7.5 · AI score 6.5 · EPSS 0.00968
Exploits: 0 · References: 1 · Affected Software: 1
Vulnrichment
added 2024/08/20 3:35 a.m. · 12 views

CVE-2024-38810 Missing Authorization When Using @AuthorizeReturnObject

Missing Authorization When Using @AuthorizeReturnObject in Spring Security 6.3.0 and 6.3.1 allows an attacker to render security annotations ineffective...

CVSS 6.5 · AI score 6.9 · EPSS 0.00968
Exploits: 0 · References: 1
CNNVD
added 2024/08/20 12:00 a.m. · 2 views

Spring Security security vulnerability

VMware Spring Security is a set of security frameworks from VMware that provide declarative security for Spring-based applications. A security vulnerability exists in Spring Security versions 6.3.0 and 6.3.1, which stems from a lack of authorization when using @AuthorizeReturnObject, and allows ...

CVSS 7.5 · AI score 6.4 · EPSS 0.00968
Exploits: 0 · References: 3
Positive Technologies
added 2024/08/19 12:00 a.m. · 2 views

PT-2024-28230 · Unknown · Spring Security

Name of the Vulnerable Software and Affected Versions: Spring Security versions 6.3.0 through 6.3.1. Description: The issue is related to missing authorization when using @AuthorizeReturnObject in Spring Security, allowing an attacker to render security annotations ineffective. This potentially...

CVSS 7.5 · AI score 7 · EPSS 0.00968
Exploits: 0 · References: 18
VulnCheck KEV
added 2024/08/14 12:00 a.m. · 0 views

VulnCheck KEV: CVE-2016-4977

When processing authorization requests using the whitelabel views in Spring Security OAuth 2.0.0 to 2.0.9 and 1.0.0 to 1.0.5, the response_type parameter value was executed as Spring SpEL, which enabled a malicious user to trigger remote code execution via the crafting of the value for response_type...

CVSS 8.8 · AI score 6.4 · EPSS 0.93658
Exploits: 1 · References: 1
Spring Engineering
added 2024/08/13 12:00 a.m. · 8 views

This Week in Spring - August 13th, 2024

Hi, Spring fans! Welcome to another installment of This Week in Spring! It's Tuesday and work is well underway to prepare for the huge SpringOne event in Las Vegas in just a few short weeks' time! I'm elated! So, let's get this roundup on the road so I can get back to the preparation frenzy...

AI score 7.3
Exploits: 0
Spring Engineering
added 2024/08/07 12:00 a.m. · 7 views

This Week in Spring - August 6th, 2024

It's August! Egads, has that come quickly! AUGUST. The eighth month of the year, and we're almost done with the first week, in fact! It's not that I'm not grateful to be here, but, yah, wow that was quick. And, of course, the month of my all time double dutch favorite conference, SpringOne,...

AI score 7.1
Exploits: 0
Spring Engineering
added 2024/07/31 12:00 a.m. · 134 views

Spring Tips: Spring Security method security with special guest Rob Winch

Hi, Spring fans! In this installment I have special guest Spring Security lead Rob Winch give us a master class in how the method security support works and some of its new features. Come for the security, stay for the incredible opportunity to look over a senior engineer's shoulders as he explai...

AI score 7.3
Exploits: 0
RedHat Linux
added 2024/07/25 7:26 p.m. · 3 views

spring-security: Broken Access Control With Direct Use of AuthenticatedVoter

A broken access control flaw was found in Spring Security. Applications may be vulnerable when directly using AuthenticatedVoter#vote and passing a NULL authentication parameter...

CVSS 8.2 · AI score 7 · EPSS 0.00394
Exploits: 0 · References: 5
RedHat Linux
added 2024/07/25 7:26 p.m. · 2 views

spring-security: Broken Access Control in Spring Security With Direct Use of isFullyAuthenticated

A vulnerability was found in Spring Security. This issue may lead to Broken Access Control, allowing a malicious user to impact the Confidentiality and Integrity of an application or server. This requires the application to use AuthenticationTrustResolver.isFullyAuthenticated(Authentication) direct...

CVSS 7.4 · AI score 5.7 · EPSS 0.01656
Exploits: 0 · References: 5
Tenable Nessus
added 2024/07/18 12:00 a.m. · 32 views

Oracle MySQL Enterprise Monitor (Jul 2024 CPU)

The versions of MySQL Enterprise Monitor installed on the remote host are affected by multiple vulnerabilities as referenced in the July 2024 CPU advisory. - Vulnerability in the MySQL Enterprise Monitor component Spring Security. A remote unauthenticated attacker could gain unauthorized access t...

CVSS 8.2 · AI score 7.1 · EPSS 0.6439
Exploits: 3 · References: 5