Tenable Nessus
added 2024/04/28 12:00 a.m., 30 views

RHEL 7 / 8 : OpenShift Container Platform 4.10.56 (RHSA-2023:1655)

The remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:1655 advisory. Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or...

CVSS 9.8, AI score 7.7, EPSS 0.94251
Exploits 45, References 23
Spring Engineering
added 2024/04/26 12:00 a.m., 11 views

A Bootiful Podcast: Daniel Garnier-Moiroux on Passkeys and Spring Security

Hi, Spring fans! In this installment, I talk to my friend and colleague Daniel Garnier-Moiroux about the amazing awesome implications of passkeys in a Spring Security application...

AI score 7.1
Exploits 0
Spring Engineering
added 2024/04/24 12:00 a.m., 10 views

This Week in Spring - Tuesday, April 23rd, 2024

Hi, Spring fans! Welcome to another installment of This Week in Spring! We've had a really busy, wonderful week, as always, so let's dive right into it! We want you! ...to submit a talk to SpringOne 2024, in sunny Las Vegas! Hurry, the CFP closes May 3rd! Spring Shell 3.1.11, 3.2.4, and 3.3.0-m1...

AI score 7.1
Exploits 0
Atlassian
added 2024/04/18 1:10 a.m., 46 views

Improper Authorization org.springframework.security:spring-security-core Dependency in Jira Software Data Center and Server

This High severity org.springframework.security:spring-security-core Dependency vulnerability was introduced in versions 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, 9.6.0, 9.7.0, 9.8.0, 9.9.0, 9.10.0, 9.11.0, 9.12.0, 9.13.0, 9.14.0, and 9.15.0 of Jira Software Data Center and Server. This...

CVSS 8.2, AI score 6.7, EPSS 0.00264
Exploits 0
IBM Security Bulletins
added 2024/04/17 4:37 p.m., 29 views

Security Bulletin: IBM Spectrum Symphony with spring-security-config is vulnerable to Incorrect Permission Assignment for Critical Resource

Summary: IBM Spectrum Symphony with spring-security-config is vulnerable to Incorrect Permission Assignment for Critical Resource. Vulnerability Details: CVEID: CVE-2023-34042. DESCRIPTION: VMware Tanzu Spring Security could allow a local authenticated attacker to bypass security restrictions, caused ...

CVSS 5.5, AI score 4.9, EPSS 0.00043
Exploits 0, Affected Software 1
IBM Security Bulletins
added 2024/04/17 4:35 p.m., 34 views

Security Bulletin: IBM Spectrum Conductor with spring-security-config is vulnerable to Incorrect Permission Assignment for Critical Resource

Summary: IBM Spectrum Conductor with spring-security-config is vulnerable to Incorrect Permission Assignment for Critical Resource. Vulnerability Details: CVEID: CVE-2023-34042. DESCRIPTION: VMware Tanzu Spring Security could allow a local authenticated attacker to bypass security restrictions, caused...

CVSS 5.5, AI score 4.9, EPSS 0.00043
Exploits 0, Affected Software 1
Atlassian
added 2024/04/12 1:11 a.m., 40 views

org.springframework.security:spring-security-core Dependency in Bamboo Data Center and Server

This High severity org.springframework.security:spring-security-core Dependency vulnerability was introduced in versions 8.2.1, 9.0.0, 9.1.0, 9.2.1, 9.3.0, 9.4.0, 9.5.0, and 9.6.0 of Bamboo Data Center and Server. This org.springframework.security:spring-security-core Dependency vulnerability, wi...

CVSS 8.2, AI score 6.7, EPSS 0.00264
Exploits 0
IBM Security Bulletins
added 2024/04/10 9:27 a.m., 40 views

Security Bulletin: QRadar Suite Software includes components with multiple known vulnerabilities

Summary: QRadar Suite Software includes components with known vulnerabilities. These have been updated in the latest release and the vulnerabilities have been addressed. Please follow the instructions in the Remediation/Fixes section below to update to the latest version. Vulnerability Details...

CVSS 10, AI score 9.4, EPSS 0.88334
Exploits 2, Affected Software 1
Atlassian
added 2024/04/09 1:45 a.m., 54 views

Improper Authorization org.springframework.security:spring-security-core Dependency in Crowd Data Center and Server

This High severity org.springframework.security:spring-security-core Dependency vulnerability was introduced in versions 5.0.0, 5.1.0, and 5.2.0 of Crowd Data Center and Server. This org.springframework.security:spring-security-core Dependency vulnerability, with a CVSS Score of 8.2 and a CVSS...

CVSS 8.2, AI score 6.6, EPSS 0.00264
Exploits 0
Veracode
added 2024/03/21 7:09 a.m., 22 views

PKCE Downgrade Attack

spring-security-oauth2-authorization-server is vulnerable to PKCE Downgrade. The vulnerability is due to improper handling of PKCE authorization when a Confidential Client requests an Authorization Code Grant. Note that this vulnerability only applies to Confidential Clients; Public Clients are...

CVSS 6.1, AI score 6.9, EPSS 0.00093
Exploits 0, References 3, Affected Software 1
vulnersOsv
added 2024/03/20 3:32 p.m., 3 views

cn.herodotus.engine:oauth2-authorization-server-autoconfigure (>=3.2.0.0 <=3.2.2.2), cn.herodotus.engine:oauth2-sdk-authentication (>=3.2.0.0 <=3.2.2.2) +9 more potentially affected by CVE-2024-22258 via org.springframework.security:spring-security-oauth2-authorization-server (>=1.2.0 <=1.2.2)

org.springframework.security:spring-security-oauth2-authorization-server MAVEN version =1.2.0, =3.2.0.0, =3.2.0.0, =3.2.0.0, =3.2.0.0, =3.0.0, =3.0.0, =2.0.0, =1.5.0, =2.0.0, =1.0.0-beta2, =3.2.0, =3.2.3 Source cves: CVE-2024-22258 Source advisory: OSV:GHSA-X637-X8P3-5P22...

CVSS 6.1, AI score 6.3, EPSS 0.00093
Exploits 0
vulnersOsv
added 2024/03/20 3:32 p.m., 3 views

cn.com.tltim.pigx:pigx-common-security (=5.0.0-20240820), cn.com.tltim.pigx:pigx-common-websocket (=5.0.0-20240820) +46 more potentially affected by CVE-2024-22258 via org.springframework.security:spring-security-oauth2-authorization-server (>=0.2.0 <=1.1.5)

org.springframework.security:spring-security-oauth2-authorization-server MAVEN version =0.2.0, =0.0.1-alpha.1, =3.1.5.2, =2.7.7.3, =2.7.7.4, =2.7.0.0, =2.7.0.0, =2.7.1.2, =2.7.0.0, =3.0.6.4, =2023.0.0.2-alpha.1, =2023.0.0.2-alpha.2 - com.github.paganini2008.doodler:doodler-common-oauth =1.0.0-bet...

CVSS 6.1, AI score 6.3, EPSS 0.00093
Exploits 0
Spring Engineering
added 2024/03/19 12:00 a.m., 17 views

This Week in Spring - March 19th, 2024

Hi, Spring fans! And happy Java 22 release day to those who celebrate! I just put out a huge blog detailing many of the exciting new features in Java 22. Check it out! As usual, we've got a packed roundup to get through this week so let's dive right into it! the Spring Authorization Server 1.3.0-...

AI score 6.8
Exploits 0
Spring Engineering
added 2024/03/19 12:00 a.m., 25 views

Token Exchange support in Spring Security 6.3.0-M3

I'm excited to share that there will be support for the OAuth 2.0 Token Exchange Grant RFC 8693 in Spring Security 6.3, which is available for preview now in the latest milestone 6.3.0-M3. This support provides the ability to use Token Exchange with OAuth2 Client. Similarly, server-side suppo...

AI score 6.7
Exploits 0
RedhatCVE
added 2024/03/18 5:56 p.m., 184 views

CVE-2024-22257

A broken access control flaw was found in Spring Security. Applications may be vulnerable when directly using the AuthenticatedVoter#vote passing a NULL authentication parameter. Mitigation: Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to...

CVSS 9.8, AI score 8.2, EPSS 0.00264
Exploits 0, References 4
vulnersOsv
added 2024/03/18 3:30 p.m., 4 views

cn.sparrowmini:sparrow-org-service (=0.0.1), cn.sparrowmini:sparrow-pem-service (=0.0.1) +435 more potentially affected by CVE-2024-22257 via org.springframework.security:spring-security-core (>=5.8.0 <=5.8.10)

org.springframework.security:spring-security-core MAVEN version =5.8.0, =1.48.0, =1.48.0, =1.48.0, =2.4.0, =2.4.0, =2.4.0, =3.7.0, =3.7.0, =3.7.0, =3.7.0, =1.3.1, =1.3.2 - com.gitlab.summer-cattle:cattle-addons-wechat-starter =0.0.5 - com.gitlab.summer-cattle:cattle-commons-web-mvc =0.0.6 and mor...

CVSS 8.2, AI score 7.1, EPSS 0.00264
Exploits 0
vulnersOsv
added 2024/03/18 3:30 p.m., 0 views

africa.absa:inception-api (>=1.0.0 <=1.2.0), africa.absa:inception-codes-api (>=1.0.0 <=1.2.0) +9246 more potentially affected by CVE-2024-22257 via org.springframework.security:spring-security-core (>=2.0.0 <=5.7.11)

org.springframework.security:spring-security-core MAVEN version =2.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =4.4.0.0, =0.1.8, =0.1.6, =0.1.7 and more Source cves: CVE-2024-22257 Source advisory: OSV:GHSA-F3JH-QVM4-MG39...

CVSS 8.2, AI score 7.1, EPSS 0.00264
Exploits 0
Github Security Blog
added 2024/03/18 3:30 p.m., 68 views

Erroneous authentication pass in Spring Security

In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, versions 6.2.x prior to 6.2.3, an application is possibly vulnerable to broken access control when it directly uses the AuthenticatedVoter#vote passing a null...

CVSS 8.2, AI score 8.3, EPSS 0.00264
Exploits 0, References 5, Affected Software 1
vulnersOsv
added 2024/03/18 3:30 p.m., 2 views

be.jidoka:jdk-keycloak-admin (>=2.0.0 <=2.2.0), be.personify.iam:personify-frontend (>=1.5.1.RELEASE <=1.5.2.RELEASE) +1605 more potentially affected by CVE-2024-22257 via org.springframework.security:spring-security-core (>=6.0.0 <=6.1.7)

org.springframework.security:spring-security-core MAVEN version =6.0.0, =2.0.0, =1.5.1.RELEASE, =1.1.0, =1.1.0, =1.1.4.2, =1.1.5 - cc.vihackerframework:vihacker-auth-starter =1.0.8.R - cc.vihackerframework:vihacker-common-starter =1.0.8.R - cc.vihackerframework:vihacker-log-starter =1.0.8.R -...

CVSS 8.2, AI score 7.1, EPSS 0.00264
Exploits 0
OSV
added 2024/03/18 3:30 p.m., 1 view

GHSA-F3JH-QVM4-MG39 Erroneous authentication pass in Spring Security

In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, versions 6.2.x prior to 6.2.3, an application is possibly vulnerable to broken access control when it directly uses the AuthenticatedVoter#vote passing a null...

CVSS 8.2, AI score 6.8, EPSS 0.00264
Exploits 0, References 5