Lucene search

1124 matches found

Spring Engineering
added 2023/11/30 12:0 a.m., 13 views

A Bootiful Podcast: Spring Security legend Laura Spilca joins us to talk Spring Authorization Server and upgrading to Spring Boot 3

Hi, Spring fans! This week, my first as an employee of Broadcom, I am joined by Spring Security community legend Laura Spilca and we talk about all things security, OAuth, and more...

AI score: 7.2
Exploits: 0
IBM Security Bulletins
added 2023/11/29 1:25 a.m., 24 views

Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in VMware Tanzu Spring Security

Summary: Multiple vulnerabilities in VMware Tanzu Spring Security used by IBM InfoSphere Information Server were addressed. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details: CVEID: CVE-2023-34034. DESCRIPTION: VMware Tanzu Spring Security could allow a...

CVSS: 9.8, AI score: 7.4, EPSS: 0.4929
Exploits: 2, Affected Software: 1
Spring Engineering
added 2023/11/21 12:0 a.m., 7 views

This Week in Spring - Spring Boot 3.2 edition - November 21st, 2023

Hi, Spring fans! Welcome to another epic installment of This Week in Spring! As amazing as the week's already been, it's all leading up to this Thursday - Thanksgiving day! - when we release Spring Boot 3.2! and yes, I am very grateful. This release is stuffed to the gills with a ton of new...

AI score: 7.2
Exploits: 0
RedHat Linux
added 2023/11/15 5:7 p.m., 2 views

spring-security-webflux: path wildcard leads to security bypass

A flaw was found in Spring Security's WebFlux framework pattern matching, where it does not properly evaluate certain patterns. A server using path-based pattern matching in WebFlux could allow an attacker to bypass security settings for some request paths, potentially leading to information...

CVSS: 9.8, AI score: 7.1, EPSS: 0.4929
Exploits: 1, References: 5
OSV
added 2023/10/17 1:23 p.m., 27 views

GHSA-V9HX-V6VF-G36J WebAuthn4J Spring Security Improper signature counter value handling

Improper signature counter value handling. Impact: A flaw was found in webauthn4j-spring-security-core. When an authenticator returns an incremented signature counter value during authentication, webauthn4j-spring-security-core does not properly persist the value, which means cloned authenticator...

CVSS: 4.8, AI score: 4.6, EPSS: 0.00402
Exploits: 0, References: 5
Github Security Blog
added 2023/10/17 1:23 p.m., 36 views

WebAuthn4J Spring Security Improper signature counter value handling

Improper signature counter value handling. Impact: A flaw was found in webauthn4j-spring-security-core. When an authenticator returns an incremented signature counter value during authentication, webauthn4j-spring-security-core does not properly persist the value, which means cloned authenticator...

CVSS: 5.3, AI score: 6.8, EPSS: 0.00402
Exploits: 0, References: 5, Affected Software: 1
NVD
added 2023/10/16 7:15 p.m., 10 views

CVE-2023-45669

WebAuthn4J Spring Security provides Web Authentication specification support for Spring applications. Affected versions are subject to improper signature counter value handling. A flaw was found in webauthn4j-spring-security-core. When an authenticator returns an incremented signature counter val...

CVSS: 5.3, AI score: 5, EPSS: 0.00402
Exploits: 0, References: 3
Prion
added 2023/10/16 7:15 p.m., 16 views

Design/Logic Flaw

WebAuthn4J Spring Security provides Web Authentication specification support for Spring applications. Affected versions are subject to improper signature counter value handling. A flaw was found in webauthn4j-spring-security-core. When an authenticator returns an incremented signature counter val...

CVSS: 5, AI score: 5.1, EPSS: 0.00402
Exploits: 0, References: 3, Affected Software: 1
Cvelist
added 2023/10/16 6:20 p.m., 13 views

CVE-2023-45669 Improper signature counter value handling in webauthn4j-spring-security

WebAuthn4J Spring Security provides Web Authentication specification support for Spring applications. Affected versions are subject to improper signature counter value handling. A flaw was found in webauthn4j-spring-security-core. When an authenticator returns an incremented signature counter val...

CVSS: 4.8, AI score: 5.4, EPSS: 0.00402
Exploits: 0, References: 3
OSV
added 2023/10/16 6:20 p.m., 17 views

CVE-2023-45669 Improper signature counter value handling in webauthn4j-spring-security

WebAuthn4J Spring Security provides Web Authentication specification support for Spring applications. Affected versions are subject to improper signature counter value handling. A flaw was found in webauthn4j-spring-security-core. When an authenticator returns an incremented signature counter val...

CVSS: 4.8, AI score: 4.7, EPSS: 0.00402
Exploits: 0, References: 5
CVE
added 2023/10/16 6:20 p.m., 64 views

CVE-2023-45669

CVE-2023-45669 affects WebAuthn4J Spring Security via the webauthn4j-spring-security-core component. The bug arises from improper persistence of an incremented signature counter returned by the authenticator, causing cloned authenticators to evade detection. Reported impact: an attacker could abu...

CVSS: 5.3, AI score: 5, EPSS: 0.00402
Exploits: 0, References: 3, Affected Software: 1
Vulnrichment
added 2023/10/16 6:20 p.m., 10 views

CVE-2023-45669 Improper signature counter value handling in webauthn4j-spring-security

WebAuthn4J Spring Security provides Web Authentication specification support for Spring applications. Affected versions are subject to improper signature counter value handling. A flaw was found in webauthn4j-spring-security-core. When an authenticator returns an incremented signature counter val...

CVSS: 4.8, AI score: 6.6, EPSS: 0.00402
Exploits: 0, References: 3
Positive Technologies
added 2023/10/16 12:0 a.m., 4 views

PT-2023-29638 · Unknown · Webauthn4J Spring Security

Name of the Vulnerable Software and Affected Versions: WebAuthn4J Spring Security versions prior to 0.9.1.RELEASE. Description: A flaw was found in webauthn4j-spring-security-core, where improper signature counter value handling occurs. When an authenticator returns an incremented signature counte...

CVSS: 5.3, AI score: 4.7, EPSS: 0.00402
Exploits: 0, References: 11
IBM Security Bulletins
added 2023/10/11 9:28 a.m., 43 views

Security Bulletin: Vulnerability in Spring Security affects IBM Process Mining. Multiple CVEs

Summary: There is a vulnerability in Spring Security that could allow a remote attacker to cause an authorization rule misconfiguration issue. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability. Vulnerability Details...

CVSS: 9.8, AI score: 7.1, EPSS: 0.4929
Exploits: 2, Affected Software: 1
RedhatCVE
added 2023/10/02 7:55 p.m., 60 views

CVE-2023-34034

A flaw was found in Spring Security's WebFlux framework pattern matching, where it does not properly evaluate certain patterns. A server using path-based pattern matching in WebFlux could allow an attacker to bypass security settings for some request paths, potentially leading to information...

CVSS: 8.1, AI score: 9.1, EPSS: 0.4929
Exploits: 1, References: 4
IBM Security Bulletins
added 2023/09/26 6:30 p.m., 41 views

Security Bulletin: VMware Tanzu Spring Security is vulnerable to CVE-2023-34034 and CVE-2023-34035 used in IBM Maximo Application Suite - Monitor Component

Summary: IBM Maximo Application Suite - Monitor Component uses VMware Tanzu Spring Security which is vulnerable to CVE-2023-34034 and CVE-2023-34035. The vulnerabilities in the product component have been addressed. Vulnerability Details: CVEID: CVE-2023-34034. DESCRIPTION: VMware Tanzu Spring Securi...

CVSS: 9.8, AI score: 7.7, EPSS: 0.4929
Exploits: 2, Affected Software: 1
Positive Technologies
added 2023/09/18 12:0 a.m., 3 views

PT-2023-24653 · Spring · Spring Security

Name of the Vulnerable Software and Affected Versions: Spring Security versions prior to 5.8.7; Spring Security versions prior to 6.0.7; Spring Security versions prior to 6.1.4; Spring Security versions prior to 6.2.0-M1. Description: The spring-security.xsd file inside the spring-security-config jar...

CVSS: 5.5, AI score: 8.9, EPSS: 0.00043
Exploits: 0, References: 11
IBM Security Bulletins
added 2023/09/15 8:18 a.m., 21 views

Security Bulletin: IBM Operational Decision Manager August 2023 - Multiple CVEs addressed

Summary: IBM Operational Decision Manager is vulnerable to multiple remote code execution and denial of service attacks in third party and open source used in the product for various functions. See full list below. The vulnerabilities have been addressed. Vulnerability Details: CVEID: CVE-2022-2047...

CVSS: 9.8, AI score: 9.2, EPSS: 0.4929
Exploits: 8, Affected Software: 1
vulnersOsv
added 2023/09/08 12:19 p.m., 2 views

ch.admin.bit.jeap:jeap-spring-boot-security-starter-it (>=17.16.0 <=17.24.1), ch.mobi.mobitor:mobitor-plugins-test (>=3.1.171 <=3.1.480) +50 more potentially affected by CVE-2023-41329 via com.github.tomakehurst:wiremock-jre8-standalone (>=2.23.2 <=2.35.0)

com.github.tomakehurst:wiremock-jre8-standalone MAVEN version =2.23.2, =17.16.0, =3.1.171, =1.0.7, =1.13.3, =1.0.0, =2.4.4, =6.7.7, =8.1.0, =6.7.7, =9.0.1, =8.5.0, =9.1.18 - de.muenchen.oss.digiwf:digiwf-coverage =1.3.0 and more Source cves: CVE-2023-41329 Source advisory: OSV:GHSA-PMXQ-PJ47-J8J4...

CVSS: 6.6, AI score: 6.6, EPSS: 0.00493
Exploits: 0
Spring Engineering
added 2023/09/07 12:0 a.m., 7 views

A Bootiful Podcast: Spring Security lead Rob Winch

Hi, Spring fans! Welcome to another installment of a Bootiful Podcast. In this interview, Josh Long @starbuxman talks to Spring Security legend and lead Rob Winch @robwinch, recorded live from SpringOne 2023!...

AI score: 6.8
Exploits: 0