
1124 matches found

IBM Security Bulletins
added 2023/05/31 8:20 p.m., 32 views

Security Bulletin: VMware Tanzu Spring Security is vulnerable to CVE-2022-31692 used in IBM Maximo Application Suite

Summary: IBM Maximo Application Suite VMware Tanzu Spring Security is vulnerable to CVE-2022-31692. Vulnerability Details: CVEID: CVE-2022-31692. DESCRIPTION: VMware Tanzu Spring Security could allow a remote attacker to bypass security restrictions, caused by a flaw when using forward or include...

CVSS 9.8, AI score 9.3, EPSS 0.07387
Exploits: 3, Affected software: 1
Spring Engineering
added 2023/05/30 12:00 a.m., 18 views

This Week in Spring - May 30th, 2023

Hi, Spring fans! Welcome to another installment of This Week in Spring! This installment I write on the day of my daughter's High School graduation, an auspicious day indeed! There's a lot to get through this week, though, and I have a graduation to get to, so let's dive right in! Spring...

AI score 6.8
Exploits: 0
Spring Engineering
added 2023/05/24 12:00 a.m., 44 views

Spring Authorization Server is on Spring Initializr!

Today, I'm excited to announce that you have a new superpower: creating applications with Spring Authorization Server on Spring Initializr! That's right, it's time to begin your OAuth2 journey and become the hero you always knew you could be! In this post, I'll explain how you can get the most fr...

AI score 6.7
Exploits: 0
IBM Security Bulletins
added 2023/05/17 7:47 p.m., 39 views

Security Bulletin: IBM InfoSphere Information Server is affected but not classified as vulnerable to multiple vulnerabilities in Spring Security

Summary: Multiple vulnerabilities in Spring Security used by InfoSphere Information Server were addressed. Vulnerability Details: CVEID: CVE-2022-22976. DESCRIPTION: Spring Security could provide weaker than expected security, caused by an integer overflow vulnerability which results in a lack of sal...

CVSS 9.8, AI score 7.9, EPSS 0.90224
Exploits: 9, Affected software: 1
F5 Networks
added 2023/05/08 7:57 a.m., 35 views

K000134500: Spring Framework vulnerability CVE-2023-20860

Security Advisory Description: Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass...

CVSS 7.5, AI score 6.7, EPSS 0.56284
Exploits: 1
IBM Security Bulletins
added 2023/05/05 3:10 p.m., 47 views

Security Bulletin: Vulnerability in Spring Security affects IBM Process Mining. CVE-2022-31690

Summary: There is a vulnerability in Spring Security that could allow a remote attacker to gain elevated privileges on the system. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability. Vulnerability Details: CVEID: CVE-2022-31690...

CVSS 8.1, AI score 8.8, EPSS 0.00313
Exploits: 0, Affected software: 1
IBM Security Bulletins
added 2023/05/05 2:47 p.m., 30 views

Security Bulletin: Vulnerability in Spring Security affects IBM Process Mining. CVE-2022-31692

Summary: There is a vulnerability in Spring Security that could allow a remote attacker to bypass security restrictions. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability. Vulnerability Details: CVEID: CVE-2022-31692. DESCRIPTION...

CVSS 9.8, AI score 9.2, EPSS 0.07387
Exploits: 3, Affected software: 1
Spring Engineering
added 2023/05/02 12:00 a.m., 8 views

This Week in Spring - May 2, 2023

Hi, Spring fans! Welcome to another installment of This Week in Spring! You realize it's already May, 2023? Time's flying, way too quickly! I just got back from Bangalore, India, where I spoke at the amazing Great International Developer Summit, one of the all time best shows ever, and now I'm...

AI score 6.8
Exploits: 0
VulnCheck KEV
added 2023/05/02 12:00 a.m., 0 views

VulnCheck KEV: CVE-2021-31602

An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. The Security Model has different layers of Access Control. One of these layers is the applicationContext security, which is defined in the applicationContext-spring-security.xml...

CVSS 7.5, AI score 7.2, EPSS 0.912
Exploits: 5, References: 1
RedHat Linux
added 2023/04/27 12:48 a.m., 62 views

Important: Red Hat Security Advisory: Migration Toolkit for Applications security and bug fix update

Migration Toolkit for Applications 6.1.0 release. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the...

CVSS 9.8, AI score 6.8, EPSS 0.02686
Exploits: 6, References: 67
Veracode
added 2023/04/21 2:20 a.m., 96 views

Improper Logout Implementation

spring-security-web is vulnerable to Improper Logout Implementation. The vulnerability exists in the SwitchUserFilter.java because it does not properly clean the security context if using serialized versions, which allows an attacker to stay authenticated even after they perform a logout...

CVSS 6.3, AI score 8.7, EPSS 0.00461
Exploits: 0, References: 6, Affected software: 1
vulnersOsv
added 2023/04/19 9:30 p.m., 2 views

au.csiro.pathling:fhir-server (>=5.3.1 <=6.4.2), au.org.consumerdatastandards:data-holder (>=2.3.0 <=2.4.1) +2589 more potentially affected by CVE-2023-20862 via org.springframework.security:spring-security-core (>=5.7.0 <=5.7.7)

org.springframework.security:spring-security-core MAVEN version =5.7.0, =5.3.1, =2.3.0, =6.4.0, =6.6.2 - cc.chensoul.nacos:core-test =2.5.2 - cc.chensoul.nacos:nacos-address =2.5.2 - cc.chensoul.nacos:nacos-cmdb =2.5.2 - cc.chensoul.nacos:nacos-config =2.5.2 - cc.chensoul.nacos:nacos-console =2.5...

CVSS 6.3, AI score 6.7, EPSS 0.00461
Exploits: 0
OSV
added 2023/04/19 9:30 p.m., 0 views

GHSA-X873-6RGC-94JC Spring Security logout not clearing security context

In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the...

CVSS 6.3, AI score 6.8, EPSS 0.00461
Exploits: 0, References: 4
vulnersOsv
added 2023/04/19 9:30 p.m., 3 views

be.jidoka:jdk-keycloak-admin (=2.0.0), br.com.devires.framework.boot:devires-framework-boot-audit (=1.1.0) +810 more potentially affected by CVE-2023-20862 via org.springframework.security:spring-security-core (>=6.0.0 <=6.0.2)

org.springframework.security:spring-security-core MAVEN version =6.0.0, =1.1.0, =1.1.0, =0.12.0, =0.12.0, =0.12.0, =0.13.0, =3.0.1.0, =3.0.1.0, =3.0.4.2 and more. Source cves: CVE-2023-20862. Source advisory: OSV:GHSA-X873-6RGC-94JC...

CVSS 6.3, AI score 6.7, EPSS 0.00461
Exploits: 0
Github Security Blog
added 2023/04/19 9:30 p.m., 90 views

Spring Security logout not clearing security context

In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the...

CVSS 6.3, AI score 6.7, EPSS 0.00461
Exploits: 0, References: 4, Affected software: 1
NVD
added 2023/04/19 8:15 p.m., 16 views

CVE-2023-20862

In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the...

CVSS 6.3, AI score 6.6, EPSS 0.00461
Exploits: 0, References: 2
OSV
added 2023/04/19 8:15 p.m., 33 views

CVE-2023-20862

In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the...

CVSS 6.3, AI score 6.4, EPSS 0.00461
Exploits: 0, References: 2
Prion
added 2023/04/19 8:15 p.m., 30 views

Design/Logic Flaw

In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the...

CVSS 6.5, AI score 6.2, EPSS 0.00461
Exploits: 0, References: 2, Affected software: 1
Vulnrichment
added 2023/04/19 12:00 a.m., 11 views

CVE-2023-20862

In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the...

AI score 6.2, EPSS 0.00461
Exploits: 0, References: 2
CVE
added 2023/04/19 12:00 a.m., 202 views

CVE-2023-20862

In CVE-2023-20862, the Spring Security logout flow fails to properly clean the security context when serialized contexts are used, and saving an empty security context to HttpSessionSecurityContextRepository is blocked. Affected versions are Spring Security 5.7.x prior to 5.7.8, 5.8.x prior to 5....

CVSS 6.3, AI score 6.6, EPSS 0.00461
Exploits: 0, References: 2, Affected software: 1