Lucene search

1124 matches found

OSV
added 2021/02/23 5:15 p.m., 2 views

CVE-2021-22113

Applications using the “Sensitive Headers” functionality in Spring Cloud Netflix Zuul 2.2.6.RELEASE and below may be vulnerable to bypassing the “Sensitive Headers” restriction when executing requests with specially constructed URLs. Applications that use Spring Security's StrictHttpFirewall...

CVSS 5.3, AI score 6, EPSS 0.00219
Exploits: 0, References: 1

Prion
added 2021/02/23 5:15 p.m., 17 views

Design/Logic Flaw

Applications using the “Sensitive Headers” functionality in Spring Cloud Netflix Zuul 2.2.6.RELEASE and below may be vulnerable to bypassing the “Sensitive Headers” restriction when executing requests with specially constructed URLs. Applications that use Spring Security's StrictHttpFirewall...

CVSS 4.3, AI score 5.2, EPSS 0.00219
Exploits: 0, References: 1, Affected software: 1

Cvelist
added 2021/02/23 4:04 p.m., 10 views

CVE-2021-22113

Applications using the “Sensitive Headers” functionality in Spring Cloud Netflix Zuul 2.2.6.RELEASE and below may be vulnerable to bypassing the “Sensitive Headers” restriction when executing requests with specially constructed URLs. Applications that use Spring Security's StrictHttpFirewall...

AI score 5.5, EPSS 0.00219
Exploits: 0, References: 1

RedhatCVE
added 2021/02/22 9:18 p.m., 40 views

CVE-2021-22112

A flaw was found in jenkins. Unintentional persisted temporary elevated privileges in some circumstances in a user's session can occur in Spring Security. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability...

CVSS 9, AI score 3.8, EPSS 0.00979
Exploits: 0, References: 4

CNNVD
added 2021/02/19 12:00 a.m., 3 views

VMware Spring Security Permission and Access Control Issues Vulnerability

VMware Spring Security is a suite of security frameworks from VMware that provide declarative security protections for Spring-based applications. A vulnerability exists in VMware Spring Security involving privilege, permission and access control issues. The vulnerability stems from an attacker...

CVSS 9, AI score 7, EPSS 0.00979
Exploits: 0, References: 25

FreeBSD
added 2021/02/19 12:00 a.m., 71 views

jenkins -- Privilege escalation vulnerability in bundled Spring Security library

Jenkins Security Advisory: Description high SECURITY-2195 / CVE-2021-22112 Privilege escalation vulnerability in bundled Spring Security library...

CVSS 9, AI score 2.3, EPSS 0.00979
Exploits: 0, References: 1

Veracode
added 2021/02/15 6:52 a.m., 29 views

Authorization Bypass

spring-cloud-netflix-zuul is vulnerable to authorization bypass. An attacker is able to send a request containing a malicious URL to bypass the “Sensitive Headers” restrictions. Applications using Spring Security's StrictHttpFirewall enabled by default for all URLs are not affected by this...

CVSS 5.3, AI score 2.4, EPSS 0.00219
Exploits: 0, References: 2, Affected software: 1

Tenable Nessus
added 2021/01/28 12:00 a.m., 54 views

Oracle MySQL Enterprise Monitor Multiple Vulnerabilities (Jan 2021 CPU)

MySQL Enterprise Monitor installed on the remote host is 8.0.x prior to 8.0.23. Therefore, it's affected by multiple vulnerabilities as referenced in the January 2021 CPU advisory. - Vulnerability in the MySQL Enterprise Monitor product of Oracle MySQL component: Service Manager Apache Commons...

CVSS 8.7, AI score 6.2, EPSS 0.63828
Exploits: 2, References: 5

IBM Security Bulletins
added 2021/01/12 2:42 p.m., 49 views

Security Bulletin: Multiple Vulnerabilities in IBM Guardium Data Encryption (GDE)

Summary There are multiple vulnerabilities identified in IBM Guardium Data Encryption GDE. These vulnerabilities have been fixed in GDE 4.0.0.4. Please apply the latest version for the fixes. Vulnerability Details CVEID: CVE-2017-7957 DESCRIPTION: XStream is vulnerable to a denial of service,...

CVSS 10, AI score 1.3, EPSS 0.90996
Exploits: 18, Affected software: 1

CNVD
added 2020/11/20 12:00 a.m., 3 views

Unauthorized access and file upload vulnerabilities in Ruoyi's backend management system

Ruoyi is a backend management system built on Spring Boot, Spring Security, JWT, Vue and Element, with separated front end and back end and built-in permission management. It can be used for all kinds of web applications, such as website administration back ends, member centers, CMS, CRM, OA and so on. If there ...

AI score 7.2
Exploits: 0

vulnersOsv
added 2020/09/15 8:30 p.m., 2 views

ai.foremast.metrics:foremast-spring-boot-1x-k8s-metrics-starter (>=0.1.6 <=0.1.7), ai.foremast.metrics:foremast-spring-boot-k8s-metrics-starter (>=0.1.4-SB1X <=0.1.4-SB1X_6) +1217 more potentially affected by CVE-2016-9879 via org.springframework.security:spring-security-core (>=4.0.0.RELEASE <=4.1.3.RELEASE)

org.springframework.security:spring-security-core MAVEN version =4.0.0.RELEASE, =0.1.6, =0.1.4-SB1X, =1.3.1-RELEASE, =0.1, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.6.OSS, =1.0.6.OSS, =1.0.7.OSS, =1.0.8.OSS and more Source cves: CVE-2016-9879 Source advisory: OSV:GHSA-V35C-49J6-Q8HQ...

CVSS 7.5, AI score 7.1, EPSS 0.00322
Exploits: 0

Github Security Blog
added 2020/09/15 8:30 p.m., 55 views

Security Constraint Bypass in Spring Security

Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded "/" to a request, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path...

CVSS 7.5, AI score 0.2, EPSS 0.00322
Exploits: 0, References: 5, Affected software: 1

vulnersOsv
added 2020/09/15 8:30 p.m., 1 view

au.org.consumerdatastandards:client-cli (>=1.1.1 <=1.12.0), cc.kebei:onion-expands-office (>=3.0.3 <=3.0.6) +444 more potentially affected by CVE-2016-9879 via org.springframework.security:spring-security-core (>=4.2.0.RELEASE <=4.2.19.RELEASE)

org.springframework.security:spring-security-core MAVEN version =4.2.0.RELEASE, =1.1.1, =3.0.3, =3.0.3, =3.0.3, =3.0.5, =A.1.1.1, =A.2.0.0, =A.1.1.1, =A.2.0.0, =A.1.1.1, =A.1.1.2, =A.1.1.1, =2.6, =2.6, =2.6, =2.9 and more Source cves: CVE-2016-9879 Source advisory: OSV:GHSA-V35C-49J6-Q8HQ...

CVSS 7.5, AI score 7.1, EPSS 0.00322
Exploits: 0

vulnersOsv
added 2020/09/15 8:30 p.m., 2 views

be.dnsbelgium:rdap-server (>=0.3.3 <=1.0.3), br.net.woodstock.rockframework:rockframework-domain (>=1.2.1 <=3.0.1) +883 more potentially affected by CVE-2016-9879 via org.springframework.security:spring-security-core (>=2.0.0 <=3.2.0.RELEASE)

org.springframework.security:spring-security-core MAVEN version =2.0.0, =0.3.3, =1.2.1, =2.0.0, =1.0.0, =1.0.0, =1.0.0, =1.2.1, =1.2.1, =1.3.6, =1.4.2 - com.daioware.security:security =1.0.0.RELEASE - com.daioware:daioware-picture =1.0.0-RELEASE and more Source cves: CVE-2016-9879 Source advisory...

CVSS 7.5, AI score 7.1, EPSS 0.00322
Exploits: 0

OSV
added 2020/09/15 8:30 p.m., 32 views

GHSA-V35C-49J6-Q8HQ Security Constraint Bypass in Spring Security

Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded "/" to a request, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path...

CVSS 7.5, AI score 7.3, EPSS 0.00322
Exploits: 0, References: 4

Github Security Blog
added 2020/09/15 8:16 p.m., 71 views

Authorization Bypass in Spring Security

When using Spring Security's CAS Proxy ticket authentication a malicious CAS Service could trick another CAS Service into authenticating a proxy ticket that was not associated. This is due to the fact that the proxy ticket authentication uses the information from the HttpServletRequest which is...

CVSS 9.8, AI score 8.3, EPSS 0.00359
Exploits: 0, References: 5, Affected software: 1

vulnersOsv
added 2020/09/15 8:16 p.m., 2 views

at.molindo.social:spring-social-security (=1.1.0.RELEASE), cn.jhc:spring-social-qq (>=0.0.2 <=0.0.5) +496 more potentially affected by CVE-2014-3527 via org.springframework.security:spring-security-core (>=3.2.0.RELEASE <=3.2.4.RELEASE)

org.springframework.security:spring-security-core MAVEN version =3.2.0.RELEASE, =0.0.2, =1.0-RELEASE, =1.0.1, =1.1.2, =1.2.0, =1.2.5 and more Source cves: CVE-2014-3527 Source advisory: OSV:GHSA-WMV4-5W76-VP9G...

CVSS 9.8, AI score 7.2, EPSS 0.00359
Exploits: 0

vulnersOsv
added 2020/09/15 8:16 p.m., 1 view

be.dnsbelgium:rdap-server (>=0.3.3 <=1.0.3), br.net.woodstock.rockframework:rockframework-domain (>=1.2.1 <=3.0.1) +795 more potentially affected by CVE-2014-3527 via org.springframework.security:spring-security-core (>=2.0.0 <=3.1.6.RELEASE)

org.springframework.security:spring-security-core MAVEN version =2.0.0, =0.3.3, =1.2.1, =2.0.0, =1.0.0, =1.0.0, =1.0.0, =1.2.1, =1.2.1, =1.3.6, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.3 and more Source cves: CVE-2014-3527 Source advisory: OSV:GHSA-WMV4-5W76-VP9G...

CVSS 9.8, AI score 7.2, EPSS 0.00359
Exploits: 0

OSV
added 2020/09/15 8:16 p.m., 27 views

GHSA-WMV4-5W76-VP9G Authorization Bypass in Spring Security

When using Spring Security's CAS Proxy ticket authentication a malicious CAS Service could trick another CAS Service into authenticating a proxy ticket that was not associated. This is due to the fact that the proxy ticket authentication uses the information from the HttpServletRequest which is...

CVSS 9.8, AI score 8.2, EPSS 0.00359
Exploits: 0, References: 5

vulnersOsv
added 2020/06/15 7:34 p.m., 2 views

com.erudika:para-jar (=1.31.0), com.erudika:para-server (=1.31.0) +82 more potentially affected by CVE-2020-5408 via org.springframework.security:spring-security-core (=5.1.0.RELEASE)

org.springframework.security:spring-security-core MAVEN version =5.1.0.RELEASE is affected by a known vulnerability. The following packages have a transitive dependency on org.springframework.security:spring-security-core and may be impacted: - com.erudika:para-jar =1.31.0 - com.erudika:para-serv...

CVSS 6.5, AI score 6.7, EPSS 0.00411
Exploits: 0