Lucene search

1124 matches found

vulnersOsv
added 2018/10/18 6:5 p.m., 2 views

org.cloudfoundry:cf-gradle-plugin (>=1.0.1 <=1.0.3), org.cloudfoundry:cf-maven-plugin (>=1.0.1 <=1.0.3) +5 more potentially affected by CVE-2018-1260 via org.springframework.security.oauth:spring-security-oauth2 (>=1.0.0.RELEASE <=1.0.2.RELEASE)

org.springframework.security.oauth:spring-security-oauth2 MAVEN version =1.0.0.RELEASE, =1.0.1, =1.0.1, =1.0.1, =0.9.0, =0.9.0, =0.9.0, =0.9.0, =1.0.22 Source cves: CVE-2018-1260 Source advisory: OSV:GHSA-RRPM-PJ7P-7J9Q...

CVSS 9.8, AI score 7.2, EPSS 0.52285
Exploits: 2

vulnersOsv
added 2018/10/18 6:5 p.m., 3 views

au.org.consumerdatastandards:client-cli (>=1.1.1 <=2.4.1), fm.pattern:tokamak-authorization (=1.0.1) +17 more potentially affected by CVE-2018-1260 via org.springframework.security.oauth:spring-security-oauth2 (>=2.1.0.RELEASE <=2.1.1.RELEASE)

org.springframework.security.oauth:spring-security-oauth2 MAVEN version =2.1.0.RELEASE, =1.1.1, =1.2.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.9.0, =1.9.0, =1.3.0, =1.3.0, =1.3.4 and more Source cves: CVE-2018-1260 Source advisory: OSV:GHSA-RRPM-PJ7P-7J9Q https://vulners.c...

CVSS 9.8, AI score 7.2, EPSS 0.52285
Exploits: 2

vulnersOsv
added 2018/10/18 4:56 p.m., 1 views

org.apache.cxf.fediz.examples:jaxrsSpringSecurityWebapp (>=1.3.0 <=1.4.3), org.apache.cxf.fediz.examples:springPreauthWebapp (>=1.1.0 <=1.4.3) +6 more potentially affected by CVE-2018-8038 via org.apache.cxf.fediz:fediz-spring (>=1.1.0 <=1.4.3)

org.apache.cxf.fediz:fediz-spring MAVEN version =1.1.0, =1.3.0, =1.1.0, =1.1.0, =1.2.0, =1.2.0, =1.1.0, =1.1.0, =1.1.0, =1.4.3 Source cves: CVE-2018-8038 Source advisory: OSV:GHSA-W3GH-G32M-CVHR...

CVSS 7.5, AI score 7, EPSS 0.50435
Exploits: 0

vulnersOsv
added 2018/10/17 8:30 p.m., 4 views

ai.foremast.metrics:foremast-spring-boot-1x-k8s-metrics-starter (>=0.1.6 <=0.1.7), ai.foremast.metrics:foremast-spring-boot-k8s-metrics-starter (>=0.1.4-SB1X <=0.1.4-SB1X_6) +2039 more potentially affected by CVE-2016-5007 via org.springframework.security:spring-security-core (>=2.0.0 <=4.1.0.RELEASE)

org.springframework.security:spring-security-core MAVEN version =2.0.0, =0.1.6, =0.1.4-SB1X, =1.1.0.RELEASE, =1.3.1-RELEASE, =0.3.3, =1.2.1, =2.0.0, =1.0.0, =1.0.0, =0.0.2, =0.4.0, =0.3.0, =0.7.0 - com.17jee:e-cloud-authorize =3.0.0.RELEASE and more Source cves: CVE-2016-5007 Source advisory:...

CVSS 7.5, AI score 7.1, EPSS 0.00155
Exploits: 0

Github Security Blog
added 2018/10/17 8:30 p.m., 31 views

Spring Security and Spring Framework may not recognize certain paths that should be protected

Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x as well as other unsupported versions rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms,...

CVSS 7.5, AI score 3.4, EPSS 0.00155
Exploits: 0, References: 9, Affected Software: 2

OSV
added 2018/10/17 8:30 p.m., 28 views

GHSA-8CRV-49FR-2H6J Spring Security and Spring Framework may not recognize certain paths that should be protected

Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x as well as other unsupported versions rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms,...

CVSS 7.5, AI score 7.5, EPSS 0.00155
Exploits: 0, References: 9

OSV
added 2018/10/17 8:5 p.m., 31 views

GHSA-CXRJ-66C5-9FMH Spring Framework when used in combination with any versions of Spring Security contains an authorization bypass

Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted...

CVSS 8.8, AI score 9.1, EPSS 0.00265
Exploits: 0, References: 20

Github Security Blog
added 2018/10/17 8:5 p.m., 70 views

Spring Framework when used in combination with any versions of Spring Security contains an authorization bypass

Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted...

CVSS 8.8, AI score 3.6, EPSS 0.00265
Exploits: 0, References: 19, Affected Software: 1

vulnersOsv
added 2018/10/17 8:1 p.m., 5 views

am.ik.home:uaa-client (>=1.0.0 <=1.2.0), am.ik.home:uaa-integration-test (>=1.0.0 <=1.2.0) +690 more potentially affected by CVE-2018-1199 via org.springframework.security:spring-security-core (>=4.1.0.RELEASE <=4.1.4.RELEASE)

org.springframework.security:spring-security-core MAVEN version =4.1.0.RELEASE, =1.0.0, =1.0.0, =1.0.0, =0.1, =1.0.0, =1.0.6.OSS, =1.0.6.OSS, =1.0.7.OSS, =1.0.7.OSS, =3.0.1.3, =3.0.0, =3.0.1.2, =3.0.1.11 and more Source cves: CVE-2018-1199 Source advisory: OSV:GHSA-V596-FWHQ-8X48...

CVSS 5.3, AI score 6.7, EPSS 0.00846
Exploits: 0

Github Security Blog
added 2018/10/17 8:1 p.m., 42 views

Improper Input Validation in org.springframework.security:spring-security-core, org.springframework.security:spring-security-core, and org.springframework:spring-core

Spring Security Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3 does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an...

CVSS 5.3, AI score 1.6, EPSS 0.00846
Exploits: 0, References: 14, Affected Software: 2

vulnersOsv
added 2018/10/17 8:1 p.m., 1 views

am.ik.home:uaa-client (>=1.3.0 <=1.9.0), am.ik.home:uaa-integration-test (>=1.3.0 <=1.9.0) +1653 more potentially affected by CVE-2018-1199 via org.springframework.security:spring-security-core (>=4.2.0.RELEASE <=4.2.3.RELEASE)

org.springframework.security:spring-security-core MAVEN version =4.2.0.RELEASE, =1.3.0, =1.3.0, =1.3.0, =1.1.1, =1.12.0 and more Source cves: CVE-2018-1199 Source advisory: OSV:GHSA-V596-FWHQ-8X48...

CVSS 5.3, AI score 6.7, EPSS 0.00846
Exploits: 0

vulnersOsv
added 2018/10/17 8:1 p.m., 4 views

ch.rasc:wamp2spring-security (=1.0.0), com.github.henkexbg:gallery-api (=0.3.0) +58 more potentially affected by CVE-2018-1199 via org.springframework.security:spring-security-core (=5.0.0.RELEASE)

org.springframework.security:spring-security-core MAVEN version =5.0.0.RELEASE is affected by a known vulnerability. The following packages have a transitive dependency on org.springframework.security:spring-security-core and may be impacted: - ch.rasc:wamp2spring-security =1.0.0 -...

CVSS 5.3, AI score 6.7, EPSS 0.00846
Exploits: 0

OSV
added 2018/10/17 8:1 p.m., 40 views

GHSA-V596-FWHQ-8X48 Improper Input Validation in org.springframework.security:spring-security-core, org.springframework.security:spring-security-core, and org.springframework:spring-core

Spring Security Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3 does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an...

CVSS 5.3, AI score 5.3, EPSS 0.00846
Exploits: 0, References: 14

RedHat Linux
added 2018/10/17 7:28 p.m., 1 views

spring-security-oauth: remote code execution in the authorization process

Spring Security OAuth, versions 2.3 prior to 2.3.3, 2.2 prior to 2.2.2, 2.1 prior to 2.1.2, 2.0 prior to 2.0.15 and older unsupported versions contains a remote code execution vulnerability. A malicious user or attacker can craft an authorization request to the authorization endpoint that can lea...

CVSS 9.8, AI score 8, EPSS 0.52285
Exploits: 2, References: 4

vulnersOsv
added 2018/10/16 11:12 p.m., 3 views

org.apache.camel:camel-atmosphere-websocket (=2.16.0), org.apache.camel:camel-example-cxf-tomcat (=2.16.0) +8 more potentially affected by CVE-2015-5348 via org.apache.camel:camel-servlet (=2.16.0)

org.apache.camel:camel-servlet MAVEN version =2.16.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.apache.camel:camel-servlet and may be impacted: - org.apache.camel:camel-atmosphere-websocket =2.16.0 - org.apache.camel:camel-example-cxf-tomcat...

CVSS 8.1, AI score 7.2, EPSS 0.06832
Exploits: 0

IBM Security Bulletins
added 2018/09/25 1:15 p.m., 27 views

Security Bulletin: Remote code execution vulnerability (CVE-2018-1260) affects IBM Spectrum Symphony 7.2.0.2 and 7.2.1

Summary Interim fixes are needed to upgrade the Spring Security OAuth package in IBM Spectrum Symphony 7.2.0.2 and 7.2.1 to resolve the remote code execution vulnerability CVE-2018-1260. Vulnerability Details CVEID: CVE-2018-1260 DESCRIPTION: Pivotal Spring Security OAuth could allow a remote...

CVSS 9.8, AI score 1.7, EPSS 0.52285
Exploits: 2, Affected Software: 1

RedHat Linux
added 2018/08/14 7:51 p.m., 0 views

spring-framework: Improper URL path validation allows for bypassing of security checks on static resources

Spring Security Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3 does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an...

CVSS 5.3, AI score 5.7, EPSS 0.00846
Exploits: 0, References: 5

Veracode
added 2018/06/29 9:38 a.m., 8 views

Information Leakage

spring-security-oauth2-jose is vulnerable to information leakage. It reveals class information via the exception message when a plain unsigned JWT signature is submitted...

AI score 6.4
Exploits: 0

RedHat Linux
added 2018/06/07 8:25 a.m., 0 views

spring-security-oauth: remote code execution in the authorization process

Spring Security OAuth, versions 2.3 prior to 2.3.3, 2.2 prior to 2.2.2, 2.1 prior to 2.1.2, 2.0 prior to 2.0.15 and older unsupported versions contains a remote code execution vulnerability. A malicious user or attacker can craft an authorization request to the authorization endpoint that can lea...

CVSS 9.8, AI score 8, EPSS 0.52285
Exploits: 2, References: 4

RedhatCVE
added 2018/05/30 7:19 p.m., 39 views

CVE-2018-1260

Spring Security OAuth, versions 2.3 prior to 2.3.3, 2.2 prior to 2.2.2, 2.1 prior to 2.1.2, 2.0 prior to 2.0.15 and older unsupported versions contains a remote code execution vulnerability. A malicious user or attacker can craft an authorization request to the authorization endpoint that can lea...

CVSS 9.8, AI score 5.9, EPSS 0.52285
Exploits: 2, References: 1