Lucene search

6525 matches found

IBM Security Bulletins
added 2025/08/06 5:25 p.m. · 5 views

Security Bulletin: Denial of Service vulnerability affect IBM Business Automation Workflow embedded Navigator - CVE-2024-38808

Summary: IBM Business Automation Workflow embedded Navigator repackages a vulnerable copy of Spring. Vulnerability Details: CVEID: CVE-2024-38808. DESCRIPTION: In Spring Framework versions 5.3.0 - 5.3.38 and older unsupported versions, it is possible for a user to provide a specially crafted Spring...

4.3 CVSS · 6.6 AI score · 0.00809 EPSS
Exploits 0 · Affected Software 2
Spring Engineering
added 2025/08/05 12:0 a.m. · 3 views

This Week in Spring - August 5th, 2025

Hi, Spring fans! Welcome to another installment of This Week in Spring! It's August 5th! Which means we're only 20 days away until SpringOne 2025! Have you registered? There's so much to cover this week, so let's dive right into it! Spring Shell 3.4.1 is out! - the new release includes a number o...

7.2 AI score
Exploits 0
OSV
added 2025/08/04 9:15 p.m. · 3 views

CVE-2025-8525

A vulnerability was found in Exrick xboot up to 3.3.4. It has been classified as problematic. This affects an unknown part of the component Spring Boot Admin/Spring Actuator. The manipulation leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been...

6.9 CVSS · 6.3 AI score
Exploits 0 · References 5
Cvelist
added 2025/08/04 8:32 p.m. · 6 views

CVE-2025-8525 Exrick xboot Spring Boot Admin/Spring Actuator information disclosure

A vulnerability was found in Exrick xboot up to 3.3.4. It has been classified as problematic. This affects an unknown part of the component Spring Boot Admin/Spring Actuator. The manipulation leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been...

6.9 CVSS · 0.00223 EPSS
Exploits 1 · References 5
CVE
added 2025/08/04 8:32 p.m. · 18 views

CVE-2025-8525

CVE-2025-8525 affects Exrick xboot up to 3.3.4, with a root cause tied to an information disclosure in the area of Spring Boot Admin/Spring Actuator. The vulnerability can be triggered remotely and the exploit has been publicly disclosed. Multiple connected sources corroborate the same impact an...

6.9 CVSS · 5.2 AI score · 0.00223 EPSS
Exploits 1 · References 5 · Affected Software 1
Vulnrichment
added 2025/08/04 8:32 p.m. · 3 views

CVE-2025-8525 Exrick xboot Spring Boot Admin/Spring Actuator information disclosure

A vulnerability was found in Exrick xboot up to 3.3.4. It has been classified as problematic. This affects an unknown part of the component Spring Boot Admin/Spring Actuator. The manipulation leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been...

6.9 CVSS · 6.7 AI score · 0.00223 EPSS
Exploits 1 · References 5
Positive Technologies
added 2025/08/04 12:0 a.m. · 4 views

PT-2025-31864 · Exrick +1 · Exrick Xboot +2

Name of the Vulnerable Software and Affected Versions: Exrick xboot versions up to 3.3.4 Description: A vulnerability exists in Exrick xboot that may lead to information disclosure. The issue affects an unknown part of the component Spring Boot Admin/Spring Actuator and can be initiated remotely...

6.9 CVSS · 5.1 AI score · 0.00223 EPSS
Exploits 1 · References 8
IBM Security Bulletins
added 2025/08/01 4:1 p.m. · 9 views

Security Bulletin: Vulnerability with spring-security-crypto and jinja affect IBM Cloud Object Storage Systems (July 2025)

Summary: Vulnerability with spring-security-crypto CVE-2025-22228 and jinja CVE-2025-27516. This vulnerability has been addressed in the latest ClevOS release. Vulnerability Details: CVEID: CVE-2025-22228. DESCRIPTION: BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for...

8.8 CVSS · 7.6 AI score · 0.00121 EPSS
Exploits 0 · Affected Software 1
Spring Engineering
added 2025/07/31 12:0 a.m. · 3 views

A Bootiful Podcast: Spring Security lead Rob Winch on Spring Security 7.0, SpringOne 2025, and more

Hi, Spring fans! In this installment I'm joined by Spring Security lead Rob Winch to discuss the amazing new additions to Spring Security 7.0, coming in November of 2025, and the coverage you can expect when you see our talk at SpringOne 2025 have you registered - https://springone.io ?...

7.1 AI score
Exploits 0
IBM Security Bulletins
added 2025/07/30 5:5 p.m. · 9 views

Security Bulletin: Multiple Vulnerabilities in IBM CloudPak for AIOps

Summary: Multiple vulnerabilities were addressed in IBM Cloud Pak for AIOps version 4.10.1. Vulnerability Details: CVEID: CVE-2025-22233. DESCRIPTION: CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names...

9.1 CVSS · 10 AI score · 0.01514 EPSS
Exploits 3 · Affected Software 1
F5 Networks
added 2025/07/29 2:21 p.m. · 7 views

K000152799: Spring Security vulnerability CVE-2024-38810

Security Advisory Description: Missing Authorization When Using @AuthorizeReturnObject in Spring Security 6.3.0 and 6.3.1 allows attacker to render security annotations ineffective. (CVE-2024-38810) Impact: There is no impact; F5 products are not affected by this vulnerability. Security Advisory Stat...

7.5 CVSS · 6.4 AI score · 0.00968 EPSS
Exploits 0
Spring Engineering
added 2025/07/29 12:0 a.m. · 3 views

This Week in Spring - July 29th, 2025

It's the end of July! JULY! The seventh month of the year, done and dusted! AHHHHH! I've got memories of being on a tropical beach over the winter holidays, sipping rum and dodging mosquitoes like I was doing a rhythmic gymnastics routine just recently. It turns out that was seven months ago, not...

7.2 AI score
Exploits 0
Gitee
added 2025/07/27 3:22 a.m. · 160 views

java-sec-code

This is an offensive tool for Java web applications. It is a collection of Java web common vulnerabilities and security code, based on Spring Boot and Spring Security. The repository contains various types of vulnerabilities, including actuators to RCE, command inject, CORS, CRLF injection, CSRF,...

7.4 AI score
Exploits 0
IBM Security Bulletins
added 2025/07/25 12:45 p.m. · 4 views

Security Bulletin: Spring Security 6.4.0 - 6.4.3 may not correctly locate method security annotations. This may cause an authorization bypass, which affects IBM watsonx.data

Summary: Spring Security 6.4.0 - 6.4.3 may not correctly locate method security annotations on parameterized types or methods. This may cause an authorization bypass. You are not affected if you are not using @EnableMethodSecurity, or you do not have method security annotations on parameterized...

5.3 CVSS · 5.2 AI score · 0.00033 EPSS
Exploits 0 · Affected Software 1
Spring Engineering
added 2025/07/24 12:0 a.m. · 4 views

A Bootiful Podcast: José Paumard, Java developer advocate and professor

Hi, Spring fans! In this installment, recorded at Devoxx UK 2025, I talk to the legendary professor of computer science and legend José Paumard about Java, the ecosystem, and more,...

7.2 AI score
Exploits 0
OSSF Malicious Packages
added 2025/07/22 4:30 p.m. · 2 views

Malicious code in spring-tx (npm)

The package communicates with a domain associated with malicious activity. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware ccb59e10d8881abf3b2dc67ba4e148293566cd2978a32ebb3f07008e91ba5952 Any computer that has this package installed or running should be considered...

6.8 AI score
Exploits 0 · References 1
OSV
added 2025/07/22 4:30 p.m. · 11 views

MAL-2025-6130 Malicious code in spring-tx (npm)

The package communicates with a domain associated with malicious activity. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware ccb59e10d8881abf3b2dc67ba4e148293566cd2978a32ebb3f07008e91ba5952 Any computer that has this package installed or running should be considered...

7 AI score
Exploits 0 · References 1
OSSF Malicious Packages
added 2025/07/22 4:30 p.m. · 4 views

Malicious code in spring-context (npm)

The package communicates with a domain associated with malicious activity...

7 AI score
Exploits 0
OSV
added 2025/07/22 4:30 p.m. · 1 views

MAL-2025-6129 Malicious code in spring-context (npm)

The package communicates with a domain associated with malicious activity...

7.1 AI score
Exploits 0
Spring Engineering
added 2025/07/22 12:0 a.m. · 12 views

Spring Data JDBC and R2DBC 4.0 will support Composite IDs

I'm happy to announce, that Spring Data JDBC and R2DBC finally support Composite IDs starting with version 4.0.0-M4. Most of you probably know, but just to make sure everyone has the same understanding: From the database point of view a composite id or composite key is a primary key that consists...

7.3 AI score
Exploits 0