6525 matches found

CNNVD
added 2025/04/19 12:00 a.m., 2 views

My-BBS Security Vulnerability

My-BBS is a BBS forum system built on SpringBoot, Mybatis and Thymeleaf by the individual developer ZHENFENG13. A security vulnerability exists in My-BBS version 1.0, which stems from a cross-site request forgery issue...

CVSS 6.5, AI score 4.9, EPSS 0.00148
Exploits 1, References 4
Positive Technologies
added 2025/04/16 12:00 a.m., 4 views

PT-2025-36574

Name of the Vulnerable Software and Affected Versions: Spring Cloud Gateway Server Webflux, affected versions not specified. Description: Spring Cloud Gateway Server Webflux may allow an attacker to modify Spring Environment properties. This is possible when the Spring Boot actuator is a dependency,...

CVSS 10, AI score 6.3, EPSS 0.06417
Exploits 0, References 34
Positive Technologies
added 2025/04/16 12:00 a.m., 5 views

PT-2025-33358

Name of the Vulnerable Software and Affected Versions: Spring Framework MVC applications affected versions not specified Description: Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container. This issue occurs when...

CVSS 5.9, AI score 6.4, EPSS 0.05222
Exploits 0, References 21
IBM Security Bulletins
added 2025/04/15 3:17 a.m., 43 views

Security Bulletin: IBM Observability with Instana for Synthetic PoP is affected by Multiple Security Vulnerabilities

Summary: Multiple vulnerabilities were addressed in IBM Observability with Instana for Synthetic PoP build 286. Vulnerability Details: CVEID: CVE-2023-37920. DESCRIPTION: An unspecified error with the removal of the e-Tugra root certificate in Certifi has an unknown impact and attack vector. CWE: CWE-345:...

CVSS 9.8, AI score 9.3, EPSS 0.9389
Exploits 11, Affected Software 1
IBM Security Bulletins
added 2025/04/15 2:48 a.m., 73 views

Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for September and October 2024.

Summary: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation 21.0.3-IF037 and 24.0.0-IF003. Vulnerability Details: CVEID: CVE-2024-39249. DESCRIPTION: Async is vulnerable to a denial of service, caused by a ReDoS (Regular Expression Denial of Service) while...

CVSS 8.5, AI score 9.9, EPSS 0.64852
Exploits 1, Affected Software 2
Spring Engineering
added 2025/04/15 12:00 a.m., 4 views

This Week in Spring - April 15th, 2025

Spring AI M7 is here! This new release includes a bunch of awesome new features! And some refactorings. Notably, the Spring AI auto-configuration has changed from a single monolithic artifact to individual auto-configuration artifacts per model, vector store, and other components. This change...

AI score 7.2
Exploits 0
Packet Storm
added 2025/04/15 12:00 a.m., 279 views

Spring Boot common-user-management 0.1 Shell Upload

Spring Boot common-user-management version 0.1 suffers from a remote shell upload vulnerability. Exploit Title: Unrestricted File Upload Google Dork: Date: 14/Nov/2024 Exploit Author: d3sca Vendor Homepage: https://github.com/OsamaTaher/Java-springboot-codebase Software Link:...

CVSS 8.7, AI score 7, EPSS 0.07457
Exploits 3
Exploit DB
added 2025/04/15 12:00 a.m., 306 views

Spring Boot common-user-management 0.1 - Remote Code Execution (RCE)

Exploit Title: Unrestricted File Upload Google Dork: Date: 14/Nov/2024 Exploit Author: d3sca Vendor Homepage: https://github.com/OsamaTaher/Java-springboot-codebase Software Link: https://github.com/OsamaTaher/Java-springboot-codebase Version: app version 0.1 Tested on: Debian Linux CVE :...

CVSS 8.7, AI score 6.8, EPSS 0.07457
Exploits 3
Spring Engineering
added 2025/04/14 12:00 a.m., 12 views

Prompt Engineering Techniques with Spring AI

This blog post demonstrates practical implementations of Prompt Engineering techniques using Spring AI. The examples and patterns in this article are based on the comprehensive Prompt Engineering Guide that covers the theory, principles, and patterns of effective prompt engineering. The blog show...

AI score 7
Exploits 0
NVD
added 2025/04/10 6:15 p.m., 7 views

CVE-2025-22232

Spring Cloud Config Server may not use the Vault token sent by clients using an X-CONFIG-TOKEN header when making requests to Vault. Your application may be affected by this if the following are true: You have Spring Vault on the classpath of your Spring Cloud Config Server and You are using the...

CVSS 5.3, EPSS 0.00224
Exploits 0, References 1
Cvelist
added 2025/04/10 5:26 p.m., 11 views

CVE-2025-22232 Spring Cloud Config Server May Not Use Vault Token Sent By Clients

Spring Cloud Config Server may not use the Vault token sent by clients using an X-CONFIG-TOKEN header when making requests to Vault. Your application may be affected by this if the following are true: You have Spring Vault on the classpath of your Spring Cloud Config Server and You are using the...

CVSS 5.3, EPSS 0.00224
Exploits 0, References 1
Vulnrichment
added 2025/04/10 5:26 p.m., 8 views

CVE-2025-22232 Spring Cloud Config Server May Not Use Vault Token Sent By Clients

Spring Cloud Config Server may not use the Vault token sent by clients using an X-CONFIG-TOKEN header when making requests to Vault. Your application may be affected by this if the following are true: You have Spring Vault on the classpath of your Spring Cloud Config Server and You are using the...

CVSS 5.3, AI score 5.3, EPSS 0.00224
Exploits 0, References 1
CVE
added 2025/04/10 5:26 p.m., 58 views

CVE-2025-22232

Summary: CVE-2025-22232 affects Spring Cloud Config Server when used with Vault and X-CONFIG-TOKEN. The issue arises because the default SessionManager (LifecycleAwareSessionManager or similar) persists the first Vault token it retrieves and continues using it, even if clients send a different to...

CVSS 5.3, AI score 5.2, EPSS 0.00224
Exploits 0, References 1
CNNVD
added 2025/04/10 12:00 a.m., 1 view

VMware Spring Cloud Config Security Vulnerability

VMware Spring Cloud Config is a configuration management solution for distributed systems from VMware. The product primarily provides server and client support for external configuration in distributed systems. A security vulnerability exists in VMware Spring Cloud Config versions 2.2.1 through...

CVSS 5.3, AI score 5.4, EPSS 0.00224
Exploits 0, References 1
Spring Engineering
added 2025/04/10 12:00 a.m., 5 views

A Bootiful Podcast: Wiremock's leaders Lee Turner and Tom Akehurst

Hi, Spring fans! In this installment we talk to Wiremock's leaders Lee Turner and Tom Akehurst...

AI score 7.2
Exploits 0
Gitee
added 2025/04/09 7:46 p.m., 137 views

Exploit for CVE-2024-38819

This is a proof-of-concept PoC exploit for CVE-2024-38819, a high-risk path traversal vulnerability in the Spring Framework. The vulnerability allows an attacker to access sensitive files on the server by constructing a malicious HTTP request with a specially crafted path. The PoC code is a simpl...

CVSS 7.5, AI score 6.5, EPSS 0.93306
Exploits 5
Positive Technologies
added 2025/04/08 12:00 a.m., 2 views

PT-2025-15613 · Spring · Spring Cloud Config

Name of the Vulnerable Software and Affected Versions: Spring Cloud Config versions 3.1.10, 4.0.10, 4.1.6, 4.2.2, and 4.3.0-M3 are not the affected versions, but rather the versions that address the issue. Since the affected versions are not explicitly mentioned, the correct output is: Spring Clo...

CVSS 5.3, AI score 5, EPSS 0.00224
Exploits 0, References 13
Spring Engineering
added 2025/04/08 12:00 a.m., 11 views

This Week in Spring - April 8th, 2025

Hi, Spring fans! How are ya? I'm doing fine. Excited, even. You see, Spring AI M7 is coming soon! In theory, it drops on Thursday. Don't hold us to that — these things can change :- But soon, and it's turning out to be a whopper of a release! You should try upgrading your application to the new ...

CVSS 5.3, AI score 7, EPSS 0.00224
Exploits 0
vulnersOsv
added 2025/04/07 12:00 a.m., 4 views

com.mayhoo:config-server (=3.0.2), com.okta.spring.examples:okta-spring-boot-cloud-config-example (>=3.0.3 <=3.0.8) +8 more potentially affected by CVE-2025-22232 via org.springframework.cloud:spring-cloud-config-server (>=4.0.0 <=4.1.5)

org.springframework.cloud:spring-cloud-config-server MAVEN version =4.0.0, =3.0.3, =0.5, =0.0.1, =1.2.1-rc1, =7.0.0, =7.0.0, =4.0.0, =3.0.0, =3.1.5 Source cves: CVE-2025-22232 Source advisory: SNYK:JAVA-ORGSPRINGFRAMEWORKCLOUD-9674187...

CVSS 5.3, AI score 6, EPSS 0.00224
Exploits 0
Snyk
added 2025/04/07 12:00 a.m., 1 view

Improper Authorization

Overview: org.springframework.cloud:spring-cloud-config-server is a library that provides an HTTP resource-based API for external configuration. Affected versions of this package are vulnerable to Improper Authorization due to not using the Vault token sent by clients using an X-CONFIG-TOKEN header...

CVSS 6.3, AI score 7, EPSS 0.00224
Exploits 0, References 2