Security Bulletin: IBM Planning Analytics Workspace is affected by multiple vulnerabilities (CVE-2022-22968, CVE-2022-24785, CVE-2017-18214, CVE-2016-4055, CVE-2018-1000613, CVE-2020-15522, CVE-2018-1000180, CVE-2020-26939, CVE-2022-22314)
Summary: IBM Planning Analytics Workspace is affected by multiple vulnerabilities. Spring is used in IBM Planning Analytics Workspace in server-side REST APIs as an indirect dependency of MongoDB, which is used to store content (CVE-2022-22968). Node.js moment is used in IBM Planning Analytics Workspa...
This Week in Spring - March 25th, 2025
Hi, Spring fans! Welcome to another installment of This Week in Spring! This week, I’m in Portland, OR, then I'm off to Austin, TX for the Arc of AI show, and then I'm off to Amsterdam for Voxxed Days Amsterdam! If you're around, be sure to say hi! There's a ton of cool stuff to look at, so witho...
Spring Security Vulnerable to Authorization Bypass via Security Annotations
Spring Security 6.4.0 - 6.4.3 may not correctly locate method security annotations on parameterized types or methods. This may cause an authorization bypass. You are not affected if you are not using @EnableMethodSecurity, or you do not have method security annotations on parameterized types or...
app.valuationcontrol:library (>=0.5.8 <=0.5.9), at.aimon.ops:aimon-ops-api (>=0.0.1 <=0.0.2) +2046 more potentially affected by CVE-2025-22223 via org.springframework.security:spring-security-core (>=6.4.0 <=6.4.3)
org.springframework.security:spring-security-core MAVEN version =6.4.0, =0.5.8, =0.0.1, =55.v51410e712e0c, =1.0.1, =1.0.2, =1.0.4, =1.0.2, =1.0.16, =1.0.2, =1.0.4, =1.10.0, =1.10.0, =1.10.0, =1.55.1, =2.1.0 and more Source cves: CVE-2025-22223 Source advisory: OSV:GHSA-HH3M-G4QJ-4835...
GHSA-HH3M-G4QJ-4835 Spring Security Vulnerable to Authorization Bypass via Security Annotations
Spring Security 6.4.0 - 6.4.3 may not correctly locate method security annotations on parameterized types or methods. This may cause an authorization bypass. You are not affected if you are not using @EnableMethodSecurity, or you do not have method security annotations on parameterized types or...
CVE-2025-22223
Spring Security 6.4.0 - 6.4.3 may not correctly locate method security annotations on parameterized types or methods. This may cause an authorization bypass. You are not affected if you are not using @EnableMethodSecurity, or you do not have method security annotations on parameterized types or...
CVE-2025-22223
Spring Security 6.4.0–6.4.3 may fail to locate method security annotations on parameterized types or methods, potentially bypassing authorization. IBM/WatsonX data shows affected product watsonx.data (2.1.3) with remediation to upgrade to watsonx.data 2.2 or CPD 5.2; IBM Maximo AI Broker also lis...
VMware Spring Security security vulnerability
VMware Spring Security is a set of security frameworks from VMware, Inc. that provide declarative security protection for Spring-based applications. A security vulnerability exists in VMware Spring Security versions 6.4.0 through 6.4.3 that originates from an authorization bypass...
CicadasCMS injection vulnerability
CicadasCMS is a content management framework built on Spring Boot, MyBatis, Spring Security and Vue by westboy, an individual developer in China. An injection vulnerability exists in CicadasCMS version 1.0, which stems from susceptibility to SQL injection attacks...
Security Bulletin: Rational Test Virtualization Server and Rational Test Workbench are vulnerable to denial of service due to Spring MVC (CVE-2024-38828)
Summary: The Rational Test Control Panel (RTCP) component of Rational Test Virtualization Server and Rational Test Workbench uses Spring MVC, which is vulnerable to a denial of service attack (CVE-2024-38828). Vulnerability Details CVEID: CVE-2024-38828 DESCRIPTION: Spring MVC controller methods with an...
io.xuxiaowei.seata:seata-server (>=2.1.0 <=2.2.0), org.apache.seata:seata-compressor-all (>=2.1.0 <=2.2.0) +5 more potentially affected by CVE-2024-54016 via org.apache.seata:seata-compressor-zstd (>=2.1.0 <=2.2.0)
org.apache.seata:seata-compressor-zstd MAVEN version =2.1.0, =2.1.0, =2.1.0, =2.1.0, =2.1.0, =2.1.0, =2.1.0, =2.1.0, =2.2.0 Source cves: CVE-2024-54016 Source advisory: SNYK:JAVA-ORGAPACHESEATA-9521513...
com.weicoder:seata (>=3.5.1 <=3.6.2), io.seata:seata-compressor-all (>=1.5.0 <=2.0.0) +7 more potentially affected by CVE-2024-54016 via io.seata:seata-compressor-zstd (>=1.5.0 <=2.0.0)
io.seata:seata-compressor-zstd MAVEN version =1.5.0, =3.5.1, =1.5.0, =1.5.0, =1.8.0, =1.5.0, =1.7.0, =1.8.0, =2.0.0 Source cves: CVE-2024-54016 Source advisory: SNYK:JAVA-IOSEATA-9521514...
app.valuationcontrol:library (>=0.5.8 <=0.5.9), at.aimon.ops:aimon-ops-api (>=0.0.1 <=0.0.2) +2784 more potentially affected by CVE-2025-22228 via org.springframework.security:spring-security-crypto (>=6.4.0 <=6.4.3)
org.springframework.security:spring-security-crypto MAVEN version =6.4.0, =0.5.8, =0.0.1, =0.0.1, =55.v51410e712e0c, =1.0.1, =1.0.2, =1.0.4, =1.0.2, =1.0.16, =1.0.2, =1.0.4, =2.3.0, =1.10.0, =1.10.0, =1.11.0 and more Source cves: CVE-2025-22228 Source advisory: OSV:GHSA-MG83-C7GQ-RV5C...
africa.absa:inception-api (>=1.0.0 <=1.2.0), africa.absa:inception-codes-api (>=1.0.0 <=1.2.0) +9767 more potentially affected by CVE-2025-22228 via org.springframework.security:spring-security-crypto (>=3.1.0.RELEASE <=5.7.14)
org.springframework.security:spring-security-crypto MAVEN version =3.1.0.RELEASE, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =4.4.0.2, =0.5.0, =0.5.24 and more Source cves: CVE-2025-22228 Source advisory: OSV:GHSA-MG83-C7GQ-RV5C...
cc.chensoul.nacos:nacos-distribution (=2.5.2), cn.sparrowmini:sparrow-org-service (=0.0.1) +618 more potentially affected by CVE-2025-22228 via org.springframework.security:spring-security-crypto (>=5.8.0 <=5.8.16)
org.springframework.security:spring-security-crypto MAVEN version =5.8.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.1 and more Source cves: CVE-2025-22228 Source advisory: OSV:GHSA-MG83-C7GQ-RV5Chttp...
be.jidoka:jdk-keycloak-admin (=2.0.0), br.com.devires.framework.boot:devires-framework-boot-audit (=1.1.0) +1079 more potentially affected by CVE-2025-22228 via org.springframework.security:spring-security-crypto (>=6.0.0 <=6.0.1)
org.springframework.security:spring-security-crypto MAVEN version =6.0.0, =1.1.0, =1.1.0, =0.12.0, =0.12.0, =0.12.0, =0.13.0, =3.0.1.0, =3.0.1.0, =3.0.1.0, =3.0.1.0, =3.0.1.0, =3.0.1.0, =3.0.1.0, =3.0.2.3 and more Source cves: CVE-2025-22228 Source advisory:...
Spring Security Does Not Enforce Password Length
BCryptPasswordEncoder.matches(CharSequence, String) will incorrectly return true for passwords longer than 72 characters as long as the first 72 characters are the same...
app.boboc:spring-cloud-github (=0.0.1), app.valuationcontrol:library (>=0.5.2 <=0.5.5) +1773 more potentially affected by CVE-2025-22228 via org.springframework.security:spring-security-crypto (>=6.2.0 <=6.2.1)
org.springframework.security:spring-security-crypto MAVEN version =6.2.0, =0.5.2, =0.5.0, =7.0.0, =1.0.2, =1.0.18, =1.0.2, =1.0.2, =v1.0.26, =1.0.0, =1.0, =1.1 and more Source cves: CVE-2025-22228 Source advisory: OSV:GHSA-MG83-C7GQ-RV5C...