cy-fast 注入漏洞

cy-fast is a SpringBoot based rapid development framework by chenyi personal developer. An injection vulnerability exists in cy-fast version 1.0, which is caused by SQL injection in the parameter order...

cy-fast SQL注入漏洞

cy-fast is a SpringBoot based rapid development framework by chenyi personal developer. A security vulnerability exists in cy-fast version 1.0, which is caused by a SQL injection in the parameter order...

This Week in Spring - January 7th, 2025

Hi, Spring fans, and happy new year! It's been another super seven days since we last spoke and, as always, there's a lot to cover so let's dive right into it! A long time in coming, but it's finally here! Hello DCO, Goodbye CLA: Simplifying Contributions to Spring the Spring AI hits just keep on...

Hello DCO, Goodbye CLA: Simplifying Contributions to Spring

The Spring team will be rolling out a simplified contribution process that replaces the requirement to sign a Contributor License Agreement CLA with a Developer Certificate of Origin DCO. The process will start this week with Spring Framework, Spring Security, & Spring Boot and then roll out to t...

My-Blog 代码问题漏洞

My-Blog is a Java blog system implemented by SpringBoot + Mybatis + Thymeleaf and other technologies, with beautiful pages, full functionality, easy deployment and perfect code. A code issue vulnerability exists in My-Blog version 1.0, which stems from improper handling of the file parameter,...

This Year in Spring - December 31st, 2024

Hi Spring fans! Happy New Year! And welcome to another installment of This Year in Spring! The year that was... I write this edition from a desk overlooking the beautiful jungle of Martinique, a beautiful island nation in the French Caribbean. I’m sipping some rhum martinique , enjoying the...

Authorization Bypass

org.springframework.security is vulnerable to Authorization Bypass. The vulnerability is due to improper handling of locale-dependent exceptions in String.toLowerCase and String.toUpperCase, which could lead to authorization rules not functioning as intended...

A Bootiful Podcast: Intact's Luke Shannon

Hi, Spring fans! and happy holidays! in this installment I talk to Intact's Luke Shannon about their use of Spring, developer portals, and so much more...

Malicious code in react-spring-latest (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware b4479151acbc242dd9b62ac68197121a3b973d6eb0b58d6a0ac6900f63b9fe1f Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2024-12114 Malicious code in react-spring-latest (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware b4479151acbc242dd9b62ac68197121a3b973d6eb0b58d6a0ac6900f63b9fe1f Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

OSV-2024-1397 Security exception in org.springframework.expression.spel.ast.OpPlus.getValueInternal

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=385326423 Crash type: Security exception Crash state: org.springframework.expression.spel.ast.OpPlus.getValueInternal java.base/java.util.HashMap.get org.springframework.core.convert.TypeDescriptor.valueOf...

PT-2024-40646 · Spring · Spring

Name of the Vulnerable Software and Affected Versions: Spring versions affected versions not specified Description: The issue is related to a security exception in the org.springframework.expression.spel.ast.OpPlus.getValueInternal function, which is part of the Spring framework. The crash state...

ai.ancf.lmos:lmos-operator (>=0.0.4 <=0.1.0), ai.driftkit:driftkit-chat-assistant-framework (>=0.5.0 <=0.8.7) +3114 more potentially affected by CVE-2024-38819 via org.springframework:spring-webmvc (>=6.1.0 <=6.1.13)

org.springframework:spring-webmvc MAVEN version =6.1.0, =0.0.4, =0.5.0, =0.6.0, =0.5.0, =0.7.0, =0.7.0, =0.5.0, =0.7.5, =0.8.3, =0.7.0, =0.5.0, =0.5.0, =0.5.0, =cloud-0.1, =cloud-0.2.1 - ai.latta:spring =1.0 and more Source cves: CVE-2024-38819 Source advisory: OSV:GHSA-G5VR-RGQM-VF78...

be.dnsbelgium:rdap-server (>=4.0.0 <=4.0.3), be.personify.iam:personify-api (>=1.5.0.RELEASE <=1.5.2.RELEASE) +2804 more potentially affected by CVE-2024-38819 via org.springframework:spring-webmvc (>=6.0.0 <=6.0.23)

org.springframework:spring-webmvc MAVEN version =6.0.0, =4.0.0, =1.5.0.RELEASE, =1.5.1.RELEASE, =1.5.0.RELEASE, =2.1.0.RELEASE, =3.0.0, =2.10.0, =2.10.0, =2.10.0, =2.10.0, =2.10.0, =3.4.0 and more Source cves: CVE-2024-38819 Source advisory...

ai.ancf.lmos-router:lmos-router-llm-in-spring-cloud-gateway-demo (>=0.2.0 <=0.28.0), ai.ancf.lmos:arc-graphql-spring-boot-starter (>=0.1.1 <=0.112.0) +799 more potentially affected by CVE-2024-38819 via org.springframework:spring-webflux (>=6.1.0 <=6.1.13)

org.springframework:spring-webflux MAVEN version =6.1.0, =0.2.0, =0.1.1, =0.1.1, =0.0.4, =0.1.0, =0.6.0, =0.6.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =3.3.1, =1.0.0, =1.0.9 and more Source cves: CVE-2024-38819 Source advisory: OSV:GHSA-G5VR-RGQM-VF78...

africa.absa:inception-application (>=1.1.0 <=1.2.0), africa.absa:inception-test (>=1.1.0 <=1.2.0) +2753 more potentially affected by CVE-2024-38819 via org.springframework:spring-webflux (>=5.0.0.RELEASE <=5.3.39)

org.springframework:spring-webflux MAVEN version =5.0.0.RELEASE, =1.1.0, =1.1.0, =0.5.0, =0.5.0, =0.5.0, =j8.2.2.0, =0.0.1, =v0.3.12, =v0.3.12, =v0.3.12, =2.1.2.RELEASE, =4.1.36, =4.1.7, =4.7.1 - br.com.m4rc310:br-com-m4rc310-graphql =1.0.1 - br.com.m4rc310:br-com-m4rc310-libs =1.0.1 and more...

RPD:bmc-rpd (=1.1), aendter.jenkins.plugins:filesystem-list-parameter-plugin (>=0.0.1 <=0.0.6) +25413 more potentially affected by CVE-2024-38819 via org.springframework:spring-webmvc (>=1.2.1 <=5.3.39)

org.springframework:spring-webmvc MAVEN version =1.2.1, =0.0.1, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =4.4.0.0, =0.0.12, =0.1.15 and more Source cves: CVE-2024-38819 Source advisory: OSV:GHSA-G5VR-RGQM-VF78...

ai.optfor:spring-openai-api (>=0.2.2 <=0.3.25), app.boboc:webflux-websocket-coroutine (>=0.0.6 <=1.0.0) +659 more potentially affected by CVE-2024-38819 via org.springframework:spring-webflux (>=6.0.0 <=6.0.23)

org.springframework:spring-webflux MAVEN version =6.0.0, =0.2.2, =0.0.6, =0.0.6, =4.6.18, =0.14.0, =0.15.0, =0.15.0, =0.15.0, =0.15.0, =0.15.0-RC2 and more Source cves: CVE-2024-38819 Source advisory: OSV:GHSA-G5VR-RGQM-VF78...

Spring Framework Path Traversal vulnerability

Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application...

GHSA-G5VR-RGQM-VF78 Spring Framework Path Traversal vulnerability

Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application...