VulnCheck KEV: CVE-2024-38816

Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application...

VMware Spring Framework 5.3.0 < 5.3.41, 6.0.x < 6.0.25, 6.1.x < 6.1.14 Multiple Vulnerabilities - Windows

The VMware Spring Framework is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...

Leverage the Power of 45k, free, Hugging Face Models with Spring AI and Ollama

This blog post is co-authored by our great contributor Thomas Vitale. Ollama now supports all GGUF models from Hugging Face , allowing access to over 45,000 community-created models through Spring AI's Ollama integration, runnable locally. We'll explore using this new feature with Spring AI. The...

This Week in Spring - October 22nd, 2024

Hi, Spring fans! Welcome to another installment of This Week in Spring. I write this to you in an Uber speeding down the autobahn near Frankfurt, Germany. What a time to be alive! At the rate this driver's going, I won't have much time to write this before we've arrived, so let's dive right into...

VMware Spring Framework 5.3.0 < 5.3.41, 6.0.x < 6.0.25, 6.1.x < 6.1.14 Multiple Vulnerabilities - Linux

The VMware Spring Framework is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...

ColumnPack:ColumnPack-plugin (=1.0.3), CustomHistory:CustomHistory (>=1.1 <=1.3) +37113 more potentially affected by CVE-2024-38820 via org.springframework:spring-web (>=1.2.1 <=5.3.4)

org.springframework:spring-web MAVEN version =1.2.1, =1.1, =0.0.1, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.2.0 and more Source cves: CVE-2024-38820 Source advisory: OSV:GHSA-4GC7-5J7H-4QPH...

Spring Framework DataBinder Case Sensitive Match Exception

The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase has some Locale dependent exceptions that could potentially result in fields not protected as expected...

GHSA-4GC7-5J7H-4QPH Spring Framework DataBinder Case Sensitive Match Exception

The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase has some Locale dependent exceptions that could potentially result in fields not protected as expected...

ai.ancf.lmos:arc-graphql-spring-boot-starter (>=0.1.1 <=0.112.0), ai.ancf.lmos:arc-memory-mongo-spring-boot-starter (>=0.1.1 <=0.112.0) +8259 more potentially affected by CVE-2024-38820 via org.springframework:spring-context (>=6.1.0 <=6.1.13)

org.springframework:spring-context MAVEN version =6.1.0, =0.1.1, =0.1.1, =0.1.1, =0.1.1, =0.0.4, =0.1.0, =0.5.0, =0.5.0, =0.5.0, =0.5.8, =0.5.0, =0.5.7, =0.5.0, =0.6.0, =0.6.0, =0.8.7 and more Source cves: CVE-2024-38820 Source advisory: OSV:GHSA-4GC7-5J7H-4QPH...

ai.ancf.lmos:arc-graphql-spring-boot-starter (>=0.1.1 <=0.112.0), ai.ancf.lmos:arc-runner (>=0.1.1 <=0.112.0) +4756 more potentially affected by CVE-2024-38820 via org.springframework:spring-web (>=6.1.0 <=6.1.13)

org.springframework:spring-web MAVEN version =6.1.0, =0.1.1, =0.1.1, =0.0.4, =0.1.0, =0.5.0, =0.6.0, =0.6.0, =0.5.0, =0.6.0, =0.6.0, =0.5.0, =0.7.0, =0.7.0, =0.5.0, =0.7.5, =0.8.7 and more Source cves: CVE-2024-38820 Source advisory: OSV:GHSA-4GC7-5J7H-4QPH...

ai.optfor:spring-openai-api (>=0.1 <=0.3.25), am.ik.s3:simple-s3-client (>=0.1.0 <=0.1.1) +4169 more potentially affected by CVE-2024-38820 via org.springframework:spring-web (>=6.0.0 <=6.0.23)

org.springframework:spring-web MAVEN version =6.0.0, =0.1, =0.1.0, =0.2.3, =0.2.3, =0.0.6, =0.0.6, =4.6.18, =4.0.0, =1.5.0.RELEASE, =1.5.1.RELEASE, =1.5.0.RELEASE, =2.1.0.RELEASE, =1.5.0.RELEASE, =1.5.2.RELEASE and more Source cves: CVE-2024-38820 Source advisory: OSV:GHSA-4GC7-5J7H-4QPH...

ai.optfor:spring-openai-api (>=0.1.3 <=0.3.25), ai.timefold.solver:timefold-solver-spring-boot-autoconfigure (>=1.0.0 <=1.4.0) +7517 more potentially affected by CVE-2024-38820 via org.springframework:spring-context (>=6.0.0 <=6.0.23)

org.springframework:spring-context MAVEN version =6.0.0, =0.1.3, =1.0.0, =1.0.0, =0.1.6, =0.0.2, =0.0.6, =0.0.6, =1.3.0, =4.6.18, =4.0.0, =1.0.0, =2.1.0.RELEASE, =2.1.2.RELEASE and more Source cves: CVE-2024-38820 Source advisory: OSV:GHSA-4GC7-5J7H-4QPH...

CVE-2024-38820

The CVE-2024-38820 issue concerns Spring Framework DataBinder: lowercase conversion for disallowedFields and request parameter names was made locale-independent, but locale-dependent edge cases in String.toLowerCase() can still bypass the checks. Affected products/versions from linked advisories ...

CVE-2024-38820 CVE-2024-38820: Spring Framework DataBinder Case Sensitive Match Exception

The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase has some Locale dependent exceptions that could potentially result in fields not protected as expected...

CVE-2024-38820 CVE-2024-38820: Spring Framework DataBinder Case Sensitive Match Exception

The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase has some Locale dependent exceptions that could potentially result in fields not protected as expected...

VMware Spring Framework 安全漏洞

VMware Spring Framework is a set of open source Java, JavaEE application frameworks from VMware. The framework helps developers build high-quality applications. A security vulnerability exists in VMware Spring Framework that stems from case-sensitive matching exceptions that could cause fields to...

PT-2024-28233 · Vmware +1 · Vmware Spring +1

Name of the Vulnerable Software and Affected Versions: VMware Spring versions prior to 6.1.13 Description: The issue concerns improper access controls via DataBinder and String.toLowerCase, which has locale-dependent exceptions. This could result in fields not being protected as expected,...

PT-2024-7362

Name of the Vulnerable Software and Affected Versions: Spring Framework versions prior to 5.3.41 Spring Framework versions prior to 6.0.25 Spring Framework versions prior to 6.1.14 Confluence Data Center and Server versions 3.0 through 9.1.0 Confluence Data Center and Server version 9.1 Bitbucket...

VMware Spring Framework 安全漏洞

VMware Spring Framework is a set of open source Java, JavaEE application frameworks from VMware. The framework helps developers build high-quality applications. A security vulnerability exists in VMware Spring Framework. An attacker can exploit the vulnerability to read files outside of the servi...

Exploit for Code Injection in Vmware Spring_Cloud_Data_Flow

Use dnslog to detect whether CVE-2024-37084 vulnerability exi...