
6598 matches found

GithubExploit
added 2024/10/15 6:55 a.m., 225 views

Exploit for Code Injection in Vmware Spring_Cloud_Data_Flow

Detect vulnerabilities First, Use dnslog to detect whether CV...

9.8 CVSS, 6.6 AI score, 0.83304 EPSS
Exploits: 4

Spring Engineering
added 2024/10/15 12:00 a.m., 9 views

This Week in Spring - October 15th, 2024

Hi, Spring fans! Welcome to another rip-roaring and ever-so-riveting installment of This Week in Spring! I'm in Amsterdam, at the moment, rounding out a week between Antwerp, Belgium, and Amsterdam, the Netherlands. Today I'm off to Dubai for the fantastic GITEX/DevSlam event. Then I return back ...

7.3 AI score
Exploits: 0

RedHat Linux
added 2024/10/14 3:53 p.m., 9 views

org.springframework:spring-web: Spring Framework DoS via conditional HTTP request

A flaw was found in the Spring Web org.springframework:spring-web package. Due to improper ETag prefix validation when the application parses ETags from the If-Match or If-None-Match request headers, an attacker can trigger a denial of service by sending a maliciously crafted conditional HTTP...

5.3 CVSS, 7.3 AI score, 0.0014 EPSS
Exploits: 0, References: 10

RedHat Linux
added 2024/10/14 3:53 p.m., 4 views

spring-webmvc: Path Traversal Vulnerability in Spring Applications Using RouterFunctions and FileSystemResource

A flaw was found in Spring applications using the WebMvc.fn or WebFlux.fn frameworks. This issue can allow attackers to perform path traversal attacks via crafted HTTP requests when the application serves static resources using RouterFunctions and explicitly configures resource handling with a...

7.5 CVSS, 7.3 AI score, 0.9389 EPSS
Exploits: 1, References: 5

RedHat Linux
added 2024/10/14 3:53 p.m., 26 views

Critical: Red Hat Security Advisory: Red Hat Build of Apache Camel 4.4.3 for Spring Boot security update.

Red Hat build of Apache Camel 4.4.3 for Spring Boot release and security update is now available. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for...

9.2 CVSS, 7.1 AI score, 0.9389 EPSS
Exploits: 1, References: 6

GithubExploit
added 2024/10/08 6:07 p.m., 281 views

Exploit for Uncontrolled Resource Consumption in Siemens 6Bk1602-0Aa12-0Tp0_Firmware

TPAS Log4Shell PoC This repository contains a Proof of Concep...

10 CVSS, 8.9 AI score, 0.94358 EPSS
Exploits: 342

Spring Engineering
added 2024/10/08 12:00 a.m., 6 views

This Week in Spring - October 8th, 2024

Hi, Spring fans! Welcome to another installment of This Week in Spring! I'm in Antwerp, Belgium, for the amazing Devoxx Belgium 2024 event! I am so happy to be back here, one of the best shows in the Java ecosystem! We've got a lot to get into so let's dive right in! From Spring Cloud Data Flow...

7.2 AI score
Exploits: 0

Spring Engineering
added 2024/10/07 12:00 a.m., 6 views

From Spring Cloud Data Flow 2.11.x to 3.0

Dear Spring Community, With the recent announcement of Spring Framework 7.0 and Spring Boot 4.0, the Spring Cloud Data Flow team is pleased to announce the next major release, SCDF 3.0, to align with both Spring Framework 7.0 and Spring Boot 4.0. This will bring the following SCDF ecosystem of...

7.2 AI score
Exploits: 0

IBM Security Bulletins
added 2024/10/04 6:44 a.m., 25 views

Security Bulletin: IBM Operational Decision Manager for Sep 2024 - Multiple CVEs addressed

Summary IBM Operational Decision Manager is vulnerable to multiple remote code execution and denial of service attacks in third party and open source used in the product for various functions. See full list below. The vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2024-38808...

5.3 CVSS, 8.2 AI score, 0.00809 EPSS
Exploits: 0, Affected Software: 1

IBM Security Bulletins
added 2024/10/03 12:51 p.m., 24 views

Security Bulletin: IBM Sterling Control Center v6.2.1 and v6.3.1 is vulnerable and reported in [All] Spring Framework.

Summary Security Bulletin: Sterling Control Center v6.2.1 and v6.3.1 is vulnerable in All Spring Framework for CVE-2024-22233 Publicly disclosed vulnerability. Vulnerability Details CVEID:CVE-2024-22233 DESCRIPTION: VMware Tanzu Spring Framework is vulnerable to a denial of service, caused by a...

7.5 CVSS, 7.5 AI score, 0.01539 EPSS
Exploits: 0, Affected Software: 1

Spring Engineering
added 2024/10/02 12:00 a.m., 7 views

Supercharging Your AI Applications with Spring AI Advisors

In the rapidly evolving world of artificial intelligence, developers are constantly seeking ways to enhance their AI applications. Spring AI, a Java framework for building AI-powered applications, has introduced a powerful feature: the Spring AI Advisors. The advisors can supercharge your AI...

7 AI score
Exploits: 0

Spring Engineering
added 2024/10/01 12:00 a.m., 4 views

From Spring Framework 6.2 to 7.0

Dear Spring community, Spring Framework 6.2 is shaping up for general availability in November 2024, with particularly significant revisions in the core container and in our web support: see "What's New in Spring Framework 6.2". This release is designed for use with JDK 17-23 and Jakarta EE 9-10...

7.2 AI score
Exploits: 0

Spring Engineering
added 2024/10/01 12:00 a.m., 8 views

This Week in Spring - October 1st, 2024

Hi, Spring fans! It's the first of October! We're officially in the fourth quarter of 2024! Time's moving too quickly. Way too quickly. But as always, there's awesome stuff afoot, so let's dive right in! Spring Framework lead Juergen Hoeller looks at the road ahead, to Spring Framework 6.2 and...

6.9 AI score
Exploits: 0

GithubExploit
added 2024/09/28 11:16 p.m., 127 views

Exploit for CVE-2024-38816

CVE-2024-38816 Proof of Concept PoC This is a proof of conc...

7.5 CVSS, 7.5 AI score, 0.9389 EPSS
Exploits: 1

Spring Engineering
added 2024/09/27 12:00 a.m., 6 views

AI Meets Spring Petclinic: Implementing an AI Assistant with Spring AI (Part II)

Recap of Part I In the first part of this blog series, we explored the basics of integrating Spring AI with large language models. We walked through building a custom ChatClient, leveraging Function Calling for dynamic interactions, and refining our prompts to suit the Spring Petclinic use case. ...

6.6 AI score
Exploits: 0

CNVD
added 2024/09/27 12:00 a.m., 8 views

IceCMS Authentication Error Vulnerability

IceCMS is a content management system based on Spring Boot + Vue front-end and back-end separation. An authentication bypass vulnerability exists in IceCMS v3.4.7 and earlier versions, which stems from the inclusion of hard-coded JWT keys that can be exploited by an attacker to forge JWT...

9.8 CVSS, 7 AI score, 0.00143 EPSS
Exploits: 1, References: 1

Veracode
added 2024/09/26 5:43 a.m., 7 views

Denial Of Service (DoS)

org.springframework,spring-web is vulnerable to Denial Of Service DoS. The vulnerability is due to improper handling of ETags from If-Match or If-None-Match request headers, allowing attackers to overwhelm the system and cause service disruption...

5.3 CVSS, 5.2 AI score, 0.0014 EPSS
Exploits: 0, References: 7, Affected Software: 1

Spring Engineering
added 2024/09/26 12:00 a.m., 13 views

AI Meets Spring Petclinic: Implementing an AI Assistant with Spring AI (Part I)

Introduction In this two-part blog post, I will discuss the modifications I made to Spring Petclinic to incorporate an AI assistant that allows users to interact with the application using natural language. Introduction to Spring Petclinic Spring Petclinic serves as the primary reference...

6.4 AI score
Exploits: 0

RedhatCVE
added 2024/09/24 9:08 p.m., 27 views

CVE-2024-38809

A flaw was found in the Spring Web org.springframework:spring-web package. Due to improper ETag prefix validation when the application parses ETags from the If-Match or If-None-Match request headers, an attacker can trigger a denial of service by sending a maliciously crafted conditional HTTP...

5.3 CVSS, 5.2 AI score, 0.0014 EPSS
Exploits: 0, References: 9

vulnersOsv
added 2024/09/24 6:34 p.m., 6 views

ai.optfor:spring-openai-api (>=0.1 <=0.3.25), am.ik.s3:simple-s3-client (>=0.1.0 <=0.1.1) +4163 more potentially affected by CVE-2024-38809 via org.springframework:spring-web (>=6.0.0 <=6.0.22)

org.springframework:spring-web MAVEN version =6.0.0, =0.1, =0.1.0, =0.2.3, =0.2.3, =0.0.6, =0.0.6, =4.0.0, =1.5.0.RELEASE, =1.5.1.RELEASE, =1.5.0.RELEASE, =2.1.0.RELEASE, =1.5.0.RELEASE, =3.0.0, =3.1.1 and more Source cves: CVE-2024-38809 Source advisory: OSV:GHSA-2RMJ-MQ67-H97G...

5.3 CVSS, 6.7 AI score, 0.0014 EPSS
Exploits: 0