This Week in Spring - June 18th, 2024

Hi, Spring fans! Welcome to another installment of This Week in Spring! I've just come from Paris, France, and now I'm in equally beautiful Krakow, Poland, for the amazing Devoxx PL event. We've got a ton of good stuff to dive into, so let's get going! In last week's installment of Spring Tips, I...

Spring Tips: Introducing Spring Modulith

Hi, Spring fans! In this installment we look at the amazing Spring Modulith project. It's goal is to help you better structure your codebase for architectural scalability. It's an amazing and refreshing approach to building applications. Think of it like a chance to pair program on the architectu...

The vulnerability of the application programming interface of the Spring Cloud Skipper package management server allows a perpetrator to write any files they desire.

The vulnerability of the Spring Cloud Skipper package manager’s application interface involves unlimited loading of dangerous files. Exploiting this vulnerability allows a remote attacker to write any files they desire...

A Bootiful Podcast: Abdel Sghiouar, Cloud Native Developer Advocate at Google

Hi, Spring fans! Abdel Sghiouar is a senior Cloud Native Developer Advocate at Google, a co-host of the Kubernetes Podcast by Google and a CNCF Ambassador, and it was my pleasure to sit down with him at the amazing Spring IO event in Barcelona and catch up on all things Kubernetes and Google...

Security Bulletin: IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to multiple issues due to VMware Tanzu Spring

Summary There are vulnerabilities in VMware Tanzu Spring Security and Framework used by Integrated Web Services in IBM Sterling Connect:Direct for Microsoft Windows. IBM Sterling Connect:Direct for Microsoft Windows has addressed the applicable CVEs. Vulnerability Details CVEID:CVE-2024-22257...

Security Bulletin: Spring vulnerability in embedded components may affect IBM Business Automation Workflow - CVE-2024-22243

Summary IBM Business Automation Workflow is vulnerable to a open redirect attack. Vulnerability Details CVEID:CVE-2024-22243 DESCRIPTION: VMware Tanzu Spring Framework could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability when using UriComponentsBuild...

This Week in Spring - June 11th, 2024

This Week in Spring - June 10th, 2024 Hi, Spring fans! Welcome to another installment of This Week in Spring! I'm in Paris, France, to talk to organizations using and working with Spring. Then, next week, it's off to Krakow, Poland, for the amazing Devoxx PL event! I can't wait. If you're around,...

SSRF (Server-Side Request Forgery) org.springframework:spring-web Dependency in Confluence Data Center and Server

This High severity org.springframework:spring-web Dependency vulnerability was introduced in versions 1.0 of Confluence Data Center and Server. This org.springframework:spring-web Dependency vulnerability, with a CVSS Score of 8.1 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N...

spring-security: Broken Access Control With Direct Use of AuthenticatedVoter

A broken access control flaw was found in Spring Security. Applications may be vulnerable when directly using the AuthenticatedVotervote passing a NULL authentication parameter...

springframework: URL Parsing with Host Validation

A flaw was found in the Spring Framework. Applications that use UriComponentsBuilder to parse an externally provided URL, for example, through a query parameter, and perform validation checks on the host of the parsed URL may be vulnerable to an open redirect attack or an SSRF attack if the URL i...

Important: Red Hat Security Advisory: Red Hat Build of Apache Camel 3.20.6 for Spring Boot security update.

Red Hat build of Apache Camel 3.20.6 for Spring Boot release and security update is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available f...

A Bootiful Podcast: Jetbrains Developer Advocate Pasha Finkelshteyn

Hi, Spring fans! In this week's installment I talk to Jetbrains' Developer Advocate Pasha Finkelshteyn...

Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in spring-web-5.3.15.jar

Summary IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of spring-web-5.3.15.jar Vulnerability Details CVEID:CVE-2024-22243 DESCRIPTION: VMware Tanzu Spring Framework could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability...

Spring Tips: Spring AI Redux

Hi, Spring fans! In this installment, brought to you with permission from the amazing Spring I/O 2024 conference event in Barcelona, Spain, I join Spring AI engineer Christian Tzolov for a keynote introducing some of the amazing new features in Spring AI. artificialintelligence ai springboot java...

This Week in Spring - June 4th, 2024

Hi, Spring fans, from London! I'm in this fabulous country doing my level-headed best to refrain from dooing Mr. Bean bits, because, honestly, if I - an avid and prolific fan of Spring and its many beans - can't be "Mr. Bean," then I'm glad Rowan Atkinson is! I'm here for a SpringOne Tour event,...

Security Bulletin: IBM MaaS360 Cloud Extender Mobile Enterprise Gateway (MEG) and VPN Module affected by multiple vulnerabilities (CVE-2024-29025, CVE-2024-22262, CVE-2023-6129, CVE-2024-0727, CVE-2024-22201, CVE-2023-6237)

Summary Vulnerabilities contained within OpenSSL a 3rd party component were addressed in the IBM MaaS360 VPN Module. Vulnerabilities contained within Netty, Spring Framework and Eclipse Jetty 3rd party components were addressed in the IBM MaaS360 Mobile Enterprise Gateway MEG Module. Vulnerabilit...

spring-security: Broken Access Control in Spring Security With Direct Use of isFullyAuthenticated

A vulnerability was found in Spring Security. This issue may lead to Broken Access Control, allowing a malicious user to impact the Confidentiality and Integrity of an application or server. This requires the application to use AuthenticationTrustResolver.isFullyAuthenticatedAuthentication direct...

Important: Red Hat Security Advisory: HawtIO 4.0.0 for Red Hat build of Apache Camel 4 Release and security update.

HawtIO 4.0.0 for Red Hat build of Apache Camel 4 GA Release is now available. The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products. Red Hat Product Security has rated this update ...

RHEL 7 : jasperreports-server-pro (Unpatched Vulnerability)

The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. - jackson-databind: Unsafe deserialization due to incomplete black list incomplete fix for CVE-2017-15095...

RHEL 7 : activemq (Unpatched Vulnerability)

The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by a vulnerability that has been acknowledged by the vendor but will not be patched. - Spring Framework: XML External Entity XXE injection flaw CVE-2013-6429 Note that Nessus has not tested for this iss...