6746 matches found

Tenable Nessus
added 2024/06/03 12:00 a.m. · 32 views

RHEL 7 : jasperreports-server-pro (Unpatched Vulnerability)

The remote Red Hat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. - jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095)...

CVSS 9.8 · AI score 8.8 · EPSS 0.84949
Exploits: 4 · References: 6
Tenable Nessus
added 2024/06/03 12:00 a.m. · 28 views

RHEL 7 : activemq (Unpatched Vulnerability)

The remote Red Hat Enterprise Linux 7 host has one or more packages installed that are affected by a vulnerability that has been acknowledged by the vendor but will not be patched. - Spring Framework: XML External Entity (XXE) injection flaw (CVE-2013-6429). Note that Nessus has not tested for this iss...

CVSS 6.8 · AI score 6.8 · EPSS 0.38725
Exploits: 0 · References: 1
GithubExploit
added 2024/05/31 12:38 a.m. · 278 views

Exploit for Deserialization of Untrusted Data in Apache Activemq

Technical Summary of the Attack: CVE-2023-46604. The script exploits a...

CVSS 10 · AI score 9.9 · EPSS 0.94436
Exploits: 31
Spring Engineering
added 2024/05/30 12:00 a.m. · 9 views

A Bootiful Podcast: Microsoft's Sandra Ahlgrimm on cloud, Java, AI, and more

Hi, Spring fans, from the amazing Spring IO conference in Barcelona, Spain! In this interview I talked to Microsoft's Sandra Ahlgrimm on all things cloud, Java, AI, and more. Also, a special and quick discussion with Spring IO founder Sergi Almar, who was last on the show in, I think, 2020!...

AI score 7.1
Exploits: 0
Tenable Nessus
added 2024/05/27 12:00 a.m. · 27 views

Atlassian Jira Service Management Data Center and Server < 5.4.20 / 5.5.x < 5.12.7 / 5.13.x < 5.15.2 Broken Access Control (JSDSERVER-15307)

The version of Atlassian Jira Service Management Data Center and Server (Jira Service Desk) running on the remote host is affected by a vulnerability as referenced in the JSDSERVER-15307 advisory. - In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to...

CVSS 8.2 · AI score 6.7 · EPSS 0.00394
Exploits: 0 · References: 2
Spring Engineering
added 2024/05/27 12:00 a.m. · 19 views

This Week in Spring - May 27th, 2024

Hi, Spring fans! Welcome to another installment of This Week in Spring! And what a week it will be! I'm in Venice, Italy, on a little vacation, but tomorrow I begin a quick journey to beautiful Sofia, Bulgaria, where I'll be speaking at the amazing JPrime software show; it's my first time speaking...

AI score 7
Exploits: 0
Broadcom
added 2024/05/26 12:00 a.m. · 9 views

Spring Framework URL Parsing with Host Validation (CVE-2024-22243)

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect attack or to an SSRF attack if the URL is used after passing validation checks. More at:...

CVSS 8.1 · AI score 6.8 · EPSS 0.60124
Exploits: 1
CNNVD
added 2024/05/24 12:00 a.m. · 5 views

lenosp cross-site scripting vulnerability

Lenosp is a Spring Boot 2.0 rapid development modular scaffolding organized by Zhengzhou Programmers zzdevelop in China. A cross-site scripting vulnerability exists in lenosp 20230831 and earlier versions, which stems from a cross-site scripting (XSS) vulnerability in the username parameter of the...

CVSS 5.1 · AI score 3.8 · EPSS 0.00097
Exploits: 0 · References: 3
Spring Engineering
added 2024/05/24 12:00 a.m. · 20 views

SBOM support in Spring Boot 3.3

Spring Boot 3.3.0 has been released, and it contains support for SBOMs. SBOM stands for "Software Bill of Materials" and describes the components used to build a software artifact. In the context of this blog post, that's your Spring Boot application. These SBOMs are useful because they describe...

AI score 6.5
Exploits: 0
RedHat Linux
added 2024/05/23 10:45 p.m. · 2 views

spring-boot: org.springframework.boot: spring-boot-actuator class vulnerable to denial of service

In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0 - 3.0.12 and 3.1.0 - 3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: the application uses Spring M...

CVSS 6.5 · AI score 7.1 · EPSS 0.00282
Exploits: 0 · References: 4
RedHat Linux
added 2024/05/23 10:45 p.m. · 1 view

spring-security: Broken Access Control With Direct Use of AuthenticatedVoter

A broken access control flaw was found in Spring Security. Applications may be vulnerable when directly using the AuthenticatedVoter#vote passing a NULL authentication parameter...

CVSS 8.2 · AI score 7 · EPSS 0.00394
Exploits: 0 · References: 5
RedHat Linux
added 2024/05/23 10:45 p.m. · 3 views

springframework: URL Parsing with Host Validation

A vulnerability was discovered in Spring Framework. Under certain conditions, an attacker might be able to trigger an open redirect. This issue can simplify the process of conducting a phishing attack against users of the deployment...

CVSS 8.1 · AI score 7.1 · EPSS 0.60124
Exploits: 1 · References: 5
Positive Technologies
added 2024/05/23 12:00 a.m. · 6 views

PT-2024-4070 · Unknown · Spring Cloud Data Flow

Name of the Vulnerable Software and Affected Versions: Spring Cloud Data Flow (affected versions not specified). Description: The issue is related to improper sanitization for upload paths in the Skipper server, allowing a malicious user with access to the server API to write arbitrary files to any...

CVSS 8.8 · AI score 7.1 · EPSS 0.77749
Exploits: 1 · References: 26
Spring Engineering
added 2024/05/23 12:00 a.m. · 14 views

A Bootiful Podcast: Tagir Valeev, Fellow Java Champion and IntelliJ IDEA Java legend

Hi, Spring fans! In today's installment we talk to Tagir Valeev, a fellow Java Champion and IntelliJ IDEA Java legend. Also: don't forget to try out the just-released Spring Boot 3.3 release!...

AI score 7.2
Exploits: 0
RedHat Linux
added 2024/05/21 2:18 p.m. · 4 views

springframework: URL Parsing with Host Validation

A vulnerability was found in Spring Framework. Affected versions of this package are vulnerable to an Open Redirect when using UriComponentsBuilder to parse an externally provided URL and perform validation checks on the host of the parsed URL...

CVSS 8.1 · AI score 7.1 · EPSS 0.56395
Exploits: 1 · References: 5
Spring Engineering
added 2024/05/21 12:00 a.m. · 11 views

This Week in Spring - May 21st, 2024

Welcome to another installment of This Week in Spring! It's been yet another amazing and exciting week and with it a bevy of new releases. And of course, in about a week's time, we will find ourselves at Spring IO, ready to show a lot of these new things. Will you be there? I will! Anyway, let's...

AI score 7.1
Exploits: 0
Spring Engineering
added 2024/05/21 12:00 a.m. · 14 views

Deploy and Scale Spring Batch in the Cloud – with Adaptive Cost Control

May 21, 2024, at 9 AM PST. You can now use Azure Spring Apps to effectively run Spring Batch applications with adaptive cost control. You only pay when batch jobs are running, and you can simply lift and shift your Spring Batch jobs with no code change. Spring Batch is a framework for processing...

AI score 7.2
Exploits: 0
GithubExploit
added 2024/05/17 7:26 a.m. · 447 views

Exploit for Incorrect Authorization in Vmware Spring_Security

CVE-2022-22978-demo: Example code for the CVE-2022-22978 vuln...

CVSS 9.8 · AI score 6.8 · EPSS 0.90224
Exploits: 6
Atlassian
added 2024/05/16 5:11 a.m. · 40 views

Improper Authorization org.springframework.security:spring-security-core Dependency in Confluence Data Center and Server

This High severity org.springframework.security:spring-security-core Dependency vulnerability was introduced in versions 1.0 of Confluence Data Center and Server. This org.springframework.security:spring-security-core Dependency vulnerability, with a CVSS Score of 8.2 and a CVSS Vector of...

CVSS 8.2 · AI score 6.6 · EPSS 0.00394
Exploits: 0
Spring Engineering
added 2024/05/16 12:00 a.m. · 7 views

A Bootiful Podcast: Oleg Šelajev, Docker and Testcontainers legend

Hi, Spring and Testcontainers fans! In this interview, I talk to Oleg Šelajev...

AI score 7.2
Exploits: 0