CVE-2024-29466
Directory Traversal vulnerability in lsgwr spring boot online exam v.0.9 allows an attacker to execute arbitrary code via the FileTransUtil.java component...
This Week in Spring - April 30th, 2024
Welcome to yet another amazing installment of This Week in Spring! As usual, we've got a ton of stuff to get into, so let's dive right into it! Chris Bono announces the new versions of Spring Functions Catalog and Spring Cloud Streams Applications In last week's installment of A Bootiful Podcast,...
Spring Tips: Spring Cloud Gateway for Spring MVC
Hi, Spring fans! In this installment, we revisit Spring Cloud Gateway, this time to look at the fantastic new support for Spring MVC, made all the more amazing by Java 21's virtual threads...
spring boot online exam security vulnerability
Online Exam System is an online exam system by orotnom23 individual developers. A security vulnerability exists in spring boot online exam version v.0.9. An attacker can exploit this vulnerability to execute arbitrary code via the FileTransUtil.java component...
RHEL 8 : jenkins and jenkins-2-plugins (RHSA-2023:3622)
The remote Red Hat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:3622 advisory. Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cro...
RHEL 7 / 8 : OpenShift Container Platform 4.10.56 (RHSA-2023:1655)
The remote Red Hat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:1655 advisory. Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or...
A Bootiful Podcast: Daniel Garnier-Moiroux on Passkeys and Spring Security
Hi, Spring fans! In this installment, I talk to my friend and colleague Daniel Garnier-Moiroux about the amazing awesome implications of passkeys in a Spring Security application...
Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to phishing attacks in VMware Tanzu Spring Framework [CVE-2024-22243]
Summary IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to phishing attacks in VMware Tanzu Spring Framework, caused by an open redirect vulnerability when using UriComponentsBuilder to parse an externally provided URL CVE-2024-22243. VMware Tanzu Spring Framework is...
GHSA-8P5R-6MVV-2435 OpenMetadata vulnerable to a SpEL Injection in `PUT /api/v1/events/subscriptions` (`GHSL-2023-251`)
SpEL Injection in PUT /api/v1/events/subscriptions GHSL-2023-251 Please note, only authenticated users have access to PUT / POST APIs for /api/v1/policies. Non-authenticated users will not be able to access these APIs to exploit the vulnerability. A user must exist in OpenMetadata and have...
Exploit for Deserialization of Untrusted Data in Vmware Spring_For_Apache_Kafka
CVE-2023-34040 This PoC is cloned...
This Week in Spring - Tuesday, April 23rd, 2024
Hi, Spring fans! Welcome to another installment of This Week in Spring! We've had a really busy, wonderful week, as always, so let's dive right into it! We want you! ...to submit a talk to SpringOne 2024, in sunny Las Vegas! Hurry, the CFP closes May 3rd! Spring Shell 3.1.11, 3.2.4, and 3.3.0-m1...
A vulnerability in the UriComponentsBuilder component of the Spring Framework's URL parsing mechanism allows attackers to perform SSRF attacks.
The vulnerability in the UriComponentsBuilder component of the Spring Framework's URL parsing module exists due to insufficient validation of user-supplied data. Exploiting this vulnerability could allow a malicious actor to perform an SSRF attack remotely...
A vulnerability in Spring Security, the Java framework for securing industrial applications, lies in incomplete cleanup of temporary or auxiliary resources. This allows attackers to access confidential data or cause service failures.
The vulnerability in Spring Security, the Java framework for securing industrial applications, is related to incomplete cleanup of temporary or auxiliary resources. Exploiting this vulnerability allows a remote attacker to gain access to confidential data or cause service failure...
Security Bulletin: IBM Observability with Instana for Synthetic PoP is affected by Multiple Security Vulnerabilities
Summary Multiple vulnerabilities were addressed in IBM Observability with Instana for Synthetic PoP build 271 Vulnerability Details CVEID:CVE-2024-22259 DESCRIPTION: VMware Tanzu Spring Framework could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability i...
Open Redirect
org.springframework:spring-web is vulnerable to Open Redirect. The vulnerability is caused by improper validation checks on the host of the parsed URL, which could lead to potential SSRF attacks if the URL is utilized post-validation...
Improper Authorization org.springframework.security:spring-security-core Dependency in Jira Software Data Center and Server
This High severity org.springframework.security:spring-security-core Dependency vulnerability was introduced in versions 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, 9.6.0, 9.7.0, 9.8.0, 9.9.0, 9.10.0, 9.11.0, 9.12.0, 9.13.0, 9.14.0, and 9.15.0 of Jira Software Data Center and Server. This...
A Bootiful Podcast: Spring founders Rod Johnson and Juergen Hoeller on the 20th Anniversary of Spring Framework 1.0
Hi, Spring fans! In this episode, more than 20 incredible years in the making, Spring founders Rod Johnson @springrod and Juergen Hoeller @springjuergen discuss Spring since its 1.0 release in 2004...
Security Bulletin: IBM Spectrum Symphony with spring-security-config is vulnerable to Incorrect Permission Assignment for Critical Resource
Summary IBM Spectrum Symphony with spring-security-config is vulnerable to Incorrect Permission Assignment for Critical Resource Vulnerability Details CVEID:CVE-2023-34042 DESCRIPTION: VMware Tanzu Spring Security could allow a local authenticated attacker to bypass security restrictions, caused ...
Security Bulletin: IBM Spectrum Conductor with spring-security-config is vulnerable to Incorrect Permission Assignment for Critical Resource
Summary IBM Spectrum Conductor with spring-security-config is vulnerable to Incorrect Permission Assignment for Critical Resource Vulnerability Details CVEID:CVE-2023-34042 DESCRIPTION: VMware Tanzu Spring Security could allow a local authenticated attacker to bypass security restrictions, caused...