
6751 matches found

IBM Security Bulletins
added 2024/03/29 10:45 a.m. | 42 views

Security Bulletin: Vulnerability in VMware Tanzu Spring Framework affects IBM Process Mining CVE-2023-34053

Summary There is a vulnerability in VMware Tanzu Spring Framework that could allow a remote attacker to cause a denial of service on the system. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability. Vulnerability Details...

CVSS 7.5 | AI score 6.7 | EPSS 0.00846
Exploits 0 | Affected Software 1
Spring Engineering
added 2024/03/28 12:00 a.m. | 15 views

A Bootiful Podcast: Joseph Ottinger and Andrew Lombardi on "Beginning Spring 6"

Hi, Spring fans! In this episode I'm joined by Java luminaries and Apress' Beginning Spring 6 authors Joseph Ottinger and Andrew Lombardi...

AI score 7.3
Exploits 0
CNNVD
added 2024/03/28 12:00 a.m. | 3 views

Shanghai Brad Technology BladeX SQL injection vulnerability

Shanghai Brad Technology BladeX is a SpringBoot Rapid Development Platform from Shanghai Brad Technology Shanghai, China. A SQL injection vulnerability exists in Shanghai Brad Technology BladeX version 3.4.0, which originates from a SQL injection vulnerability in file/api/blade-user/export-user...

CVSS 9.8 | AI score 7 | EPSS 0.00041
Exploits 0 | References 5
Spring Engineering
added 2024/03/26 12:00 a.m. | 16 views

This Week in Spring - March 26th, 2024

Hi, Spring fans! Welcome to another installment of This Week in Spring! Sam Brannen shares some good news: a null-safe Index operator for the Spring Expression Language SpEL is coming to Spring Framework 6.2! This is interesting, and a nice application of AI do I even need to spell out "artificia...

AI score 7.2
Exploits 0
IBM Security Bulletins
added 2024/03/22 4:05 p.m. | 32 views

Security Bulletin: Vulnerability in Spring Data MongoDB might affect IBM Storage Copy Data Management. [CVE-2022-22980]

Summary IBM Storage Copy Data Management can be affected by a vulnerability in Spring Data MongoDB. A remote attacker could exploit this vulnerability to execute arbitrary code on the system as described by the CVEs in the "Vulnerability Details" section. Vulnerability Details CVEID:CVE-2022-2298...

CVSS 9.8 | AI score 9.6 | EPSS 0.83316
Exploits 3 | Affected Software 1
Spring Engineering
added 2024/03/22 12:00 a.m. | 27 views

Reflectionless Templates With Spring

A few Java libraries have shown up recently that use text templates, but compile to Java classes at build time. They can thus claim to some extent to be "reflection free". Together with potential benefits of runtime performance, they promise to be easy to use and integrate with GraalVM native ima...

AI score 7.2
Exploits 0
Tenable Nessus
added 2024/03/22 12:00 a.m. | 11 views

FreeBSD : security/shibboleth-idp -- CAS service SSRF (7a7129ef-e790-11ee-a1c0-0050569f0b83)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 7a7129ef-e790-11ee-a1c0-0050569f0b83 advisory. - Shibboleth Developers report: The Identity Provider's CAS support relies on a function in the Spring...

AI score 5.6
Exploits 0 | References 2
Veracode
added 2024/03/21 7:09 a.m. | 22 views

PKCE Downgrade Attack

spring-security-oauth2-authorization-server is vulnerable to PKCE Downgrade. The vulnerability is due to improper handling of PKCE authorization when a Confidential Client requests an Authorization Code Grant. Note that this vulnerability only applies to Confidential Clients, Public Clients are...

CVSS 6.1 | AI score 6.9 | EPSS 0.00093
Exploits 0 | References 3 | Affected Software 1
Github Security Blog
added 2024/03/21 3:36 a.m. | 19 views

SQL injection in Folio Spring Module Core

A vulnerability was found in Folio Spring Module Core before 2.0.0. Affected by this issue is the function dropSchema of the file tenant/src/main/java/org/folio/spring/tenant/hibernate/HibernateSchemaService.java of the component Schema Name Handler. The manipulation leads to sql injection...

CVSS 9.8 | AI score 7.5 | EPSS 0.0011
Exploits 0 | References 7 | Affected Software 1
OSV
added 2024/03/21 3:36 a.m. | 10 views

GHSA-4H5H-P23F-HJQF SQL injection in Folio Spring Module Core

A vulnerability was found in Folio Spring Module Core before 2.0.0. Affected by this issue is the function dropSchema of the file tenant/src/main/java/org/folio/spring/tenant/hibernate/HibernateSchemaService.java of the component Schema Name Handler. The manipulation leads to sql injection...

CVSS 5.5 | AI score 7.7 | EPSS 0.0011
Exploits 0 | References 6
OSV
added 2024/03/21 2:44 a.m. | 13 views

CVE-2022-4963

A vulnerability was found in Folio Spring Module Core up to 1.1.5. It has been rated as critical. Affected by this issue is the function dropSchema of the file tenant/src/main/java/org/folio/spring/tenant/hibernate/HibernateSchemaService.java of the component Schema Name Handler. The manipulation...

CVSS 9.8 | AI score 7.5
Exploits 0 | References 5
NVD
added 2024/03/21 2:44 a.m. | 7 views

CVE-2022-4963

A vulnerability was found in Folio Spring Module Core up to 1.1.5. It has been rated as critical. Affected by this issue is the function dropSchema of the file tenant/src/main/java/org/folio/spring/tenant/hibernate/HibernateSchemaService.java of the component Schema Name Handler. The manipulation...

CVSS 9.8 | AI score 6 | EPSS 0.0011
Exploits 0 | References 5
CNNVD
added 2024/03/21 12:00 a.m. | 3 views

Spring Module Core SQL injection vulnerability

Spring Module Core is a FOLIO open source Spring Module Core library developed using Okapi. Spring Module Core version 1.1.5 has a SQL injection vulnerability; the vulnerability stems from the dropSchema function of the Schema Name Handler component, which can lead to SQL injection...

CVSS 9.8 | AI score 6.1 | EPSS 0.0011
Exploits 0 | References 6
IBM Security Bulletins
added 2024/03/20 6:36 p.m. | 49 views

Security Bulletin: Vulnerabilities in Spring, Tomcat, Jackson, sudo, and Linux kernel can affect IBM Spectrum Protect Plus

Summary IBM Spectrum Protect Plus can be affected by vulnerabilities in Spring, Tomcat, Jackson, sudo, and Linux kernel. Vulnerabilities include obtaining sensitive information, gaining elevated privileges, executing arbitrary commands, denial of service, and bypassing security restrictions, as...

CVSS 9.8 | AI score 9.8 | EPSS 0.90224
Exploits 15 | Affected Software 1
Vulnrichment
added 2024/03/20 6:31 p.m. | 14 views

CVE-2022-4963 Folio Spring Module Core Schema Name HibernateSchemaService.java dropSchema sql injection

A vulnerability was found in Folio Spring Module Core up to 1.1.5. It has been rated as critical. Affected by this issue is the function dropSchema of the file tenant/src/main/java/org/folio/spring/tenant/hibernate/HibernateSchemaService.java of the component Schema Name Handler. The manipulation...

CVSS 5.5 | AI score 7.5 | EPSS 0.0011
Exploits 0 | References 5
CVE
added 2024/03/20 6:31 p.m. | 57 views

CVE-2022-4963

CVE-2022-4963 affects Folio Spring Module Core up to version 1.1.5. The vulnerability is a SQL injection in the dropSchema function of HibernateSchemaService.java (Schema Name Handler). Root cause: improper handling in dropSchema leads to injection risk. Upgrading to version 2.0.0 addresses the i...

CVSS 9.8 | AI score 5.9 | EPSS 0.0011
Exploits 0 | References 5 | Affected Software 1
Cvelist
added 2024/03/20 6:31 p.m. | 13 views

CVE-2022-4963 Folio Spring Module Core Schema Name HibernateSchemaService.java dropSchema sql injection

A vulnerability was found in Folio Spring Module Core up to 1.1.5. It has been rated as critical. Affected by this issue is the function dropSchema of the file tenant/src/main/java/org/folio/spring/tenant/hibernate/HibernateSchemaService.java of the component Schema Name Handler. The manipulation...

CVSS 5.5 | AI score 6.3 | EPSS 0.0011
Exploits 0 | References 5
OSV
added 2024/03/20 3:32 p.m. | 0 views

GHSA-X637-X8P3-5P22 Improper Authentication in Spring Authorization Server

Spring Authorization Server versions 1.0.0 - 1.0.5, 1.1.0 - 1.1.5, 1.2.0 - 1.2.2 and older unsupported versions are susceptible to a PKCE Downgrade Attack for Confidential Clients. Specifically, an application is vulnerable when a Confidential Client uses PKCE for the Authorization Code Grant. An...

CVSS 6.1 | AI score 5.9 | EPSS 0.00093
Exploits 0 | References 4
vulnersOsv
added 2024/03/20 3:32 p.m. | 3 views

cn.com.tltim.pigx:pigx-common-security (=5.0.0-20240820), cn.com.tltim.pigx:pigx-common-websocket (=5.0.0-20240820) +46 more potentially affected by CVE-2024-22258 via org.springframework.security:spring-security-oauth2-authorization-server (>=0.2.0 <=1.1.5)

org.springframework.security:spring-security-oauth2-authorization-server MAVEN version =0.2.0, =0.0.1-alpha.1, =3.1.5.2, =2.7.7.3, =2.7.7.4, =2.7.0.0, =2.7.0.0, =2.7.1.2, =2.7.0.0, =3.0.6.4, =2023.0.0.2-alpha.1, =2023.0.0.2-alpha.2 - com.github.paganini2008.doodler:doodler-common-oauth =1.0.0-bet...

CVSS 6.1 | AI score 6.3 | EPSS 0.00093
Exploits 0
vulnersOsv
added 2024/03/20 3:32 p.m. | 3 views

cn.herodotus.engine:oauth2-authorization-server-autoconfigure (>=3.2.0.0 <=3.2.2.2), cn.herodotus.engine:oauth2-sdk-authentication (>=3.2.0.0 <=3.2.2.2) +9 more potentially affected by CVE-2024-22258 via org.springframework.security:spring-security-oauth2-authorization-server (>=1.2.0 <=1.2.2)

org.springframework.security:spring-security-oauth2-authorization-server MAVEN version =1.2.0, =3.2.0.0, =3.2.0.0, =3.2.0.0, =3.2.0.0, =3.0.0, =3.0.0, =2.0.0, =1.5.0, =2.0.0, =1.0.0-beta2, =3.2.0, =3.2.3 Source cves: CVE-2024-22258 Source advisory: OSV:GHSA-X637-X8P3-5P22...

CVSS 6.1 | AI score 6.3 | EPSS 0.00093
Exploits 0