A Bootiful Podcast: Spring founders Rod Johnson and Juergen Hoeller on the 20th Anniversary of Spring Framework 1.0

Hi, Spring fans! In this episode, more than 20 incredible years in the making, Spring founders Rod Johnson @springrod and Juergen Hoeller @springjuergen discuss Spring since its 1.0 release in 2004...

Security Bulletin: IBM Spectrum Symphony with spring-security-config is vulnerable to Incorrect Permission Assignment for Critical Resource

Summary IBM Spectrum Symphony with spring-security-config is vulnerable to Incorrect Permission Assignment for Critical Resource Vulnerability Details CVEID:CVE-2023-34042 DESCRIPTION: VMware Tanzu Spring Security could allow a local authenticated attacker to bypass security restrictions, caused ...

Security Bulletin: IBM Spectrum Conductor with spring-security-config is vulnerable to Incorrect Permission Assignment for Critical Resource

Summary IBM Spectrum Conductor with spring-security-config is vulnerable to Incorrect Permission Assignment for Critical Resource Vulnerability Details CVEID:CVE-2023-34042 DESCRIPTION: VMware Tanzu Spring Security could allow a local authenticated attacker to bypass security restrictions, caused...

Spring Tips: GRPC

Hi, Spring fans! In this installment, we look at how to create GRPC-based services with Spring Boot...

VulnCheck KEV: CVE-2024-28254

OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The ‎AlertUtil::validateExpression method evaluates an SpEL expression using getValue which by default uses the...

CVE-2024-22262

A flaw was found in the Spring Framework. Applications that use UriComponentsBuilder to parse an externally provided URL, for example, through a query parameter, and perform validation checks on the host of the parsed URL may be vulnerable to an open redirect attack or an SSRF attack if the URL i...

ai.ancf.lmos-router:lmos-router-llm-in-spring-cloud-gateway-demo (=0.28.0), ai.ancf.lmos:arc-graphql-spring-boot-starter (>=0.1.1 <=0.112.0) +8651 more potentially affected by CVE-2024-22262 via org.springframework:spring-web (>=6.1.0 <=6.1.5)

org.springframework:spring-web MAVEN version =6.1.0, =0.1.1, =0.1.1, =0.0.4, =0.1.0, =0.1.0, =0.5.0, =0.6.0, =0.6.0, =0.5.0, =0.6.0, =0.6.0, =0.5.0, =0.7.0, =0.7.0, =0.8.7 and more Source cves: CVE-2024-22262 Source advisory: OSV:GHSA-2WRP-6FG6-HMC5...

ai.optfor:spring-openai-api (>=0.1 <=0.3.25), am.ik.s3:simple-s3-client (>=0.1.0 <=0.1.1) +3858 more potentially affected by CVE-2024-22262 via org.springframework:spring-web (>=6.0.0 <=6.0.18)

org.springframework:spring-web MAVEN version =6.0.0, =0.1, =0.1.0, =0.2.3, =0.2.3, =4.0.0, =1.5.0.RELEASE, =1.5.1.RELEASE, =1.5.0.RELEASE, =2.1.0.RELEASE, =1.5.0.RELEASE, =1.5.2.RELEASE - be.tomcools:rickroll-security-spring-boot-starter =3.1.1 -...

GHSA-2WRP-6FG6-HMC5 Spring Framework URL Parsing with Host Validation

Applications that use UriComponentsBuilder to parse an externally provided URL e.g. through a query parameter AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is...

Spring Framework URL Parsing with Host Validation

Applications that use UriComponentsBuilder to parse an externally provided URL e.g. through a query parameter AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is...

ColumnPack:ColumnPack-plugin (=1.0.3), CustomHistory:CustomHistory (>=1.1 <=1.3) +36817 more potentially affected by CVE-2024-22262 via org.springframework:spring-web (>=1.2.1 <=5.3.33)

org.springframework:spring-web MAVEN version =1.2.1, =1.1, =0.0.1, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.2.0 and more Source cves: CVE-2024-22262 Source advisory: OSV:GHSA-2WRP-6FG6-HMC5...

CVE-2024-22262

Applications that use UriComponentsBuilder to parse an externally provided URL e.g. through a query parameter AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is...

CVE-2024-22262 CVE-2024-22262: Spring Framework URL Parsing with Host Validation

Applications that use UriComponentsBuilder to parse an externally provided URL e.g. through a query parameter AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is...

CVE-2024-22262 CVE-2024-22262: Spring Framework URL Parsing with Host Validation

Applications that use UriComponentsBuilder to parse an externally provided URL e.g. through a query parameter AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is...

Spring Framework 安全漏洞

Spring Framework is a set of open source Java, JavaEE application frameworks from the U.S. Spring team. The framework helps developers build high-quality applications. Spring Framework has a security vulnerability that stems from vulnerability to open redirection attacks or server-side request...

Spring Expression DoS Vulnerability (CVE-2023-20861)

In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service DoS condition...

This Week in Spring - April 16th, 2024

Hi, Spring fans! Welcome to another installment of This Week in Spring! I'm writing this from beautiful Paris, France, ahead of the amazing Devoxx France event. I've come to almost all of these events over the years. It's hard to believe it's been more than a decade since the show was first...

Spring Expression DoS Vulnerability (CVE-2023-20863)

In Spring Framework versions 6.0.0 - 6.0.7, 5.3.0 - 5.3.26, 5.2.0.RELEASE - 5.2.23.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service DoS condition...

SQL Injection Vulnerability in SpringBlade of Shanghai Breadtech Co.

SpringBlade is a microservice architecture upgraded and optimized from a commercial-grade project, built with core technologies such as Spring Boot 2.5 and Spring Cloud 2020, and fully following Alibaba coding standards. Ltd. SpringBlade exists SQL injection vulnerability, attackers can use the...

Spring Framework 6.2.0-M1: Overriding Beans in Tests

Spring Framework 6.2.0-M1 has been released, including changes that resolve more than one hundred issues. Among those are a range of new features in Spring's testing support. In this post, I’d like to walk you through one of these new testing features: Bean Overriding support. The previous state ...