Vulnrichment
added 2024/03/20 3:58 a.m. · 19 views

CVE-2024-22258: PKCE Downgrade in Spring Authorization Server

Spring Authorization Server versions 1.0.0 - 1.0.5, 1.1.0 - 1.1.5, 1.2.0 - 1.2.2 and older unsupported versions are susceptible to a PKCE Downgrade Attack for Confidential Clients. Specifically, an application is vulnerable when a Confidential Client uses PKCE for the Authorization Code Grant. An...

CVSS 6.1 · AI score 6.9 · EPSS 0.00093
Exploits 0 · References 1
IBM Security Bulletins
added 2024/03/20 1:05 a.m. · 29 views

Security Bulletin: IBM InfoSphere Information Server is affected by a denial of service vulnerability in Spring Framework (CVE-2023-34053)

Summary: A denial of service vulnerability in Spring Framework used by IBM InfoSphere Information Server was addressed. Vulnerability Details: CVEID: CVE-2023-34053. DESCRIPTION: VMware Tanzu Spring Framework is vulnerable to a denial of service, caused by a flaw when the application uses Spring MVC ...

CVSS 7.5 · AI score 6.3 · EPSS 0.00846
Exploits 0 · Affected Software 1
CNNVD
added 2024/03/20 12:00 a.m. · 1 views

Spring Authorization Server Security Vulnerability

VMware Spring Authorization Server is a framework from VMware for building secure OAuth 2.0 and OpenID Connect 1.0 authorization servers. A security vulnerability exists in Spring Authorization Server that stems from an application being susceptible to a PKCE downgrade attack when the PKCE...

CVSS 6.1 · AI score 6.9 · EPSS 0.00093
Exploits 0 · References 2
Spring Engineering
added 2024/03/20 12:00 a.m. · 7 views

Spring Tips: the Exposed ORM for Kotlin

Hi, Spring fans! In this installment we look at the Exposed Object Relational Mapper framework for Kotlin. Kotlin Java JDBC springboot...

AI score 7.3
Exploits 0
FreeBSD
added 2024/03/20 12:00 a.m. · 11 views

security/shibboleth-idp -- CAS service SSRF

Shibboleth Developers report: The Identity Provider's CAS support relies on a function in the Spring Framework to parse CAS service URLs and append the ticket parameter...

AI score 7.2
Exploits 0 · References 1
BDU FSTEC
added 2024/03/20 12:00 a.m. · 1 views

A vulnerability in the AuthenticatedVoter class of the Spring Security framework for securing Java applications allows an attacker to gain unauthorized access to protected information.

The vulnerability in the AuthenticatedVoter class of the Spring Security framework for securing Java applications is caused by access-control deficiencies when a null authentication parameter is processed. Exploiting this vulnerability can allow an attacker to gain unauthorized access to...

CVSS 8.5 · AI score 6.6 · EPSS 0.00394
Exploits 0 · References 4 · Affected Software 1
Spring Engineering
added 2024/03/19 12:00 a.m. · 14 views

Hello, Java 22!

Update: I've since published a Spring Tips video on this very topic! If you'd prefer, you could watch that instead. Hi, Spring fans! Happy Java 22 release day, to those who celebrate! Did you get the bits already? Go, go, go! Java 22 is a significant improvement that I think is a worthy upgrade fo...

AI score 7.2
Exploits 0
Positive Technologies
added 2024/03/19 12:00 a.m. · 2 views

PT-2024-19292 · Spring · Spring Authorization Server

Name of the Vulnerable Software and Affected Versions: Spring Authorization Server versions 1.0.0 through 1.0.5; Spring Authorization Server versions 1.1.0 through 1.1.5; Spring Authorization Server versions 1.2.0 through 1.2.2; Spring Authorization Server older unsupported versions. Description: The...

CVSS 6.1 · AI score 7 · EPSS 0.00093
Exploits 0 · References 11
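The three CVE-2024-22258 entries above all come down to one rule at the token endpoint: once an authorization request carried a code_challenge, the code exchange must present a code_verifier that matches it, and a confidential client's client authentication is not a substitute. The block below is an added example of that check, written against RFC 7636 in plain Java; it is not Spring Authorization Server code, the IssuedCode, TokenRequest and accept names are hypothetical, and the verifier/challenge pair is the RFC 7636 Appendix B test vector.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

// Added illustration of a downgrade-resistant PKCE check (hypothetical names, not Spring code).
public final class PkceCheck {

    /** What the authorization server stored when it issued the authorization code. */
    public record IssuedCode(String clientId, boolean confidentialClient,
                             String codeChallenge, String codeChallengeMethod) {}

    /** What arrives at the token endpoint in exchange for that code. */
    public record TokenRequest(String clientId, boolean clientAuthenticated, String codeVerifier) {}

    /** Accept the code exchange only if PKCE, when it was started, is also finished. */
    public static boolean accept(IssuedCode issued, TokenRequest req) {
        if (!issued.clientId().equals(req.clientId())) {
            return false;
        }
        // A confidential client still has to authenticate, but that proves who the client is,
        // not that this token request comes from the same party that started the flow.
        if (issued.confidentialClient() && !req.clientAuthenticated()) {
            return false;
        }
        if (issued.codeChallenge() == null) {
            // No code_challenge was bound to this code, so there is nothing to verify here
            // (whether PKCE is mandatory for a given client type is a separate policy decision).
            return true;
        }
        // Downgrade attempt: a challenge was bound to the code but no verifier is presented.
        if (req.codeVerifier() == null || req.codeVerifier().isEmpty()) {
            return false;
        }
        return verifierMatches(issued.codeChallenge(), issued.codeChallengeMethod(), req.codeVerifier());
    }

    /** RFC 7636 section 4.6: derive the challenge from the verifier and compare in constant time. */
    static boolean verifierMatches(String challenge, String method, String verifier) {
        String derived;
        if ("S256".equals(method)) {
            derived = Base64.getUrlEncoder().withoutPadding()
                    .encodeToString(sha256(verifier.getBytes(StandardCharsets.US_ASCII)));
        } else if ("plain".equals(method)) {
            derived = verifier;
        } else {
            return false; // unknown transform: never silently accept
        }
        return MessageDigest.isEqual(derived.getBytes(StandardCharsets.US_ASCII),
                                     challenge.getBytes(StandardCharsets.US_ASCII));
    }

    private static byte[] sha256(byte[] input) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(input);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        // RFC 7636 Appendix B test vector (S256).
        String verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";
        String challenge = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM";
        IssuedCode code = new IssuedCode("web-app", true, challenge, "S256");

        // Authenticated confidential client that omits code_verifier: the downgrade case.
        System.out.println("downgrade rejected: "
                + !accept(code, new TokenRequest("web-app", true, null)));
        // Same client presenting the right verifier.
        System.out.println("proper exchange accepted: "
                + accept(code, new TokenRequest("web-app", true, verifier)));
        // Wrong verifier from an attacker who stole the code.
        System.out.println("wrong verifier rejected: "
                + !accept(code, new TokenRequest("web-app", true, "not-the-verifier")));
    }
}
```

The design point is the ordering: client authentication is checked and then PKCE is checked independently, so authenticating as the confidential client can never short-circuit the verifier comparison. Requires Java 16 or later for records.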
Spring Engineering
added 2024/03/19 12:00 a.m. · 17 views

This Week in Spring - March 19th, 2024

Hi, Spring fans! And happy Java 22 release day to those who celebrate! I just put out a huge blog detailing many of the exciting new features in Java 22. Check it out! As usual, we've got a packed roundup to get through this week so let's dive right into it! the Spring Authorization Server 1.3.0-...

AI score 6.8
Exploits 0
Spring Engineering
added 2024/03/19 12:00 a.m. · 26 views

Token Exchange support in Spring Security 6.3.0-M3

I'm excited to share that there will be support for the OAuth 2.0 Token Exchange Grant (RFC 8693) in Spring Security 6.3, which is available for preview now in the latest milestone 6.3.0-M3. This support provides the ability to use Token Exchange with OAuth2 Client. Similarly, server-side suppo...

AI score 6.7
Exploits 0
RedhatCVE
added 2024/03/18 5:56 p.m. · 184 views

CVE-2024-22257

A broken access control flaw was found in Spring Security. Applications may be vulnerable when directly using AuthenticatedVoter#vote passing a NULL authentication parameter. Mitigation: Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to...

CVSS 9.8 · AI score 8.2 · EPSS 0.00394
Exploits 0 · References 4
vulnersOsv
added 2024/03/18 3:30 p.m. · 4 views

cn.sparrowmini:sparrow-org-service (=0.0.1), cn.sparrowmini:sparrow-pem-service (=0.0.1) +435 more potentially affected by CVE-2024-22257 via org.springframework.security:spring-security-core (>=5.8.0 <=5.8.10)

org.springframework.security:spring-security-core MAVEN version =5.8.0, =1.48.0, =1.48.0, =1.48.0, =2.4.0, =2.4.0, =2.4.0, =3.7.0, =3.7.0, =3.7.0, =3.7.0, =1.3.1, =1.3.2 - com.gitlab.summer-cattle:cattle-addons-wechat-starter =0.0.5 - com.gitlab.summer-cattle:cattle-commons-web-mvc =0.0.6 and mor...

CVSS 8.2 · AI score 7.1 · EPSS 0.00394
Exploits 0
vulnersOsv
added 2024/03/18 3:30 p.m. · 0 views

africa.absa:inception-api (>=1.0.0 <=1.2.0), africa.absa:inception-codes-api (>=1.0.0 <=1.2.0) +9246 more potentially affected by CVE-2024-22257 via org.springframework.security:spring-security-core (>=2.0.0 <=5.7.11)

org.springframework.security:spring-security-core MAVEN version =2.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =4.4.0.0, =0.1.8, =0.1.6, =0.1.7 and more Source cves: CVE-2024-22257 Source advisory: OSV:GHSA-F3JH-QVM4-MG39...

CVSS 8.2 · AI score 7.1 · EPSS 0.00394
Exploits 0
Github Security Blog
added 2024/03/18 3:30 p.m. · 68 views

Erroneous authentication pass in Spring Security

In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, versions 6.2.x prior to 6.2.3, an application is possibly vulnerable to broken access control when it directly uses AuthenticatedVoter#vote passing a null...

CVSS 8.2 · AI score 8.3 · EPSS 0.00394
Exploits 0 · References 5 · Affected Software 1
vulnersOsv
added 2024/03/18 3:30 p.m. · 5 views

app.valuationcontrol:library (>=0.5.2 <=0.5.6), app.valuationcontrol:webservice (>=0.5.0 <=0.5.1) +1433 more potentially affected by CVE-2024-22257 via org.springframework.security:spring-security-core (>=6.2.0 <=6.2.2)

org.springframework.security:spring-security-core MAVEN version =6.2.0, =0.5.2, =0.5.0, =7.0.0, =1.0.0, =v1.0.26, =1.0.18, =1.0.2, =1.0.2, =1.0.11, =3.2.0.0, =3.2.0.0, =3.2.0.0, =3.2.0.0, =3.2.2.2 and more Source cves: CVE-2024-22257 Source advisory: OSV:GHSA-F3JH-QVM4-MG39...

CVSS 8.2 · AI score 7.1 · EPSS 0.00394
Exploits 0
vulnersOsv
added 2024/03/18 3:30 p.m. · 2 views

be.jidoka:jdk-keycloak-admin (>=2.0.0 <=2.2.0), be.personify.iam:personify-frontend (>=1.5.1.RELEASE <=1.5.2.RELEASE) +1605 more potentially affected by CVE-2024-22257 via org.springframework.security:spring-security-core (>=6.0.0 <=6.1.7)

org.springframework.security:spring-security-core MAVEN version =6.0.0, =2.0.0, =1.5.1.RELEASE, =1.1.0, =1.1.0, =1.1.4.2, =1.1.5 - cc.vihackerframework:vihacker-auth-starter =1.0.8.R - cc.vihackerframework:vihacker-common-starter =1.0.8.R - cc.vihackerframework:vihacker-log-starter =1.0.8.R -...

CVSS 8.2 · AI score 7.1 · EPSS 0.00394
Exploits 0
OSV
added 2024/03/18 3:30 p.m. · 1 views

GHSA-F3JH-QVM4-MG39 Erroneous authentication pass in Spring Security

In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, versions 6.2.x prior to 6.2.3, an application is possibly vulnerable to broken access control when it directly uses AuthenticatedVoter#vote passing a null...

CVSS 8.2 · AI score 6.8 · EPSS 0.00394
Exploits 0 · References 5
NVD
added 2024/03/18 3:15 p.m. · 20 views

CVE-2024-22257

In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, versions 6.2.x prior to 6.2.3, an application is possibly vulnerable to broken access control when it directly uses AuthenticatedVoter#vote passing a null...

CVSS 8.2 · AI score 8.1 · EPSS 0.00394
Exploits 0 · References 2
Cvelist
added 2024/03/18 2:18 p.m. · 32 views

CVE-2024-22257

In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, versions 6.2.x prior to 6.2.3, an application is possibly vulnerable to broken access control when it directly uses AuthenticatedVoter#vote passing a null...

CVSS 8.2 · AI score 8.2 · EPSS 0.00394
Exploits 0 · References 2
Vulnrichment
added 2024/03/18 2:18 p.m. · 24 views

CVE-2024-22257

In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, versions 6.2.x prior to 6.2.3, an application is possibly vulnerable to broken access control when it directly uses AuthenticatedVoter#vote passing a null...

CVSS 8.2 · AI score 6.7 · EPSS 0.00394
Exploits 0 · References 2
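The CVE-2024-22257 entries above (Red Hat, GitHub, OSV, NVD, CVElist, Vulnrichment) all describe the same condition: code that calls AuthenticatedVoter#vote directly and hands it a null Authentication. The block below is an added example, not code from Spring Security or from any of the advisories, showing that calling pattern next to a caller-side guard. The class and method names are hypothetical; the Spring Security types and constants it imports are real.

```java
import java.util.List;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.AuthenticatedVoter;
import org.springframework.security.core.Authentication;

// Added illustration for CVE-2024-22257 (hypothetical class, real Spring Security API).
public class DirectVoterUse {

    private static final List<ConfigAttribute> FULLY_AUTHENTICATED =
            SecurityConfig.createList(AuthenticatedVoter.IS_AUTHENTICATED_FULLY);

    private final AuthenticatedVoter voter = new AuthenticatedVoter();

    // The pattern the advisories warn about: whatever the caller holds, possibly null,
    // goes straight into vote(). On the affected versions listed above a null
    // Authentication can pass this vote; the fixed releases deny it inside the voter.
    public boolean unsafeIsFullyAuthenticated(Authentication authentication, Object secured) {
        int decision = voter.vote(authentication, secured, FULLY_AUTHENTICATED);
        return decision == AccessDecisionVoter.ACCESS_GRANTED;
    }

    // Caller-side guard: a missing principal is denied before the voter is consulted, so the
    // outcome no longer depends on which spring-security-core version is on the classpath.
    // The isAuthenticated() test is an extra belt-and-braces check beyond the null guard.
    public boolean safeIsFullyAuthenticated(Authentication authentication, Object secured) {
        if (authentication == null || !authentication.isAuthenticated()) {
            return false;
        }
        int decision = voter.vote(authentication, secured, FULLY_AUTHENTICATED);
        return decision == AccessDecisionVoter.ACCESS_GRANTED;
    }

    public static void main(String[] args) {
        DirectVoterUse check = new DirectVoterUse();
        Object secured = new Object(); // stand-in for the secured object or method invocation
        System.out.println("unsafe caller, null authentication: "
                + check.unsafeIsFullyAuthenticated(null, secured));
        System.out.println("guarded caller, null authentication: "
                + check.safeIsFullyAuthenticated(null, secured));
    }
}
```

Run it once against an affected spring-security-core and once against a fixed release to see the first line change while the second stays false; the guard is what makes the second line version-independent. Upgrading to the fixed versions named in the advisories remains the actual remediation, and since Spring Security 5.8 the voter API is deprecated in favour of AuthorizationManager, which is the longer-term replacement for code that drives voters by hand.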