6877 matches found

Vulnrichment
added 2024/03/20 6:31 p.m., 14 views

CVE-2022-4963 Folio Spring Module Core Schema Name HibernateSchemaService.java dropSchema sql injection

A vulnerability was found in Folio Spring Module Core up to 1.1.5. It has been rated as critical. Affected by this issue is the function dropSchema of the file tenant/src/main/java/org/folio/spring/tenant/hibernate/HibernateSchemaService.java of the component Schema Name Handler. The manipulation...

CVSS 5.5, AI score 7.5, EPSS 0.0011
Exploits 0, References 5
CVE
added 2024/03/20 6:31 p.m., 58 views

CVE-2022-4963

CVE-2022-4963 affects Folio Spring Module Core up to version 1.1.5. The vulnerability is a SQL injection in the dropSchema function of HibernateSchemaService.java (Schema Name Handler). Root cause: improper handling in dropSchema leads to injection risk. Upgrading to version 2.0.0 addresses the i...

CVSS 9.8, AI score 5.9, EPSS 0.0011
Exploits 0, References 5, Affected Software 1
Cvelist
added 2024/03/20 6:31 p.m., 13 views

CVE-2022-4963 Folio Spring Module Core Schema Name HibernateSchemaService.java dropSchema sql injection

A vulnerability was found in Folio Spring Module Core up to 1.1.5. It has been rated as critical. Affected by this issue is the function dropSchema of the file tenant/src/main/java/org/folio/spring/tenant/hibernate/HibernateSchemaService.java of the component Schema Name Handler. The manipulation...

CVSS 5.5, AI score 6.3, EPSS 0.0011
Exploits 0, References 5
OSV
added 2024/03/20 3:32 p.m., 0 views

GHSA-X637-X8P3-5P22 Improper Authentication in Spring Authorization Server

Spring Authorization Server versions 1.0.0 - 1.0.5, 1.1.0 - 1.1.5, 1.2.0 - 1.2.2 and older unsupported versions are susceptible to a PKCE Downgrade Attack for Confidential Clients. Specifically, an application is vulnerable when a Confidential Client uses PKCE for the Authorization Code Grant. An...

CVSS 6.1, AI score 5.9, EPSS 0.00093
Exploits 0, References 4
vulnersOsv
added 2024/03/20 3:32 p.m., 3 views

cn.com.tltim.pigx:pigx-common-security (=5.0.0-20240820), cn.com.tltim.pigx:pigx-common-websocket (=5.0.0-20240820) +46 more potentially affected by CVE-2024-22258 via org.springframework.security:spring-security-oauth2-authorization-server (>=0.2.0 <=1.1.5)

org.springframework.security:spring-security-oauth2-authorization-server MAVEN version =0.2.0, =0.0.1-alpha.1, =3.1.5.2, =2.7.7.3, =2.7.7.4, =2.7.0.0, =2.7.0.0, =2.7.1.2, =2.7.0.0, =3.0.6.4, =2023.0.0.2-alpha.1, =2023.0.0.2-alpha.2 - com.github.paganini2008.doodler:doodler-common-oauth =1.0.0-bet...

CVSS 6.1, AI score 6.3, EPSS 0.00093
Exploits 0
vulnersOsv
added 2024/03/20 3:32 p.m., 3 views

cn.herodotus.engine:oauth2-authorization-server-autoconfigure (>=3.2.0.0 <=3.2.2.2), cn.herodotus.engine:oauth2-sdk-authentication (>=3.2.0.0 <=3.2.2.2) +9 more potentially affected by CVE-2024-22258 via org.springframework.security:spring-security-oauth2-authorization-server (>=1.2.0 <=1.2.2)

org.springframework.security:spring-security-oauth2-authorization-server MAVEN version =1.2.0, =3.2.0.0, =3.2.0.0, =3.2.0.0, =3.2.0.0, =3.0.0, =3.0.0, =2.0.0, =1.5.0, =2.0.0, =1.0.0-beta2, =3.2.0, =3.2.3 Source cves: CVE-2024-22258 Source advisory: OSV:GHSA-X637-X8P3-5P22...

CVSS 6.1, AI score 6.3, EPSS 0.00093
Exploits 0
Github Security Blog
added 2024/03/20 3:32 p.m., 29 views

Improper Authentication in Spring Authorization Server

Spring Authorization Server versions 1.0.0 - 1.0.5, 1.1.0 - 1.1.5, 1.2.0 - 1.2.2 and older unsupported versions are susceptible to a PKCE Downgrade Attack for Confidential Clients. Specifically, an application is vulnerable when a Confidential Client uses PKCE for the Authorization Code Grant. An...

CVSS 6.1, AI score 7.2, EPSS 0.00093
Exploits 0, References 4, Affected Software 1
Veracode
added 2024/03/20 6:01 a.m., 35 views

Server Side Request Forgery (SSRF)

org.springframework:spring-web is vulnerable to Open Redirect. The vulnerability is due to insufficient validation checks of the host URL within UriComponentsBuilder.java. If an application utilizes the host validation checks, an attacker can perform an open redirect or Server-Side Request Forger...

CVSS 8.1, AI score 8, EPSS 0.60124
Exploits 1, References 6, Affected Software 1
NVD
added 2024/03/20 4:15 a.m., 13 views

CVE-2024-22258

Spring Authorization Server versions 1.0.0 - 1.0.5, 1.1.0 - 1.1.5, 1.2.0 - 1.2.2 and older unsupported versions are susceptible to a PKCE Downgrade Attack for Confidential Clients. Specifically, an application is vulnerable when a Confidential Client uses PKCE for the Authorization Code Grant. An...

CVSS 6.1, AI score 6.3, EPSS 0.00093
Exploits 0, References 1
UbuntuCve
added 2024/03/20 4:15 a.m., 17 views

CVE-2024-22258

Spring Authorization Server versions 1.0.0 - 1.0.5, 1.1.0 - 1.1.5, 1.2.0 - 1.2.2 and older unsupported versions are susceptible to a PKCE Downgrade Attack for Confidential Clients. Specifically, an application is vulnerable when a Confidential Client uses PKCE for the Authorization Code Grant. An...

CVSS 6.1, AI score 6.4, EPSS 0.00093
Exploits 0, References 2
OSV
added 2024/03/20 4:15 a.m., 0 views

UBUNTU-CVE-2024-22258

Spring Authorization Server versions 1.0.0 - 1.0.5, 1.1.0 - 1.1.5, 1.2.0 - 1.2.2 and older unsupported versions are susceptible to a PKCE Downgrade Attack for Confidential Clients. Specifically, an application is vulnerable when a Confidential Client uses PKCE for the Authorization Code Grant. An...

CVSS 6.1, AI score 5.8, EPSS 0.00093
Exploits 0, References 3
CVE
added 2024/03/20 3:58 a.m., 67 views

CVE-2024-22258

CVE-2024-22258 affects Spring Authorization Server versions 1.0.0–1.0.5, 1.1.0–1.1.5, and 1.2.0–1.2.2 (and older unsupported) where confidential clients using PKCE with the Authorization Code Grant can be downgraded, potentially bypassing security restrictions. Public Clients using PKCE are not v...

CVSS 6.1, AI score 6.3, EPSS 0.00093
Exploits 0, References 1
Cvelist
added 2024/03/20 3:58 a.m., 21 views

CVE-2024-22258: PKCE Downgrade in Spring Authorization Server

Spring Authorization Server versions 1.0.0 - 1.0.5, 1.1.0 - 1.1.5, 1.2.0 - 1.2.2 and older unsupported versions are susceptible to a PKCE Downgrade Attack for Confidential Clients. Specifically, an application is vulnerable when a Confidential Client uses PKCE for the Authorization Code Grant. An...

CVSS 6.1, AI score 6.5, EPSS 0.00093
Exploits 0, References 1
Vulnrichment
added 2024/03/20 3:58 a.m., 19 views

CVE-2024-22258: PKCE Downgrade in Spring Authorization Server

Spring Authorization Server versions 1.0.0 - 1.0.5, 1.1.0 - 1.1.5, 1.2.0 - 1.2.2 and older unsupported versions are susceptible to a PKCE Downgrade Attack for Confidential Clients. Specifically, an application is vulnerable when a Confidential Client uses PKCE for the Authorization Code Grant. An...

CVSS 6.1, AI score 6.9, EPSS 0.00093
Exploits 0, References 1
IBM Security Bulletins
added 2024/03/20 1:05 a.m., 29 views

Security Bulletin: IBM InfoSphere Information Server is affected by a denial of service vulnerability in Spring Framework (CVE-2023-34053)

Summary: A denial of service vulnerability in Spring Framework used by IBM InfoSphere Information Server was addressed. Vulnerability Details: CVEID: CVE-2023-34053. DESCRIPTION: VMware Tanzu Spring Framework is vulnerable to a denial of service, caused by a flaw when the application uses Spring MVC ...

CVSS 7.5, AI score 6.3, EPSS 0.00846
Exploits 0, Affected Software 1
CNNVD
added 2024/03/20 12:00 a.m., 1 views

Spring Authorization Server Security Vulnerability

VMware Spring Authorization Server is a framework from VMware for building secure OAuth 2.0 and OpenID Connect 1.0 authorization servers. A security vulnerability exists in Spring Authorization Server that stems from an application's susceptibility to a PKCE downgrade attack when the PKCE...

CVSS 6.1, AI score 6.9, EPSS 0.00093
Exploits 0, References 2
Spring Engineering
added 2024/03/20 12:00 a.m., 7 views

Spring Tips: the Exposed ORM for Kotlin

Hi, Spring fans! In this installment we look at the Exposed Object Relational Mapper framework for Kotlin. Kotlin Java JDBC springboot...

AI score 7.3
Exploits 0
FreeBSD
added 2024/03/20 12:00 a.m., 11 views

security/shibboleth-idp -- CAS service SSRF

Shibboleth Developers report: The Identity Provider's CAS support relies on a function in the Spring Framework to parse CAS service URLs and append the ticket parameter...

AI score 7.2
Exploits 0, References 1
BDU FSTEC
added 2024/03/20 12:00 a.m., 1 views

A vulnerability in the AuthenticatedVoter class of Spring Security, a Java framework for securing industrial applications, allows an attacker to gain unauthorized access to protected information.

The vulnerability in the AuthenticatedVoter class of Spring Security, a Java framework for securing industrial applications, is caused by deficient access control when a null parameter is processed. Exploiting this vulnerability can allow an attacker to gain unauthorized access to...

CVSS 8.5, AI score 6.6, EPSS 0.00394
Exploits 0, References 4, Affected Software 1
Spring Engineering
added 2024/03/19 12:00 a.m., 14 views

Hello, Java 22!

Update: I've since published a Spring Tips video on this very topic! If you'd prefer, you could watch that instead. Hi, Spring fans! Happy Java 22 release day, to those who celebrate! Did you get the bits already? Go, go, go! Java 22 is a significant improvement that I think is a worthy upgrade fo...

AI score 7.2
Exploits 0