Spring Engineering
added 2024/02/28 12:0 a.m., 8 views

Spring Tips: the Spring Authorization Server: securing SPAs and messaging flows

Hi, Spring fans! In this installment, we continue our look at the venerable Spring Authorization Server, this time looking at how to extend its use beyond just HTTP APIs to secure single-page applications and messaging flows with OAuth...

AI score 7.2
Exploits: 0

Spring Engineering
added 2024/02/28 12:0 a.m., 27 views

This Week in Spring - February 27th, 2024

Hi, Spring fans! Welcome to another installment of This Week in Spring, wherein we explore the latest and greatest in the wonderful world of Springdom. This week's going to be a very good one, so let's dive right into it! Good news, everyone! Spring Boot's been updated! 3.3.0-M2, 3.2.3, and 3.1.9 a...

AI score 7
Exploits: 0

BDU FSTEC
added 2024/02/27 12:0 a.m., 1 view

A vulnerability in the AuthenticationTrustResolver.isFullyAuthenticated(Authentication) method of Spring Security, a Java framework for securing industrial applications, allows attackers to affect the integrity and confidentiality of protected information.

The vulnerability in the AuthenticationTrustResolver.isFullyAuthenticated(Authentication) method of Spring Security, a Java framework for securing industrial applications, is caused by deficiencies in access control when a null parameter is processed. Exploiting this vulnerability could allow a...

CVSS 7.4, AI score 7.2, EPSS 0.01656
Exploits: 0, References: 4, Affected software: 1

Veracode
added 2024/02/26 5:35 a.m., 150 views

Server Side Request Forgery (SSRF)

org.springframework:spring-web is vulnerable to Open Redirect. The vulnerability is due to insufficient validation checks of the host URL within UriComponentsBuilder.java. If an application utilizes the host validation checks, an attacker can perform an open redirect or Server-Side Request Forger...

CVSS 8.1, AI score 6.7, EPSS 0.60124
Exploits: 1, References: 7, Affected software: 1

vulnersOsv
added 2024/02/25 10:0 p.m., 2 views

com.github.linyuzai:concept-plugin-spring-boot-starter (>=2.0.0 <=3.0.0), org.webjars.npm:github-com-showdownjs-ng-showdown (=1.1.0) +3 more potentially affected by CVE-2024-1899 via org.webjars.npm:showdown (>=1.9.1 <=2.1.0)

org.webjars.npm:showdown MAVEN version =1.9.1, =2.0.0, =1.0.2, =1.0.3 - org.webjars.npm:showdown-prism =0.2.0 Source cves: CVE-2024-1899 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-8685132...

CVSS 5.3, AI score 6, EPSS 0.00267
Exploits: 1

RedhatCVE
added 2024/02/23 9:31 p.m., 102 views

CVE-2024-22243

A vulnerability was discovered in Spring Framework. Under certain conditions, an attacker might be able to trigger an open redirect. This issue can simplify the process of conducting a phishing attack against users of the deployment. Mitigation: Mitigation for this issue is either not available or...

CVSS 3.4, AI score 7.4, EPSS 0.60124
Exploits: 1, References: 4

vulnersOsv
added 2024/02/23 6:30 a.m., 1 view

africa.absa:inception-api (>=1.1.0 <=1.2.0), africa.absa:inception-application (>=1.1.0 <=1.2.0) +15074 more potentially affected by CVE-2024-22243 via org.springframework:spring-web (>=5.3.0 <=5.3.31)

org.springframework:spring-web MAVEN version =5.3.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =4.4.0.2, =4.6.0.0 - ai.apiverse:apipulse =1.0.1 and more Source cves: CVE-2024-22243 Source advisory: OSV:GHSA-CCGV-VJ62-XF9H...

CVSS 8.1, AI score 6.7, EPSS 0.60124
Exploits: 1

vulnersOsv
added 2024/02/23 6:30 a.m., 2 views

ai.optfor:spring-openai-api (>=0.1 <=0.3.25), am.ik.s3:simple-s3-client (>=0.1.0 <=0.1.1) +3784 more potentially affected by CVE-2024-22243 via org.springframework:spring-web (>=6.0.0 <=6.0.16)

org.springframework:spring-web MAVEN version =6.0.0, =0.1, =0.1.0, =0.2.3, =0.2.3, =4.0.0, =1.5.0.RELEASE, =1.5.1.RELEASE, =1.5.0.RELEASE, =2.1.0.RELEASE, =1.5.0.RELEASE, =1.5.2.RELEASE - be.tomcools:rickroll-security-spring-boot-starter =3.1.1 -...

CVSS 8.1, AI score 6.7, EPSS 0.60124
Exploits: 1

vulnersOsv
added 2024/02/23 6:30 a.m., 5 views

ai.ancf.lmos-router:lmos-router-llm-in-spring-cloud-gateway-demo (=0.28.0), ai.ancf.lmos:arc-graphql-spring-boot-starter (>=0.1.1 <=0.112.0) +7821 more potentially affected by CVE-2024-22243 via org.springframework:spring-web (>=6.1.0 <=6.1.3)

org.springframework:spring-web MAVEN version =6.1.0, =0.1.1, =0.1.1, =0.0.4, =0.1.0, =0.1.0, =0.5.0, =0.6.0, =0.6.0, =0.5.0, =0.6.0, =0.6.0, =0.5.0, =0.7.0, =0.7.0, =0.8.7 and more Source cves: CVE-2024-22243 Source advisory: OSV:GHSA-CCGV-VJ62-XF9H...

CVSS 8.1, AI score 6.7, EPSS 0.60124
Exploits: 1

vulnersOsv
added 2024/02/23 6:30 a.m., 2 views

ColumnPack:ColumnPack-plugin (=1.0.3), CustomHistory:CustomHistory (>=1.1 <=1.3) +22631 more potentially affected by CVE-2024-22243 via org.springframework:spring-web (>=1.2.1 <=5.2.25.RELEASE)

org.springframework:spring-web MAVEN version =1.2.1, =1.1, =0.0.1, =4.4.0.0, =0.1.6, =0.1.8, =0.1.6, =0.1.2, =0.5.0, =0.5.0, =0.5.0, =0.5.0, =0.5.0, =0.5.0, =0.5.21 and more Source cves: CVE-2024-22243 Source advisory: OSV:GHSA-CCGV-VJ62-XF9H...

CVSS 8.1, AI score 6.7, EPSS 0.60124
Exploits: 1

Github Security Blog
added 2024/02/23 6:30 a.m., 176 views

Spring Web vulnerable to Open Redirect or Server Side Request Forgery

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect attack or to an SSRF attack if the URL is used after passing validation checks...

CVSS 8.1, AI score 5.7, EPSS 0.60124
Exploits: 1, References: 6, Affected software: 1

Cvelist
added 2024/02/23 5:3 a.m., 36 views

CVE-2024-22243: Spring Framework URL Parsing with Host Validation

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is...

CVSS 8.1, AI score 8.1, EPSS 0.60124
Exploits: 1, References: 2

Vulnrichment
added 2024/02/23 5:3 a.m., 35 views

CVE-2024-22243: Spring Framework URL Parsing with Host Validation

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is...

CVSS 8.1, AI score 7, EPSS 0.60124
Exploits: 1, References: 2

Spring Engineering
added 2024/02/23 12:0 a.m., 14 views

A Bootiful Podcast: Timefold Solver AI lead Geoffrey De Smet

Hi, Spring fans! In this installment, I talk to Timefold Solver AI lead Geoffrey De Smet about the amazing new integrations for Spring Boot developers...

AI score 7.2
Exploits: 0

CNNVD
added 2024/02/23 12:0 a.m., 5 views

Spring Framework Security Vulnerabilities

Spring Framework is an open-source Java/JavaEE application framework from the U.S.-based Spring team. The framework helps developers build high-quality applications. A security vulnerability exists in Spring Framework that can lead to open redirection or server-side request forgery...

CVSS 8.1, AI score 9.3, EPSS 0.60124
Exploits: 1, References: 8

OpenVAS
added 2024/02/22 12:0 a.m., 35 views

VMware Spring Framework < 5.3.32, 6.0.x < 6.0.17, 6.1.x < 6.1.4 Open Redirect / SSRF Vulnerability - Linux

The VMware Spring Framework is prone to an open redirect or server-side request forgery (SSRF) vulnerability. SPDX-FileCopyrightText: 2024 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier:...

CVSS 8.1, AI score 6.6, EPSS 0.60124
Exploits: 1, References: 2

OpenVAS
added 2024/02/22 12:0 a.m., 54 views

VMware Spring Framework < 5.3.32, 6.0.x < 6.0.17, 6.1.x < 6.1.4 Open Redirect / SSRF Vulnerability - Windows

The VMware Spring Framework is prone to an open redirect or server-side request forgery (SSRF) vulnerability. SPDX-FileCopyrightText: 2024 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier:...

CVSS 8.1, AI score 6.6, EPSS 0.60124
Exploits: 1, References: 2

GithubExploit
added 2024/02/21 12:55 p.m., 1424 views

Exploit for CVE-2024-22243

CVE-2024-22243. Author: Sean Pesce. This project conta...

CVSS 8.1, AI score 8.2, EPSS 0.60124
Exploits: 2

CNVD
added 2024/02/21 12:0 a.m., 45 views

Access Control Error Vulnerability in Spring Security

Spring Security is a security framework that provides a declarative access-control solution for Spring-based enterprise applications. It provides a set of beans that can be configured in the Spring application context, taking full advantage of Spring IoC and DI (Inversion of Control...

CVSS 7.4, AI score 7.5, EPSS 0.01656
Exploits: 0

Positive Technologies
added 2024/02/21 12:0 a.m., 6 views

PT-2024-1921 · Unknown +2 · Spring Framework +3

Name of the vulnerable software and affected versions: Spring Framework versions prior to the fixed version. Description: The issue arises from insufficient validation of user-input data in the Spring Framework, potentially allowing an attacker to perform a Server-Side Request Forgery (SSRF) attack ...

CVSS 9.4, AI score 6, EPSS 0.60124
Exploits: 1, References: 48