Lucene search

6877 matches found

RedHat Linux
added 2024/02/12 10:38 a.m., 3 views

spring-security: Empty SecurityContext Is Not Properly Saved Upon Logout

A flaw was found in Spring Security. In affected versions of Spring Security, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the HttpSessionSecurityContextRepository. Th...

CVSS 6.3 | AI score 7.1 | EPSS 0.00461
Exploits 0 | References 5
RedHat Linux
added 2024/02/12 10:38 a.m., 3 views

springframework: Spring Expression DoS Vulnerability

A flaw was found in Spring Framework. This flaw allows a malicious user to use a specially crafted SpEL expression that causes a denial of service (DoS)...

CVSS 6.5 | AI score 7.1 | EPSS 0.00542
Exploits 1 | References 5
Spring Engineering
added 2024/02/08 12:00 a.m., 13 views

Spring Tips: Spring Boot Testjars

Hi, Spring fans! In this installment we look at the brand new Spring Boot Testjars project, which greatly simplifies standing up and reusing satellite Java-based services like other Spring Boot-based microservices or infrastructure like the Spring Authorization Server. springboot java java21...

AI score 7.2
Exploits 0
Spring Engineering
added 2024/02/08 12:00 a.m., 10 views

Spring Tips: Spring AI

Hi, Spring fans! In this installment we'll look at the new Spring AI project, which provides convenient integrations with LLMs like the one behind ChatGPT and tools to support the RAG (retrieval augmented generation) pipeline. ai springboot artificialintelligence java graalvm cloud java21 postgresq...

AI score 7.2
Exploits 0
IBM Security Bulletins
added 2024/02/07 10:44 a.m., 32 views

Security Bulletin: IBM Sterling Control Center vulnerable to denial of service due to Spring Boot and remote code execution due to Spring Framework

Summary: IBM Sterling Control Center containerized image uses VMWare Tanzu Spring Boot and Pivotal Spring Framework. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details: CVEID: CVE-2023-20883 DESCRIPTION: VMware Tanzu Spring Boot is vulnerable to a denial...

CVSS 9.8 | AI score 9.2 | EPSS 0.60417
Exploits 4 | Affected Software 1
Veracode
added 2024/02/07 7:52 a.m., 27 views

Incorrect File Permission

org.springframework.security: spring-security-config is vulnerable to Incorrect File Permissions. The vulnerability is due to insecure permissions assigned to the spring-security.xsd file inside the spring-security-config jar which is world writable. An attacker with access to the filesystem can...

CVSS 5.5 | AI score 7 | EPSS 0.00043
Exploits 0 | References 4 | Affected Software 1
Spring Engineering
added 2024/02/07 12:00 a.m., 12 views

This Week in Spring - February 6th

Hi, Spring fans! Welcome to another installment of the rip-roarin' adventure that is This Week in Spring! We've got a lot to look at, as usual, so let's dive right into it! In last week's installment of A Bootiful Podcast, I talked to Gunnar Morling, who created the 1BRC (1 Billion Row Challenge)...

AI score 7.2
Exploits 0
RedhatCVE
added 2024/02/06 5:30 a.m., 26 views

CVE-2023-34042

A flaw was found in the Spring-security-config jar file. The spring-security.xsd file inside the spring-security-config jar is world-writable, which means that if it were extracted, it could be written by anyone with access to the file system. Mitigation: Mitigation for this issue is either not...

CVSS 5.5 | AI score 4.7 | EPSS 0.00043
Exploits 0 | References 4
Github Security Blog
added 2024/02/06 12:30 a.m., 19 views

Spring Security's spring-security.xsd file is world writable

The spring-security.xsd file inside the spring-security-config jar is world writable which means that if it were extracted it could be written by anyone with access to the file system. While there are no known exploits, this is an example of “CWE-732: Incorrect Permission Assignment for Critical...

CVSS 5.5 | AI score 7.1 | EPSS 0.00043
Exploits 0 | References 5 | Affected Software 1
vulnersOsv
added 2024/02/06 12:30 a.m., 4 views

cn.herodotus.engine:oauth2-sdk-authentication (>=3.1.1.0 <=3.1.4.3), cn.herodotus.engine:oauth2-sdk-authorization (>=3.1.1.0 <=3.1.4.3) +321 more potentially affected by CVE-2023-34042 via org.springframework.security:spring-security-config (>=6.1.1 <=6.1.3)

org.springframework.security:spring-security-config MAVEN version =6.1.1, =3.1.1.0, =3.1.1.0, =3.1.1.0, =3.1.1.0, =5.5.0, =5.5.0, =0.0.9, =0.0.12, =0.0.30, =0.0.42, =6.1.16, =6.1.16, =7.0.0, =7.1.8 and more Source cves: CVE-2023-34042 Source advisory: OSV:GHSA-9GP8-6CG8-7H34...

CVSS 5.5 | AI score 6 | EPSS 0.00043
Exploits 0
OSV
added 2024/02/06 12:30 a.m., 1 view

GHSA-9GP8-6CG8-7H34 Spring Security's spring-security.xsd file is world writable

The spring-security.xsd file inside the spring-security-config jar is world writable which means that if it were extracted it could be written by anyone with access to the file system. While there are no known exploits, this is an example of “CWE-732: Incorrect Permission Assignment for Critical...

CVSS 5.5 | AI score 6.4 | EPSS 0.00043
Exploits 0 | References 5
vulnersOsv
added 2024/02/06 12:30 a.m., 3 views

com.epam.reportportal:service-authorization (>=5.11.0 <=5.11.1), com.erudika:para-jar (=1.49.0) +51 more potentially affected by CVE-2023-34042 via org.springframework.security:spring-security-config (>=5.8.4 <=5.8.6)

org.springframework.security:spring-security-config MAVEN version =5.8.4, =5.11.0, =1.73.40, =1.73.40, =1.73.40, =1.73.40, =2.35.0, =2.14.0, =2.14.0, =11.3.6, =11.3.6, =11.3.6, =11.3.6, =11.4.2 and more Source cves: CVE-2023-34042 Source advisory: OSV:GHSA-9GP8-6CG8-7H34...

CVSS 5.5 | AI score 6 | EPSS 0.00043
Exploits 0
vulnersOsv
added 2024/02/06 12:30 a.m., 4 views

com.almis.awe:awe-annotation (>=4.7.1 <=4.7.7), com.almis.awe:awe-annotations-spring-boot-starter (>=4.7.1 <=4.7.7) +28 more potentially affected by CVE-2023-34042 via org.springframework.security:spring-security-config (>=6.0.4 <=6.0.6)

org.springframework.security:spring-security-config MAVEN version =6.0.4, =4.7.1, =4.7.1, =4.7.1, =4.7.1, =4.7.1, =4.7.1, =4.7.1, =4.7.1, =4.7.1, =4.7.1, =4.7.1, =4.7.1, =4.7.1, =4.7.1, =4.7.7 - com.giffing.wicket.spring.boot.starter:wicket-spring-boot-starter =4.0.0-M1 and more Source cves:...

CVSS 5.5 | AI score 6 | EPSS 0.00043
Exploits 0
OSV
added 2024/02/05 10:15 p.m., 20 views

CVE-2023-34042

The spring-security.xsd file inside the spring-security-config jar is world writable which means that if it were extracted it could be written by anyone with access to the file system. While there are no known exploits, this is an example of “CWE-732: Incorrect Permission Assignment for Critical...

CVSS 5.5 | AI score 7.1 | EPSS 0.00043
Exploits 0 | References 2
NVD
added 2024/02/05 10:15 p.m., 14 views

CVE-2023-34042

The spring-security.xsd file inside the spring-security-config jar is world writable which means that if it were extracted it could be written by anyone with access to the file system. While there are no known exploits, this is an example of “CWE-732: Incorrect Permission Assignment for Critical...

CVSS 5.5 | AI score 5.1 | EPSS 0.00043
Exploits 0 | References 2
Prion
added 2024/02/05 10:15 p.m., 22 views

Design/Logic Flaw

The spring-security.xsd file inside the spring-security-config jar is world writable which means that if it were extracted it could be written by anyone with access to the file system. While there are no known exploits, this is an example of “CWE-732: Incorrect Permission Assignment for Critical...

CVSS 1.7 | AI score 7 | EPSS 0.00043
Exploits 0 | References 1 | Affected Software 1
Cvelist
added 2024/02/05 10:00 p.m., 16 views

CVE-2023-34042

The spring-security.xsd file inside the spring-security-config jar is world writable which means that if it were extracted it could be written by anyone with access to the file system. While there are no known exploits, this is an example of “CWE-732: Incorrect Permission Assignment for Critical...

CVSS 4.1 | AI score 5.7 | EPSS 0.00043
Exploits 0 | References 1
Vulnrichment
added 2024/02/05 10:00 p.m., 18 views

CVE-2023-34042

The spring-security.xsd file inside the spring-security-config jar is world writable which means that if it were extracted it could be written by anyone with access to the file system. While there are no known exploits, this is an example of “CWE-732: Incorrect Permission Assignment for Critical...

CVSS 4.1 | AI score 6.7 | EPSS 0.00043
Exploits 0 | References 1
CVE
added 2024/02/05 10:00 p.m., 82 views

CVE-2023-34042

The CVE-2023-34042 issue concerns the Spring Security spring-security-config jar where the spring-security.xsd file is world-writable. This enables a local authenticated attacker to write the file, reflecting CWE-732: Incorrect Permission Assignment for Critical Resource. The connected IBM and OS...

CVSS 5.5 | AI score 5.3 | EPSS 0.00043
Exploits 0 | References 2 | Affected Software 1
IBM Security Bulletins
added 2024/02/05 3:09 p.m., 17 views

Security Bulletin: IBM Observability with Instana is affected by Multiple Security Vulnerabilities

Summary: Multiple vulnerabilities were remediated in IBM Observability with Instana build 265. Vulnerability Details: CVEID: CVE-2023-20861 DESCRIPTION: VMware Tanzu Spring Framework is vulnerable to a denial of service. By sending a specially crafted SpEL expression, a remote attacker could exploit...

CVSS 7.5 | AI score 8.5 | EPSS 0.04575
Exploits 3 | Affected Software 1