springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern
A flaw was found in Spring Framework. In this vulnerability, a security bypass is possible due to the behavior of the wildcard pattern...
spring-security: Authorization rules can be bypassed via forward or include dispatcher types in Spring Security
A flaw was found in the spring-security framework. Spring Security could allow a remote attacker to bypass security restrictions caused by an issue when using forward or include dispatcher types. By sending a specially-crafted request, an attacker can bypass authorization rules...
A Bootiful Podcast: Elastic's Philipp Krenn
Hi Spring fans! Welcome to another installment of a Bootiful Podcast! In this installment, Josh Long talks to Elastic's Philipp Krenn, live from Spring IO 2023 in beautiful Barcelona, Spain!...
Security Bulletin: IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in VMware Tanzu Spring Boot
Summary IBM Watson Discovery Cartridge for IBM Cloud Pak for Data contains a vulnerable version of VMware Tanzu Spring Boot. Vulnerability Details CVEID:CVE-2023-20873 DESCRIPTION: VMware Tanzu Spring Boot could allow a remote attacker to bypass security restrictions, caused by a flaw with wildca...
Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service in VMware Tanzu Spring Framework (CVE-2023-20861)
Summary IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service in VMware Tanzu Spring Framework, by sending a specially crafted SpEL expression (CVE-2023-20861). VMware Tanzu Spring Framework is included as part of our speech microservices. This...
Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a security bypass in VMware Tanzu Spring Framework [CVE-2023-20860]
Summary IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a security bypass in VMware Tanzu Spring Framework due to the use of an un-prefixed double wildcard pattern with the mvcRequestMatcher (CVE-2023-20860). Spring Framework is included as part of our speech...
OSV-2023-517 Security exception in org.springframework.expression.spel.ast.OpPlus.getValueInternal
OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60112 Crash type: Security exception Crash state: org.springframework.expression.spel.ast.OpPlus.getValueInternal java.base/sun.reflect.generics.reflectiveObjects.TypeVariableImpl.hashCode java.base/java.util.Arrays.hashCode...
Security Bulletin: Vulnerability in Spring Framework affects IBM Process Mining. CVE-2023-20873
Summary There is a vulnerability in Spring Boot that could allow a remote attacker to bypass security restrictions on the system. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability. Vulnerability Details CVEID:CVE-2023-20873...
Security Bulletin: Vulnerability in Spring Security affects IBM Process Mining. CVE-2023-20862
Summary There is a vulnerability in Spring Security that could allow a remote attacker to bypass security restrictions and remain authenticated after logout is performed. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability...
Security Bulletin: Vulnerability in Spring Framework affects IBM Process Mining. CVE-2023-20863
Summary There is a vulnerability in Spring Framework that could allow a remote authenticated attacker to execute a denial of service on the system. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability. Vulnerability Details...
Security Bulletin: Vulnerability in Spring Security affects IBM Process Mining. CVE-2022-22978
Summary There is a vulnerability in Spring Security that could allow a remote attacker to bypass security restrictions and obtain access to the system. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability. Vulnerability Details...
Security Bulletin: Vulnerability in Spring Security affects IBM Process Mining. CVE-2021-22119
Summary There is a vulnerability in Spring Security that could allow a remote attacker to execute a denial of service on the system. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability. Vulnerability Details CVEID:CVE-2021-2211...
Security Bulletin: Vulnerability in Spring Security affects IBM Process Mining. Multiple CVEs
Summary There is a vulnerability in Spring Security that could allow a local authenticated attacker to launch further attacks on the system. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability. Vulnerability Details...
Security Bulletin: Vulnerability in Spring Boot affects IBM Process Mining. CVE-2023-20883
Summary There is a vulnerability in Spring Boot that could allow a remote attacker to execute a denial of service on the system. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability. Vulnerability Details CVEID:CVE-2023-20883...
This Week in Spring - June 27th, 2023
Hi Spring fans! Welcome to another installment of This Week in Spring! This week I am in Seoul talking to developers about the latest-and-greatest in Spring Boot 3! There's so much great stuff coming, and so much great stuff already. There are a few things I'm super excited about. First, yesterda...
Using Spring for GraphQL with Spring Data Neo4j
Introduction This is a guest blog post by Gerrit Meier from Neo4j who maintains the Spring Data Neo4j module. A few weeks ago version 1.2.0 of Spring for GraphQL was released with a bunch of new features. This also includes even better integration with Spring Data modules. Motivated by those...
Update Spring-Security used on Bitbucket to fix CVE-2023-20862
Problem: All Bitbucket versions, excluding 8.11.x, use Spring Security 5.7.7 or older, leading to security scans listing Bitbucket as vulnerable to CVE-2023-20862 (https://spring.io/security/cve-2023-20862). Environment: Any Bitbucket older than version 8.11.0. Steps to Reproduce: Check wha...
Improved Testcontainers Support in Spring Boot 3.1
There's been support for Testcontainers in Spring Boot for some time now, and Spring Boot 3.1 improves it further. But first, let's take a look at what Testcontainers is and how it's usually used. Testcontainers is an open source framework for providing throwaway, lightweight instances of...
Security Bulletin: IBM Security Directory Integrator is affected by multiple security vulnerabilities
Summary IBM Security Directory Integrator has addressed several security issues in open source packages. Please apply the fix as detailed below. Vulnerability Details CVEID:CVE-2018-1270 DESCRIPTION: Pivotal Spring Framework could allow a remote attacker to execute arbitrary code on the system,...