K000134945: Spring Boot vulnerability CVE-2022-46166

Security Advisory Description Spring boot admins is an open source administrative user interface for management of spring boot applications. All users who run Spring Boot Admin Server, having enabled Notifiers e.g. Teams-Notifier and write access to environment variables via UI are affected. User...

Security Bulletin: IBM Operational Decision Manager May 2023 - Multiple CVEs

Summary This Security Bulletin addresses the security vulnerabilities that have been fixed within the IBM Operational Decision Manager. This product now includes fixes for the following security vulnerabilities. Vulnerability Details CVEID:CVE-2023-20862 DESCRIPTION: VMware Tanzu Spring Security...

Securing Spring Boot Applications With SSL

Secure Sockets Layer SSL and Transport Layer Security TLS are key components of securing communications between systems in a layered or service-oriented architecture. Spring Boot applications in such an architecture often accept incoming network connections or create outgoing connections, and...

Security Bulletin: [All] Spring Framework (Publicly disclosed vulnerability)

Summary In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter. This effects ITN...

Security Bulletin: [All] Spring Framework - CVE-2021-22096 (Publicly disclosed vulnerability)

Summary In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. This effects ITNCM version 6.4.2. Vulnerability Details CVEID:CVE-2021-22096 DESCRIPTION:...

Security Bulletin: [All] Spring Framework - CVE-2022-22950 (Publicly disclosed vulnerability)

Summary In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition. This effects ITNCM version 6.4.2. Vulnerability Details CVEID:CVE-2022-22950 DESCRIPTION: VMwa...

dk.mada.jaxrs:openapi-jaxrs-client (>=0.9.12 <=0.9.17), io.jooby:jooby-jstachio (>=3.0.0.M7 <=3.0.0.M9) +6 more potentially affected by CVE-2023-33962 via io.jstach:jstachio (>=0.10.0 <=1.0.0)

io.jstach:jstachio MAVEN version =0.10.0, =0.9.12, =3.0.0.M7, =0.6.0, =0.8.0, =0.8.0, =0.10.0, =0.10.0, =0.10.0, =1.0.0 Source cves: CVE-2023-33962 Source advisory: OSV:GHSA-GWXV-JV83-6QJR...

This Week in Spring - June 6th, 2023

Hi, Spring fans! Welcome to another installment of This Week in Spring! And what an insane week it's been! Long story short, I've spent 10-12 hours a day over the last five days migrating a dozen differnet applications and services from one GKE cluster to another, taking the time to update things...

Security Bulletin: Multiple vulnerabilities in VMware Tanzu Spring Framework affect IBM Process Designer 8.5.7 shipped with IBM Business Automation Workflow

Summary Multiple vulnerabilities exist in VMware Tanzu Spring Framework, which is used by the desktop version of IBM Process Designer 8.5.7 shipped with IBM Business Automation Workflow. IBM Process Designer has addressed the applicable CVEs. Vulnerability Details CVEID:CVE-2023-20861 DESCRIPTION...

Security Bulletin: Vulnerability in spring-expressions may affect IBM Business Automation Workflow - CVE-2023-20863

Summary IBM Business Automation Workflow packages a vulnerable copy of spring-expressions in BPM/Lombardi/lib. Vulnerability Details CVEID:CVE-2023-20863 DESCRIPTION: VMware Tanzu Spring Framework is vulnerable to a denial of service, caused by improper input validation. By sending a specially...

Exploit for Code Injection in Vmware Spring_Framework

CVE-2022-22965 Poc&Exp: Supports batch scanning Us...

A Bootiful Podcast: Spring Boot team member Moritz Halbritter (@m_halbritter)

Hi, Spring fans! In this installment Josh Long YouTube.com/@coffeesoftware.com talks to Spring Boot team member Moritz Halbritter @mhalbritter...

Security Bulletin: VMware Tanzu Spring Security is vulnerable to CVE-2022-31692 used in IBM Maximo Application Suite

Summary IBM Maximo Application Suite VMware Tanzu Spring Security is vulnerable to CVE-2022-31692 Vulnerability Details CVEID:CVE-2022-31692 DESCRIPTION: VMware Tanzu Spring Security could allow a remote attacker to bypass security restrictions, caused by a flaw when using forward or include...

Security Bulletin: Multiple Vulnerabilities in CloudPak for Watson AIOPs

Summary Multiple vulnerabilities were fixed in IBM Cloud Pak for Watson AIOps version 3.7.2 Vulnerability Details CVEID:CVE-2023-20860 DESCRIPTION: VMware Tanzu Spring Framework could allow a remote attacker to bypass security restrictions, caused by the use of an un-prefixed double wildcard...

Denial Of Service (DoS)

spring-boot-autoconfigure is vulnerable to Denial Of Service DoS. The vulnerability is applicable when the application has Spring MVC auto-configuration enabled and uses the Spring Boot welcome page, which can be either static or templated, and the application is deployed behind a proxy which...

This Week in Spring - May 30th, 2023

Hi, Spring fans! Welcome to another installment of This Week in Spring! This installment I write on the day of my daughter's High School graduation, an auspicious day indeed! There's a lot to get through this week, though, and I have a graduation to get to, so let's dive right in! Spring...

Vulnerabilities fixed in Zimbra Collaboration Suite

Zimbra has fixed vulnerabilities in the Zimbra Collaboration Suite ZCS. A malicious party can exploit the vulnerabilities to perform attacks that could result in the following categories of damage: Cross-Site Scripting XSS Denial-of-Service DoS. Bypassing authentication Bypassing security measure...

Security Bulletin: Vulnerability in Spring Framework affects IBM Process Mining [CVE-2023-20860]

Summary There is a vulnerability in Spring Framework that could allow a remote authenticated attacker to bypass security restrictions. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability. CVE-2023-20860 Vulnerability Details...

IceCMS Cross-Site Scripting Vulnerability

IceCMS is a content management system based on Spring Boot + Vue front-end and back-end separation . IceCMS v1.0.0 version exists cross-site scripting vulnerability, the vulnerability stems from the application of the user-supplied data lack of effective filtering and escaping, an attacker can...

IceCMS Access Control Error Vulnerability

IceCMS is a content management system based on Spring Boot + Vue front-end and back-end separation . An access control error vulnerability exists in IceCMS v1.0.0, which stems from improper access control in the system and can be exploited by an attacker to cause sensitive information leakage...