Lucene search

6877 matches found

RedHat Linux
added 2023/05/24 5:13 p.m., 8 views

springframework: Authorization Bypass in RegexRequestMatcher

A flaw was found in Spring Security. When using RegexRequestMatcher, a simple misconfiguration lets the matcher be bypassed on some servlet containers. Applications using RegexRequestMatcher with . (the any-character dot) in the regular expression are possibly vulnerable to an authorization bypass...

CVSS 9.8 | AI score 7.3 | EPSS 0.90224
Exploits: 6 | References: 5
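An added example, not code from the advisory or from Spring Security itself, of why a dot in a RegexRequestMatcher pattern matters. It uses only java.util.regex (Java 11 or later for URLDecoder with a Charset) and assumes, as the matcher does, full-match semantics on the decoded request path; the admin rule, the sample paths and the permitAll catch-all are constructed for the illustration. Whether a container passes a decoded line terminator through to the application is container-specific, which is why the advisory scopes the issue to some servlet containers.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

// Added example, not Spring Security code: a "." in a request-matching regex
// does not match line terminators unless DOTALL is set, so a path carrying a
// decoded newline falls outside an /admin rule written with ".*".
public class RegexMatcherBypass {

    // Rule written the intuitive way. Vulnerable: "." excludes "\n" and "\r".
    static final Pattern DOT_RULE = Pattern.compile("/admin/.*");

    // Hardened: DOTALL (equivalent to an inline "(?s)" prefix) makes "." match
    // line terminators too, so the crafted path is still caught by the rule.
    static final Pattern DOTALL_RULE = Pattern.compile("/admin/.*", Pattern.DOTALL);

    // Full-match semantics (Matcher.matches(), not find()): the whole decoded
    // path must satisfy the regex for the rule to apply.
    static boolean ruleApplies(Pattern rule, String decodedPath) {
        return rule.matcher(decodedPath).matches();
    }

    // Hypothetical authorization decision with a permitAll catch-all: paths the
    // admin rule does not match are served to anyone. That catch-all is the
    // misconfiguration that turns a non-matching path into a bypass.
    static boolean accessGranted(Pattern adminRule, String rawPath, boolean callerIsAdmin) {
        String path = URLDecoder.decode(rawPath, StandardCharsets.UTF_8); // "%0a" -> "\n"
        if (ruleApplies(adminRule, path)) {
            return callerIsAdmin;
        }
        return true; // permitAll fall-through
    }

    // Same decision with a deny-by-default catch-all: a path the admin rule does
    // not match is refused, so a regex quirk cannot widen access.
    static boolean accessGrantedDenyByDefault(Pattern adminRule, String rawPath, boolean callerIsAdmin) {
        String path = URLDecoder.decode(rawPath, StandardCharsets.UTF_8);
        if (ruleApplies(adminRule, path)) {
            return callerIsAdmin;
        }
        return false; // denyAll fall-through
    }

    public static void main(String[] args) {
        String normal = "/admin/users";
        String crafted = "/admin/users%0a"; // decodes to "/admin/users\n"

        System.out.println("dot rule, normal path, anonymous:      " + accessGranted(DOT_RULE, normal, false));
        System.out.println("dot rule, crafted path, anonymous:     " + accessGranted(DOT_RULE, crafted, false));
        System.out.println("DOTALL rule, crafted path, anonymous:  " + accessGranted(DOTALL_RULE, crafted, false));
        System.out.println("deny-by-default, crafted, anonymous:   " + accessGrantedDenyByDefault(DOT_RULE, crafted, false));
    }
}
```

Run with `java RegexMatcherBypass.java`. With the dot rule the anonymous request for the crafted path is granted, because `.*` cannot consume the newline and `matches()` therefore reports no match; with DOTALL, or with a deny-by-default catch-all, it is refused. Upgrading to the fixed Spring Security release named in the advisory removes the dependence on the pattern author remembering `(?s)`.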
Spring Engineering
added 2023/05/24 12:00 a.m., 44 views

Spring Authorization Server is on Spring Initializr!

Today, I'm excited to announce that you have a new superpower: creating applications with Spring Authorization Server on Spring Initializr! That's right, it's time to begin your OAuth2 journey and become the hero you always knew you could be! In this post, I'll explain how you can get the most fr...

AI score 6.7
Exploits: 0
RedhatCVE
added 2023/05/23 3:10 p.m., 48 views

CVE-2023-20883

A flaw was found in Spring Boot, occurring prominently in Spring MVC with a reverse proxy cache. This issue requires Spring MVC to have auto-configuration enabled and the application to use Spring Boot's welcome page support, either static or templated, resulting in the application being deployed...

CVSS 7.5 | AI score 6.6 | EPSS 0.0069
Exploits: 0 | References: 3
Spring Engineering
added 2023/05/23 12:00 a.m., 92 views

This Week in Spring - May 23rd, 2023

Hi, Spring fans! Welcome to another installment of This Week in Spring! It's May 23rd and, famously, nothing major has happened in the last week OH WAIT WE RELEASED SPRING BOOT 3.1! Have you checked it out yet? It's dope. I did a Spring Tips installment looking at some of its features here that y...

CVSS 5 | AI score 6.7 | EPSS 0.0069
Exploits: 0
Spring Engineering
added 2023/05/23 12:00 a.m., 11 views

Unleash Spring apps in a flex environment with Azure Spring Apps Consumption and Dedicated plans

In March, we introduced the Consumption pricing plan for Azure Spring Apps allowing you to start from zero and scale to zero vCPU. Today, we are thrilled to announce the public preview of the Standard Dedicated plan! The Standard Dedicated plan provides a fully managed, dedicated environment for...

AI score 6.8
Exploits: 0
OpenVAS
added 2023/05/22 12:00 a.m., 18 views

VMware Spring Boot < 2.5.15, 2.6.x < 2.6.15, 2.7.x < 2.7.12, 3.0.x < 3.0.7 DoS Vulnerability

VMware Spring Boot is prone to a denial-of-service (DoS) vulnerability. SPDX-FileCopyrightText: 2023 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) the respective right holders. SPDX-License-Identifier: GPL-2.0-only. CPE =...

CVSS 7.5 | AI score 8.4 | EPSS 0.0069
Exploits: 0 | References: 4
F5 Networks
added 2023/05/19 4:38 p.m., 35 views

K000134681: Spring Framework vulnerability CVE-2023-20861

Security Advisory Description: In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition. CVE-2023-20861 Impac...

CVSS 6.5 | AI score 6.9 | EPSS 0.00542
Exploits: 1 | Affected Software: 1
IBM Security Bulletins
added 2023/05/19 9:39 a.m., 43 views

Security Bulletin: IBM Sterling Connect:Direct for Microsoft Windows is affected by a security restrictions bypass due to Spring Framework [CVE-2023-20860]

Summary: There is a vulnerability in Spring Framework used by Integrated File Agent in IBM Sterling Connect:Direct for Microsoft Windows. IBM Sterling Connect:Direct for Microsoft Windows has addressed the applicable CVE. CVE-2023-20860 Vulnerability Details: CVEID: CVE-2023-20860 DESCRIPTION: VMwar...

CVSS 7.5 | AI score 7.2 | EPSS 0.56284
Exploits: 1 | Affected Software: 1
Positive Technologies
added 2023/05/19 12:00 a.m., 2 views

PT-2023-17687 · Spring · Spring Boot

Name of the Vulnerable Software and Affected Versions: Spring Boot versions 2.5.0 through 2.5.14; Spring Boot versions 2.6.0 through 2.6.14; Spring Boot versions 2.7.0 through 2.7.11; Spring Boot versions 3.0.0 through 3.0.6; Spring Boot older unsupported versions. Description: There is potential for ...

CVSS 7.5 | AI score 7.7 | EPSS 0.0069
Exploits: 0 | References: 14
IBM Security Bulletins
added 2023/05/18 5:28 p.m., 52 views

Security Bulletin: IBM Sterling Connect:Direct for UNIX is affected by security restriction bypass due to Spring Framework [CVE-2023-20860]

Summary: The IBM Sterling Connect:Direct for UNIX File Agent component is affected by a security restriction bypass due to Spring Framework. Spring Framework has been upgraded in the IBM Sterling Connect:Direct for UNIX File Agent component. CVE-2023-20860 Vulnerability Details: CVEID: CVE-2023-20860...

CVSS 7.5 | AI score 7.2 | EPSS 0.56284
Exploits: 1 | Affected Software: 1
Spring Engineering
added 2023/05/18 12:00 a.m., 13 views

A Bootiful Podcast: Grubhub's Josh Burns on Kotlin, Spring Boot, and more

We're crossing the streams, again! This time Josh Long talks to Grubhub's John Burns (twitter: @wakingrufus, mastodon: @[email protected]) about dogfooding human food, Grubhub's tech stack, and more...

AI score 6.9
Exploits: 0
IBM Security Bulletins
added 2023/05/17 7:47 p.m., 39 views

Security Bulletin: IBM InfoSphere Information Server is affected but not classified as vulnerable to multiple vulnerabilities in Spring Security

Summary: Multiple vulnerabilities in Spring Security used by InfoSphere Information Server were addressed. Vulnerability Details: CVEID: CVE-2022-22976 DESCRIPTION: Spring Security could provide weaker than expected security, caused by an integer overflow vulnerability which results in a lack of sal...

CVSS 9.8 | AI score 7.9 | EPSS 0.90224
Exploits: 9 | Affected Software: 1
RedHat Linux
added 2023/05/17 1:58 p.m., 4 views

springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern

A flaw was found in Spring Framework. A security bypass is possible because of how an un-prefixed double wildcard (**) pattern is matched...

CVSS 7.5 | AI score 7.1 | EPSS 0.56284
Exploits: 1 | References: 5
RedHat Linux
added 2023/05/17 1:58 p.m., 3 views

springframework: Spring Expression DoS Vulnerability

A flaw was found in Spring Framework. This flaw allows a malicious user to supply a specially crafted SpEL expression that causes a denial of service (DoS)...

CVSS 7.5 | AI score 7.1 | EPSS 0.56284
Exploits: 1 | References: 5
RedHat Linux
added 2023/05/17 1:58 p.m., 8 views

springframework: DoS via data binding to multipartFile or servlet part

A flaw was found in Spring Framework. Applications that handle file uploads are vulnerable to a denial-of-service (DoS) attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object...

CVSS 5.3 | AI score 7.1 | EPSS 0.00164
Exploits: 1 | References: 5
RedHat Linux
added 2023/05/17 1:58 p.m., 4 views

springframework: DoS with STOMP over WebSocket

A flaw was found in Spring Framework. Applications that use STOMP over the WebSocket endpoint are vulnerable to a denial-of-service attack by an authenticated user...

CVSS 6.5 | AI score 7.3 | EPSS 0.00247
Exploits: 0 | References: 5
Spring Engineering
added 2023/05/16 12:00 a.m., 22 views

This Week in Spring - May 16th 2023

My friends, Spring Boot 3.1 is nearly upon us! It drops on 18 May, in just a few short days! There are a ton of amazing features in this new release and I hope you're already trying it out, you know where. Here are some of my favorite features: Built in Docker Compose support - Have a...

AI score 6.8
Exploits: 0
IBM Security Bulletins
added 2023/05/15 6:29 a.m., 37 views

Security Bulletin: Vulnerability in Spring Framework affects IBM Tivoli Application Dependency Discovery Manager (CVE-2023-20863)

Summary: A vulnerability in Spring Framework affects IBM Tivoli Application Dependency Discovery Manager (CVE-2023-20863). IBM has addressed the vulnerability. Vulnerability Details: CVEID: CVE-2023-20863 DESCRIPTION: VMware Tanzu Spring Framework is vulnerable to a denial of service, caused by improp...

CVSS 6.5 | AI score 7 | EPSS 0.01066
Exploits: 0 | Affected Software: 1
Positive Technologies
added 2023/05/14 12:00 a.m., 2 views

PT-2023-35827 · Spring +1 · Org.Springframework.Expression +1

Name of the Vulnerable Software and Affected Versions: No specific software or version information is provided in the input descriptions. Description: The issue is related to a security exception, with details provided in an OSS-Fuzz report. The crash state involves several Java functions,...

AI score 7
Exploits: 0 | References: 2
Veracode
added 2023/05/12 1:51 a.m., 17 views

Path Traversal

spring-boot-actuator-logview is vulnerable to Path Traversal. The vulnerability exists in the securityCheck function of LogViewEndpoint.java because it does not properly validate relative paths, allowing an attacker to access files outside the expected directory through a path such as /usr/outn...

CVSS 5.3 | AI score 6.4 | EPSS 0.00369
Exploits: 0 | References: 2 | Affected Software: 1
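An added example, not the spring-boot-actuator-logview code, of a containment check that validates a requested log file by where it resolves rather than by what the string contains. The log root, the sample inputs and the weak check are constructed for the illustration (Java 11 or later, Unix-style paths).

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example, not the plugin's code: deciding whether a user-supplied file
// name for a "view this log" endpoint stays inside the configured log root.
public class LogPathContainment {

    // Hypothetical log directory; a real endpoint takes this from configuration.
    static final Path LOG_ROOT = Paths.get("/var/log/app").toAbsolutePath().normalize();

    // Hypothetical weak check of the kind the snippet describes: it looks for the
    // literal ".." in the raw string and has no notion of where the path lands.
    static boolean weakCheck(String requested) {
        return !requested.contains("..");
    }

    // Robust check: decode, resolve against the root, normalize away "." and
    // "..", then require the result to still sit under the root. An absolute
    // input is returned unchanged by resolve(), so it fails the startsWith test.
    // Path.startsWith compares whole name elements, so "/var/log/app2" is not
    // treated as being under "/var/log/app" the way a string prefix would.
    static boolean containedInRoot(String requested) {
        String decoded = URLDecoder.decode(requested, StandardCharsets.UTF_8);
        Path resolved = LOG_ROOT.resolve(decoded).normalize();
        return resolved.startsWith(LOG_ROOT);
    }

    public static void main(String[] args) {
        // Constructed inputs covering the cases a reviewer would try.
        String[] inputs = {
            "app.log",                    // legitimate file
            "archive/app-2023-05.log",    // legitimate subdirectory
            "../../etc/passwd",           // plain traversal: both checks reject
            "%2e%2e/%2e%2e/etc/passwd",   // encoded dots: weak check passes, containment rejects
            "/etc/passwd",                // absolute path: weak check passes, containment rejects
            "../app2/secret.log",         // sibling directory with a shared prefix
        };
        for (String in : inputs) {
            System.out.printf("%-28s weak=%-5s contained=%s%n",
                    in, weakCheck(in), containedInRoot(in));
        }
    }
}
```

Run with `java LogPathContainment.java`. Only the two legitimate names pass `containedInRoot`; the encoded-dot and absolute inputs pass the weak check and are stopped only by the resolve-and-compare step. If the log root may contain symbolic links pointing outside it, add a `toRealPath()` on the resolved path (after checking the file exists) and compare real paths, since `normalize()` is purely lexical.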