6877 matches found

Vulnrichment
added 2023/04/13 12:0 a.m., 12 views

CVE-2023-20863

In Spring Framework versions prior to 5.2.24 release+, 5.3.27+ and 6.0.8+, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition...

AI score 6.6, EPSS 0.01066
Exploits 0, References 2
Vulnrichment
added 2023/04/13 12:0 a.m., 5 views

CVE-2023-20866

In Spring Session version 3.0.0, the session id can be logged to the standard output stream. This vulnerability exposes sensitive information to those who have access to the application logs and can be used for session hijacking. Specifically, an application is vulnerable if it is using...

AI score 6.4, EPSS 0.00715
Exploits 0, References 1
CNNVD
added 2023/04/13 12:0 a.m., 2 views

Spring Framework security vulnerability

Spring Framework is an open-source Java/JavaEE application framework from the U.S. Spring team. The framework helps developers build high-quality applications. A security vulnerability exists in Spring Framework that originates from a denial of service (DoS) caused by supplying a specially crafted Sp...

CVSS 6.5, AI score 6.8, EPSS 0.01066
Exploits 0, References 7
Cvelist
added 2023/04/13 12:0 a.m., 14 views

CVE-2023-20866

In Spring Session version 3.0.0, the session id can be logged to the standard output stream. This vulnerability exposes sensitive information to those who have access to the application logs and can be used for session hijacking. Specifically, an application is vulnerable if it is using...

AI score 6.5, EPSS 0.00715
Exploits 0, References 1
CVE
added 2023/04/13 12:0 a.m., 339 views

CVE-2023-20863

CVE-2023-20863 is a Spring Framework DoS issue. The vulnerability occurs when a user supplies a specially crafted SpEL expression, leading to denial of service. Affected are Spring Framework versions before 5.2.24, before 5.3.27, and before 6.0.8. IBM and other advisories corroborate the DoS risk...

CVSS 6.5, AI score 6.3, EPSS 0.01066
Exploits 0, References 2, Affected Software 1
RedHat Linux
added 2023/04/12 12:2 p.m., 3 views

spring-security-oauth2-client: Privilege Escalation in spring-security-oauth2-client

A flaw was found in the Spring Security framework. Spring Security could allow a remote attacker to gain elevated privileges on the system. By modifying a request initiated by the Client via the browser to the Authorization Server, an attacker can gain elevated privileges on the system...

CVSS 8.1, AI score 7.4, EPSS 0.00313
Exploits 0, References 5
RedHat Linux
added 2023/04/12 12:2 p.m., 3 views

spring-security: Authorization rules can be bypassed via forward or include dispatcher types in Spring Security

A flaw was found in the spring-security framework. Spring Security could allow a remote attacker to bypass security restrictions caused by an issue when using forward or include dispatcher types. By sending a specially-crafted request, an attacker can bypass authorization rules...

CVSS 9.8, AI score 7.4, EPSS 0.07387
Exploits 3, References 5
Spring Engineering
added 2023/04/11 12:0 a.m., 12 views

This Week in Spring - April 11th, 2023

Hi, Spring fans! Welcome to another installment of This Week in Spring! As I write this I am in Amsterdam, Netherlands, preparing to speak at the Utrecht JUG tonight along with fellow Java Champion Trisha Gee. We're not speaking together, but instead it's a double header: she'll speak first, then...

AI score 6.7
Exploits 0
GithubExploit
added 2023/04/10 2:12 p.m., 352 views

Exploit for Code Injection in Vmware Spring_Cloud_Function

CVE-2022-22963 Exploit This repository contains a Rust-based e...

CVSS 9.8, AI score 9.7, EPSS 0.94462
Exploits 36
Gitee
added 2023/04/07 4:5 p.m., 4 views

Exploit for Incorrect Authorization in Vmware Spring_Security

CVE-2022-22978 POC environment CVE-2022-22978 Spring-Security bypass Demo. When RegexRequestMatcher is used in Spring Security and the rule contains a regular expression with a dot, an attacker can bypass authentication by constructing a malicious request. Affected scope: Spring Security 5.5.x http://localhost:8080/admin/index%0a Docker docker pull s0cke3t/cve-2022-22978:latest...

CVSS 9.8, AI score 7.5, EPSS 0.90224
Exploits 6
Spring Engineering
added 2023/04/06 12:0 a.m., 21 views

A Bootiful Podcast: José Paumard, Java Champion alumnus and Java legend, on Project Loom, Valhalla, and more, from Devnexus 2023!

Hi, Spring fans! Welcome to another installment of A Bootiful Podcast. In this installment I'll talk to legendary Oracle Java Champion alumnus, Java advocate, professor emeritus, and all around amiable fellow José Paumard, recorded at the amazing Devnexus 2023 event! José's English-language Youtu...

AI score 6.5
Exploits 0
RedHat Linux
added 2023/04/05 1:34 p.m., 5 views

springframework: DoS via data binding to multipartFile or servlet part

A flaw was found in Spring Framework. Applications that handle file uploads are vulnerable to a denial of service (DoS) attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object...

CVSS 5.3, AI score 7.1, EPSS 0.00164
Exploits 1, References 5
RedHat Linux
added 2023/04/05 1:34 p.m., 4 views

springframework: DoS with STOMP over WebSocket

A flaw was found in Spring Framework Applications. Applications that use STOMP over the WebSocket endpoint are vulnerable to a denial of service attack caused by an authenticated user...

CVSS 6.5, AI score 7.3, EPSS 0.00247
Exploits 0, References 5
BDU FSTEC
added 2023/04/04 12:0 a.m., 1 views

The vulnerability in Hitachi Vantara Pentaho Business Analytics Server lies in the improper neutralization of certain elements in the output data, allowing attackers to execute arbitrary commands.

The vulnerability in Hitachi Vantara Pentaho Business Analytics Server relates to the improper neutralization of certain elements in the output data. Exploiting this vulnerability allows a malicious actor to execute arbitrary commands by injecting specially crafted Spring templates...

CVSS 9, AI score 8.1, EPSS 0.93976
Exploits 6, References 4, Affected Software 1
Spring Engineering
added 2023/04/04 12:0 a.m., 19 views

This Week in Spring - April 4th, 2023

Hi, Spring fans! Welcome to another installment of This Week in Spring! How are you doin'? Me, I'm exhausted! It's been quite the odyssey trying to get to Devnexus, but I made it, eventually! If you're at Devnexus, check out this roundup of interesting and awesome talks from the Spring team and...

AI score 6.6
Exploits 0
BDU FSTEC
added 2023/04/04 12:0 a.m., 1 views

The vulnerability in the Spring Framework software platform, related to uncontrolled resource allocation, allows attackers to cause a denial of service.

The vulnerability in the Spring Framework software platform is related to uncontrolled resource allocation. Exploiting this vulnerability can allow a malicious actor, operating remotely, to cause a denial of service using specially crafted SpEL expressions...

CVSS 6.8, AI score 6.6, EPSS 0.00542
Exploits 1, References 5, Affected Software 7
OSV
added 2023/04/03 6:15 p.m., 2 views

CVE-2022-43769

Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x, allow certain web services to set property values which contain Spring templates that are interpreted downstream...

CVSS 7.2, AI score 5.8, EPSS 0.93976
Exploits 6, References 3
NVD
added 2023/04/03 6:15 p.m., 16 views

CVE-2022-43769

Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x, allow certain web services to set property values which contain Spring templates that are interpreted downstream...

CVSS 8.8, AI score 8.7, EPSS 0.93976
Exploits 6, References 3
Prion
added 2023/04/03 6:15 p.m., 18 views

Design/Logic Flaw

Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x, allow certain web services to set property values which contain Spring templates that are interpreted downstream...

CVSS 5.8, AI score 8.1, EPSS 0.93976
Exploits 6, References 2, Affected Software 1
Cvelist
added 2023/04/03 5:47 p.m., 20 views

CVE-2022-43769 Hitachi Vantara Pentaho Business Analytics Server - Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)

Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x, allow certain web services to set property values which contain Spring templates that are interpreted downstream...

CVSS 8.8, AI score 9.2, EPSS 0.93976
Exploits 6, References 2