SUSE CVE-2022-22965
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is...
SUSE CVE-2022-22963
In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources...
SUSE CVE-2022-22968
In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the fiel...
This Week in Spring - February 14th, 2023
Hi, Spring fans! It's early Tuesday morning for me. I'm preparing to head to Chicago, Illinois to meet some customers and have myself a grand ol' time in the windy city. I hope you're doing well, I certainly am. A Bootiful Podcast: opensource, Spring Cloud, and Kubernetes maestro Abel Salgado...
com.bstek.ureport:ureport2-console (>=2.0.0 <=2.2.9), com.bstek.ureport:ureport2-font (>=2.0.0 <=2.0.1) +13 more potentially affected by CVE-2023-24187 via com.bstek.ureport:ureport2-core (>=2.0.0 <=2.2.9)
com.bstek.ureport:ureport2-core MAVEN version =2.0.0, =2.0.0, =2.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.5.1, =1.5.1, =0.0.1, =1.1.0, =3.0.4-RELEASE, =2.0, =2.8.0, =4.2.0, =4.10.0 Source cves: CVE-2023-24187 Source advisory: OSV:GHSA-FHJ6-GR87-G4CJ...
ureport v2.2.9 code issue vulnerability
UReport is a high-performance pure Java reporting engine based on the Spring architecture that prepares complex Chinese reports and statements by iterating over cells. A security vulnerability exists in ureport version v2.2.9. An attacker exploits the vulnerability to execute arbitrary code by...
Security Bulletin: IBM Sterling B2B Integrator is vulnerable to denial of service due to Spring Framework (CVE-2022-22970)
Summary IBM Sterling B2B Integrator has addressed the denial of service security vulnerability in Spring Framework shipped with the product. Vulnerability Details CVEID: CVE-2022-22970 DESCRIPTION: VMware Tanzu Spring Framework is vulnerable to a denial of service, caused by a flaw in the handling...
A Bootiful Podcast: opensource, Spring Cloud, and Kubernetes maestro Abel Salgado Romero
Hi, Spring fans! In this installment, Josh Long @starbuxman talks to Abel Salgado Romero @abelsromero about open source, Kubernetes, and building Kubernetes controllers with Spring Boot and GraalVM native images...
Exploit for Uncontrolled Resource Consumption in Siemens 6Bk1602-0Aa12-0Tp0_Firmware
Log4Shell CVE-2021-44228: Brief Description Apache L...
TIBCO JasperReports Server 6.x < 6.2.5 / 6.3.0 / 6.3.2 / 6.3.3 / 6.4.0 / 6.4.2 Information Disclosure (CVE-2018-5430)
According to its self-reported version, the instance of TIBCO JasperReports Server running on the remote web server is 6.x prior to 6.2.5, 6.3.0, 6.3.2, 6.3.3, 6.4.0, or 6.4.2. It is, therefore, affected by an information disclosure vulnerability in the Spring Web Flow component that can allow any...
Exploit for Expression Language Injection in Vmware Spring_Cloud_Gateway
Introduction Through CVE-2022-22947, an attack is attempte...
This Week in Spring - February 7th, 2023
Hi, Spring fans! Welcome to another installment of This Week in Spring! It's Tuesday, February 7th, 2023, as I write this and I'm so very glad to be talking to you. How're you doin'? Some housekeeping: I'll be doing more live streams over on my YT channel - join me and we'll talk shop. I'm going...
Spring Security 5.6.x < 5.6.9 / 5.7.x < 5.7.5 Authorization Bypass
The remote host contains a Spring Security version that is 5.7.x prior to 5.7.5 or 5.6.x prior to 5.6.9. It may, therefore, be affected by an authorization bypass vulnerability. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version...
Moderate: Red Hat Security Advisory: Red Hat support for Spring Boot 2.7.2.SP1 security update
An update is now available for Red Hat OpenShift Application Runtimes. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from th...
Security Bulletin: Vulnerabilities have been identified in Spring Framework, OpenSSL and Apache HTTP Server shipped with the DS8000 Hardware Management Console (HMC)
Summary The updates indicated below have been released to address the following vulnerabilities: Spring Framework CVE-2022-22965, OpenSSL vulnerability CVE-2022-0778, Apache HTTP Server CVE-2021-26691, CVE-2021-40438, CVE-2021-44790, and CVE-2021-20325. Vulnerability Details CVEID: CVE-2022-0778...
Jira Server/DC impacted by CVE-2022-22970 & CVE-2022-22971 via vulnerable version of Spring framework
Jira is not impacted and no action is required, as the vulnerability cannot be exploited. All Jira versions below 9.6 use an affected version of Spring Framework, which is why JRASERVER-74776 was published; however, Jira does not use the affected methods from Spring and hence is not impacted:...
The 2022 State of Spring Survey Report
Hi, Spring fans! You're awesome! I know you're awesome. You know you're awesome. And the Spring team works for you. We like working for you because you dream awesome dreams and build awesome things. And we can't work effectively with and for you if we don't know where everyone stands. Every year ...
An ever green, ever great way to learn Spring
I could do this post every week. Wait, I do do this post every week! It's called This Week in Spring, and in it I recap a lot of interesting new bits of content on the internet that elaborate or introduce or innovate. I love those points of data. They help. But they're almost never a full-guided...
Security Bulletin: Vulnerability in Spring Framework affects IBM Process Mining and could allow a local attacker to execute arbitrary code on the system (CVE-2022-22965)
Summary There is a vulnerability in Spring Framework that could allow a local attacker to execute arbitrary code on the system. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability. The product is in an affected but not vulnerab...
com.github.linyuzai:concept-router-spring-boot-starter (=1.1.0), org.webjars.npm:cacheable-request (=2.1.4) +5 more potentially affected by CVE-2022-25881 via org.webjars.npm:http-cache-semantics (=3.8.1)
org.webjars.npm:http-cache-semantics MAVEN version =3.8.1 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:http-cache-semantics and may be impacted: - com.github.linyuzai:concept-router-spring-boot-starter =1.1.0 -...