6809 matches found
CVE-2023-22602
The CVE-2023-22602 issue affects Apache Shiro before 1.11.0 when used with Spring Boot 2.6+ and can allow an authentication bypass via a specially crafted HTTP request. The bypass arises because Shiro and Spring Boot may use different Ant-style pattern matching, causing access controls to be impr...
CVE-2023-22602 Apache Shiro before 1.11.0, when used with Spring Boot 2.6+, may allow authentication bypass through a specially crafted HTTP request
When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot 2.6 default to Ant sty...
CVE-2023-22602
When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot 2.6 default to Ant sty...
Apache Shiro security vulnerability
Apache Shiro is a suite of Java security frameworks for performing authentication, authorization, encryption, and session management from the Apache Foundation USA. A security vulnerability exists in Apache Shiro versions prior to 1.11.0, which stems from a specially crafted HTTP request that cou...
favorites-web cross-site scripting vulnerability
Favorites-web Cloud Favorites is an open source website built with Spring Boot by the individual developer Pure Smile ityouknow. A cross-site scripting vulnerability exists in favorites-web, which stems from some unknown functionality in its Comment Handler component that allows an attacker to...
PT-2023-8779 · Apache +2 · Apache Shiro +2
Name of the Vulnerable Software and Affected Versions: Apache Shiro versions prior to 1.11.0 Spring Boot versions 2.6+ Description: The issue is related to a conflict of interpretations between Apache Shiro and Spring Boot, which can be exploited by a remote attacker using a specially crafted HTT...
Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service, caused by improper input validation with Spring Framework (CVE-2022-22950).
Summary IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service, caused by improper input validation in VMware Tanzu Spring Framework CVE-2022-22950. This appears in the Java code used by some of our service components. Please read the details for...
Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a data binding rules security weakness in Spring Framework (CVE-2022-22968)
Summary IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a Spring framework data binding rules vulnerability, where case sensitive patterns for disallowedFields cause weaker than expected security CVE-2022-22968. Spring Framework is used by some of the java...
Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to improper input validation in Spring Framework (CVE-2022-22950)
Summary IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service, caused by improper input validation in VMware Tanzu Spring Framework CVE-2022-22950. Spring Framework is used in Watson Speech Services to build our STT and TTS java services Please read...
Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965)
Summary IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is affected but not classified as vulnerable to a remote code execution in Spring Framework CVE-2022-22965 as it does not meet all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3...
A Bootiful Podcast: Mario Fusco, the Drools rules engine project lead and fellow Java Champion
Hi, Spring fans! In this episode I talk to Drools lead Mario Fusco @mariofusco about the rules engine Drools and its integrations with Spring, Olivetti computers, and so much more...
Security Bulletin: IBM Sterling Partner Engagement Manager is vulnerable to security bypass due to Spring Security (CVE-2022-31692)
Summary IBM Sterling Partner Engagement Manager has addressed a vulnerability in Spring Security. Vulnerability Details CVEID:CVE-2022-31692 DESCRIPTION: VMware Tanzu Spring Security could allow a remote attacker to bypass security restrictions, caused by a flaw when using forward or include...
Security Bulletin: IBM Sterling Partner Engagement Manager is vulnerable to unauthorized privilege escalation due to Spring Security (CVE-2022-31690)
Summary IBM Sterling Partner Engagement Manager has addressed a vulnerability in Spring Security that allows a remote attacker to gain elevated privileges on the system. Vulnerability Details CVEID:CVE-2022-31690 DESCRIPTION: VMware Tanzu Spring Security could allow a remote attacker to gain...
This Week in Spring - January 9th, 2023
Hi, Spring fans! As I write this I'm on a plane winging my way to Helsinki, Finland. A new year and new journeys begin. It's going to be cold there. Wish me luck! Do you know what always warms me up? The thrill of learning. And this week's no different. This week we've got some good stuff lined up so...
A Bootiful Podcast: Spring legend Ramnivas Laddad
Hi, Spring fans! In this installment, Josh Long @starbuxman talks to Spring and cloud legend, Spring Cloud Connectors founder, and Cloud Foundry founder, Ramnivas Laddad @ramnivas...
Exploit for Code Injection in Vmware Spring_Framework
Spring4Shell-CVE-2022-22965-POC bash ghost㉿uchiha:$ ./exp...
This Week in Spring - Jan 3rd, 2023
Hi, Spring fans! Happy new year! It's 2023 already! Who saw that comin'? I sure didn't. This year promises to be more amazing than ever, and I can't wait to be a part of it. As usual, the first week of January is when we mark the date of the first installment of this humble roundup, This Week in...
Security Bulletin: IBM Tivoli Monitoring is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965)
Summary IBM Tivoli Monitoring is affected but not classified as vulnerable to a remote code execution in Spring Framework CVE-2022-22965 as it does not meet all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. Packaged as WAR in contrast to a Spring Boo...