PT-2022-26153 · Grails · Grails Spring Security Core Plugin
Name of the Vulnerable Software and Affected Versions: Grails Spring Security Core plugin versions 1.x Grails Spring Security Core plugin versions 2.x Grails Spring Security Core plugin versions 3.0.0 through 3.3.1 Grails Spring Security Core plugin versions 4.0.0 through 4.0.4 Grails Spring...
CVE-2022-41923 Grails Spring Security Core plugin vulnerable to privilege escalation
Grails Spring Security Core plugin is vulnerable to privilege escalation. The vulnerability allows an attacker access to one endpoint i.e. the targeted endpoint using the authorization requirements of a different endpoint i.e. the donor endpoint. In some Grails framework applications, access to t...
This Week in Spring - November 22nd, 2022 - Spring Boot 3 and Thanksgiving edition!
Hi, Spring fans! It's Tuesday, the 22nd of November, 2022, as I write this, which means we're two days away from Spring Boot 3 and Thanksgiving. Spring Boot 3, I've written about in abundance, so I won't rehash that. If you want to learn more about some of the amazing new features in Spring Framework ...
Exploit for Code Injection in Vmware Spring_Cloud_Gateway
CVE-2022-22947 Usage: python3 CVE-2022-22947.py url...
This Week in Spring - November 15th, 2022
Hi, Spring fans! How're you doin' this fine Tuesday morning? I've returned home to San Francisco and am up and at 'em nice and early to catch a flight to Seattle, where I'll speak at the Java User Group tonight. If you're in Seattle, don't miss it! We've got a ton of cool stuff to get into this week, but...
NTT DATA TERASOLUNA Input Validation Error Vulnerability
NTT DATA TERASOLUNA is an NTT DATA framework from NTT DATA Corporation in Japan. A security vulnerability exists in NTT DATA TERASOLUNA Global Framework version 1.0.0 and TERASOLUNA Server Framework for Java Rich versions 2.0.0.2 through 2.0.5.1, which stems from improper input validation in the...
The vulnerability of the SimpleEvaluationContext class in the Spring Data Commons data management platform and the Spring Data REST framework for creating web services allows an attacker to execute arbitrary code.
The vulnerability of the SimpleEvaluationContext class in the Spring Data Commons data management platform and the Spring Data REST web framework is related to insufficient validation of input data. Exploiting this vulnerability allows an attacker to execute arbitrary code by sending specially...
JVN#54728399: TERASOLUNA Global Framework and TERASOLUNA Server Framework for Java (Rich) vulnerable to ClassLoader manipulation
The past versions of TERASOLUNA Global Framework and TERASOLUNA Server Framework for Java Rich are vulnerable to a ClassLoader manipulation vulnerability due to using the old version of Spring Framework which contains the vulnerability. According to the developer, this vulnerability is caused by ...
io.github.talelin:lin-cms-spring-boot-autoconfigure (>=0.0.1-RC1 <=0.2.0-RELEASE), io.github.talelin:lin-cms-spring-boot-starter (>=0.0.1-RC1 <=0.2.0-RELEASE) potentially affected by CVE-2022-44244 via io.github.talelin:lin-cms-core (>=0.0.1-RC2 <=0.2.0-RELEASE)
io.github.talelin:lin-cms-core MAVEN version =0.0.1-RC2, =0.0.1-RC1, =0.0.1-RC1, =0.2.0-RELEASE Source cves: CVE-2022-44244 Source advisory: OSV:GHSA-4VRC-Q7M6-VQ7W...
Updates on Spring Cloud Stream 4.0.0 Schema Registry Support
This blog gives an update on the Schema Registry support that is part of Spring Cloud Stream version 4.0.x. Many enterprises use a schema registry for schema evolution use cases, such as the Confluent Schema Registry. Starting with version 1.1.x of Spring Cloud Stream until 3.0.0, we provided a...
Exploit for Code Injection in Vmware Spring_Framework
Target machine bash docker run -itd -p 80:8080 vulfocus/spr...
This Week in Spring - November 8th, 2022
Hi, Spring fans! Welcome to another installment of This Week in Spring! I've been busy this last week! I've been visiting with customers and talking to the community here in South East Asia. I was in Malaysia last week, and now I'm in Bangkok, Thailand. I'm near the end of my time here in SE Asia,...
CVE-2022-31691
Spring Tools 4 for Eclipse version 4.16.0 and below as well as VSCode extensions such as Spring Boot Tools, Concourse CI Pipeline Editor, Bosh Editor and Cloudfoundry Manifest YML Support version 1.39.0 and below all use Snakeyaml library for YAML editing support. This library allows for some...
Remote code execution
Spring Tools 4 for Eclipse version 4.16.0 and below as well as VSCode extensions such as Spring Boot Tools, Concourse CI Pipeline Editor, Bosh Editor and Cloudfoundry Manifest YML Support version 1.39.0 and below all use Snakeyaml library for YAML editing support. This library allows for some...
Authorization Bypass
Spring Security Web is vulnerable to Authorization Bypass. The vulnerability exists in AuthorizationFilter because it incorrectly extends OncePerRequestFilter, which allows an attacker to bypass authorization rules via forward or include dispatcher types...
Privilege Escalation
Spring Security OAuth2 Client is vulnerable to Privilege Escalation. The vulnerability exists in the getTokenResponse function in multiple files due to the authorization server responding with an OAuth2 access token response containing an empty scope list which allows an attacker to modify reques...
CVE Report Published for Spring Tools
We have released STS 4.16.1 for Eclipse and Spring VSCode extensions 1.40.0 to address the following CVE report: - CVE-2022-31691: Remote Code Execution via YAML editors in STS4 extensions for Eclipse and VSCode Please review the information in the CVE report and upgrade immediately. Eclipse: STS...
Spring Tools Code Injection Vulnerability
Spring Tools is a series of plug-ins for Spring that are used to assist developers in writing programs. A security vulnerability exists in Spring Tools that stems from the Snakeyaml library, which supports YAML editing, allowing for some special syntax in YAML that could allow an attacker to...
PT-2022-20891 · Spring · Spring Boot Tools +1
Name of the Vulnerable Software and Affected Versions: Spring Tools 4 for Eclipse version 4.16.0 and below Spring Boot Tools version 1.39.0 and below Concourse CI Pipeline Editor version 1.39.0 and below Bosh Editor version 1.39.0 and below Cloudfoundry Manifest YML Support version 1.39.0 and bel...