CVE-2022-39311
GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions prior to 21.1.0 are vulnerable to remote code execution on the server from a malicious or compromised agent. The Spring RemoteInvocation...
Metasploit Wrap-Up
Spring Cloud Gateway RCE This week, a new module that exploits a code injection vulnerability in Spring Cloud Gateway CVE-2022-22947 has been added by @Ayantaker. Versions 3.1.0 and 3.0.0 to 3.0.6 are vulnerable if the Gateway Actuator endpoint is enabled, exposed and unsecured. The module sends ...
Exploit for CVE-2022-41852
Remote Code Execution in JXPath Library CVE-2022-41852 Proof...
PT-2022-24893 · Unknown +1 · Spring Remoteinvocation +1
Name of the Vulnerable Software and Affected Versions: GoCD versions prior to 21.1.0 Description: GoCD is a continuous delivery server that automates and streamlines the build-test-release cycle for continuous delivery of a product. The issue allows remote code execution on the server from a...
GoCD Code Issue Vulnerability
GoCD is a continuous delivery server. A security vulnerability exists in GoCD versions 19.2.0 through 19.11.0, which stems from a Spring RemoteInvocation endpoint exposed for proxy communication that allows deserialization of arbitrary java objects, which can be exploited by an attacker to execut...
A Bootiful Podcast: Google mad scientist Josh Suereth on Observability with OpenTelemetry, building better build tools, and so much more
Hi, Spring fans! In this installment, Josh Long @starbuxman looks at the latest and greatest in Spring Boot 3 AOT, then talks to Google's Josh Suereth @jsuereth about observability with OpenTelemetry, building better build tools, and so much more. Want to learn more about Spring Boot and the wider...
Observability with Spring Boot 3
The Spring Observability Team has been working on adding observability support for Spring Applications for quite some time, and we are pleased to inform you that this feature will be generally available with Spring Framework 6 and Spring Boot 3! What is observability? In our understanding, it is...
Spring Cloud Gateway Remote Code Execution
This module exploits an unauthenticated remote code execution vulnerability in Spring Cloud Gateway versions 3.1.0 and 3.0.0 to 3.0.6. The vulnerability can be exploited when the Gateway Actuator endpoint is enabled, exposed and unsecured. An unauthenticated attacker can use SpEL expressions to...
org.apache.camel:camel-shiro (=2.5.0), org.apache.shiro.samples:samples-aspectj (=1.0.0-incubating) +29 more potentially affected by CVE-2022-40664 via org.apache.shiro:shiro-core (=1.0.0-incubating)
org.apache.shiro:shiro-core MAVEN version =1.0.0-incubating is affected by a known vulnerability. The following packages have a transitive dependency on org.apache.shiro:shiro-core and may be impacted: - org.apache.camel:camel-shiro =2.5.0 - org.apache.shiro.samples:samples-aspectj...
This Week in Spring - October 11th, 2022
Hi, Spring fans! Welcome to another installment of This Week in Spring! I write this installment as I pack and prepare for my trip to Antwerp, Belgium, for the always-amazing Devoxx show. I've so missed this show over the pandemic and am so looking forward to returning. I hope ...
Spring Tips: Spring Boot & Apache Kafka
Hi, Spring fans! In this installment of Spring Tips, I look at the venerable Apache Kafka broker and its integrations at various levels of abstraction in the Spring Boot ecosystem. Want to learn more about event-driven architectures, AOT and GraalVM, Apache Kafka, and Spring Boot? SpringOne 2022 i...
com.liferay:com.liferay.css.builder (>=1.0.8 <=1.0.14), com.liferay:com.liferay.deployment.helper (>=1.0.0 <=1.0.2) +8 more potentially affected by CVE-2022-41414 via com.liferay.portal:portal-impl (=7.0.0-nightly)
com.liferay.portal:portal-impl MAVEN version =7.0.0-nightly is affected by a known vulnerability. The following packages have a transitive dependency on com.liferay.portal:portal-impl and may be impacted: - com.liferay:com.liferay.css.builder =1.0.8, =1.0.0, =1.0.6, =1.0.3, =1.0.3, =1.0.47,...
A Bootiful Podcast: Spring and Java community legend Marten Deinum
Hi, Spring fans! In this installment, Josh Long @starbuxman talks to longtime Spring community member and legend Marten Deinum @mdeinum about scuba diving, software, Spring, community, and more. Also: I fixed the odd silence in the middle of the last few episodes! Thanks for suffering through it...
Security Bulletin: IBM Cloud Pak for Business Automation is affected but not classified as vulnerable to a remote code execution in Spring Framework [CVE-2022-22965]
Summary IBM Cloud Pak for Business Automation is affected but not classified as vulnerable to a remote code execution in Spring Framework as it does not meet all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. Packaged as WAR in contrast to a Spring Bo...
ai.djl.spring:djl-spring-boot-starter-tensorflow-auto (>=0.15 <=0.18), ai.djl.tensorflow:tensorflow-api (>=0.15.0 <=0.18.0) +7127 more potentially affected by CVE-2022-3171 via com.google.protobuf:protobuf-java (>=3.17.0-rc-1 <=3.19.5)
com.google.protobuf:protobuf-java MAVEN version =3.17.0-rc-1, =0.15, =0.15.0, =0.15.0, =0.15.0, =3.32.1.6, =3.32.1.6-1-2.1, =3.32.1.6-1-3.0, =3.34.0.3-1-2.2, =3.34.0.3-1-2.2, =3.34.0.3-1-3.0, =3.34.0.3-1-2.2, =3.34.0.3-1-3.0, =3.0.1, =2.8.4-alpha1, =3.0.1-alpha1 and more Source cves: CVE-2022-317...
This Week in Spring - October 4th, 2022
Hi, Spring fans! Welcome to another installment of This Week in Spring! It's October 4th, 2022, and I'm in Austin, TX, for the new version of the show formerly known as the Kafka Summit, here to talk to folks about the amazing opportunities for Spring Boot and Apache Kafka. On the 12th, I'll be in...
Vmware Spring Framework Remote Code Execution (CVE-2020-5398)
A remote code execution vulnerability exists in VMware Spring Framework. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system...
Security Bulletin: IBM Case Manager is affected but not classified as vulnerable to a remote code execution in Spring Framework [CVE-2022-22965]
Summary IBM Case Manager is affected but not classified as vulnerable to a remote code execution in Spring Framework CVE-2022-22965. To be vulnerable a product must meet all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. Packaged as WAR in contrast t...
CVE-2022-23726
PingCentral versions prior to listed versions expose Spring Boot actuator endpoints that with administrative authentication return large amounts of sensitive environmental and application information...