6746 matches found
Code injection
Applications that allow HTTP PATCH access to resources exposed by Spring Data REST in versions 3.6.0 - 3.6.6, 3.7.0 - 3.7.2, and older unsupported versions are affected: if an attacker knows the structure of the underlying domain model, they can craft HTTP requests that expose hidden entity attributes...
CVE-2022-31679
CVE-2022-31679 affects VMware Spring Data REST. The issue allows an attacker who knows the domain model to craft HTTP PATCH requests that expose hidden entity attributes. Affected versions include Spring Data REST 3.5.5 and older, 3.6.0–3.6.6, and 3.7.0–3.7.2. The central root cause is improper h...
Spring Session 2022.0.0-M3 Released
On behalf of the team, I'm pleased to announce the release of Spring Session 2022.0.0-M3. These releases deliver enhancements, bug fixes, and dependency upgrades. For your convenience, Spring Boot will pick up these artifacts with its upcoming releases. The following modules were updated as part...
VMware Spring Data REST security vulnerability
VMware Spring Data REST is a data interface from VMware, Inc. It is used to build on top of the Spring Data repository, analyze an application's domain model, and expose hypermedia-driven HTTP resources for aggregations contained in the model. A security vulnerability exists in VMware Spring Data...
PT-2022-20886 · Spring · Spring Data Rest
Name of the Vulnerable Software and Affected Versions: Spring Data REST versions 3.5.5 and earlier; Spring Data REST versions 3.6.0 through 3.6.6; Spring Data REST versions 3.7.0 through 3.7.2. Description: The issue allows attackers to expose hidden entity attributes by crafting HTTP requests, if...
This Week in Spring - September 20th, 2022
Hi, Spring fans! Welcome to another installment of This Week in Spring wherein I endeavor as best as I can to capture the latest-and-greatest in the wide, wacky, and wonderful world of Springdom! Naturally, I fail miserably basically every week. There's no way I could hope to capture everything of...
Spring Data REST Vulnerability (CVE-2022-31679)
Updates: 09-19 Vulnerability announced here, and Spring Data REST 3.6.7 and 3.7.3 released; 09-19 Blog post updated to refer to the CVE report published. The Spring Data 2021.1.7 and 2021.2.3 releases shipped on September 19th contained releases for Spring Data REST 3.6.7 and 3.7.3 which include...
Security Bulletin: Rational Test Control Panel component in Rational Test Virtualization Server and Rational Test Workbench is vulnerable to a denial of service attack in Spring Framework (CVE-2022-22971)
Summary: Spring Framework is vulnerable to a security issue affecting Rational Test Control Panel. Vulnerability Details: CVEID: CVE-2022-22971. DESCRIPTION: VMware Tanzu Spring Framework is vulnerable to a denial of service, caused by a flaw in a STOMP over WebSocket endpoint. By sending a...
A Bootiful Podcast: big data legend, former Pivot, and friend to the Spring community, Tim Spann
Hi, Spring fans! In this installment, Josh Long @starbuxman talks to big data legend, former Pivot, and friend to the Spring community, Tim Spann @PaaSDev, about big data, StreamNative, and Apache Pulsar, and Spring for Apache Pulsar. Get your notebooks ready for this one, class!...
Security Bulletin: IBM Sterling Control Center is vulnerable to denial of service by authenticated user due to Spring Framework (CVE-2022-22971)
Summary Spring Framework is vulnerable to a denial of service, caused by a flaw with a STOMP over WebSocket endpoint. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition. IBM Sterling Control Center uses...
Security Bulletin: IBM Sterling Control Center is vulnerable to denial of service due to Spring Framework (CVE-2022-22970)
Summary Spring Framework is vulnerable to a denial of service, caused by a flaw in the handling of file uploads. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition. IBM Sterling Control Center uses Spring...
Synchrony Proxy: spring-beans 5.3.19 is vulnerable to CVE-2022-22970
Issue Summary: spring-beans is vulnerable to CVE-2022-22970. This is reproducible on Data Center: yes. Steps to Reproduce: Install Confluence 7.13.9; Step 2 ... Expected Results: Expect that synchrony-proxy/WEB-INF/lib contains spring-beans-5.3.20.jar or higher. Actual Results...
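The version ranges quoted in the CVE-2022-31679 entries above (3.5.5 and earlier, 3.6.0 through 3.6.6, 3.7.0 through 3.7.2, fixed in 3.6.7 and 3.7.3) and the spring-beans 5.3.20 expectation in the Confluence ticket above are the kind of thing worth checking mechanically across a build rather than by eye. The following is an added example, not code from the Spring project, VMware or Atlassian: it scans `mvn dependency:list` output for artifacts inside those ranges. The sample output is constructed, and the rule table and function names are assumptions made here; the spring-beans rule encodes only the 5.3.x expectation the ticket states, not any other release line.

```python
import re

# Affected ranges for CVE-2022-31679 as listed in the entries above:
# 3.5.5 and earlier, 3.6.0 through 3.6.6, 3.7.0 through 3.7.2 (fixed in 3.6.7 / 3.7.3).
# The spring-beans rule (assumption) encodes only the Confluence ticket's expectation
# that the 5.3 line must be at 5.3.20 or higher for CVE-2022-22970.
RULES = [
    # (artifact substring, CVE id, [(lowest inclusive, highest inclusive), ...])
    ("spring-data-rest", "CVE-2022-31679",
     [((0, 0, 0), (3, 5, 5)), ((3, 6, 0), (3, 6, 6)), ((3, 7, 0), (3, 7, 2))]),
    ("spring-beans", "CVE-2022-22970",
     [((5, 3, 0), (5, 3, 19))]),
]

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")

# Coordinate form printed by `mvn dependency:list`:
#   groupId:artifactId:type[:classifier]:version:scope
COORD_RE = re.compile(r"([\w.\-]+):([\w.\-]+):\w+(?::[\w\-]+)?:([\w.\-]+):\w+")


def parse_version(text):
    """Turn '3.7.2' or '3.7.2-SNAPSHOT' into (3, 7, 2); None if no major.minor.patch prefix."""
    m = VERSION_RE.match(text)
    return tuple(int(x) for x in m.groups()) if m else None


def affected_by(artifact, version):
    """Return the CVE ids whose affected ranges contain this artifact version."""
    v = parse_version(version)
    if v is None:
        return []
    hits = []
    for needle, cve, ranges in RULES:
        if needle in artifact and any(lo <= v <= hi for lo, hi in ranges):
            hits.append(cve)
    return hits


def scan_dependency_list(text):
    """Scan `mvn dependency:list` output; return (group:artifact, version, cve) findings."""
    findings = []
    for line in text.splitlines():
        m = COORD_RE.search(line)
        if not m:
            continue
        group, artifact, version = m.groups()
        for cve in affected_by(artifact, version):
            findings.append((f"{group}:{artifact}", version, cve))
    return findings


# Constructed sample: a few lines in the shape `mvn dependency:list` prints.
# (A real build would not mix rest-core 3.7.2 with rest-webmvc 3.7.3; the mismatch
# is deliberate so that one artifact is flagged and the other is not.)
SAMPLE_MVN_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework.data:spring-data-rest-core:jar:3.7.2:compile
[INFO]    org.springframework.data:spring-data-rest-webmvc:jar:3.7.3:compile
[INFO]    org.springframework:spring-beans:jar:5.3.19:compile
[INFO]    org.springframework:spring-web:jar:5.3.20:compile
"""

if __name__ == "__main__":
    for coord, version, cve in scan_dependency_list(SAMPLE_MVN_OUTPUT):
        print(f"{coord} {version} is in the affected range for {cve}")
```

Feed real `mvn dependency:list` output to `scan_dependency_list` to use it on a build; jars sitting on disk (as in the Confluence ticket, `spring-beans-5.3.20.jar`) carry the version in the file name rather than in a coordinate string, so they need a different pattern than `COORD_RE`. The rule table is the only thing that needs editing when another advisory publishes ranges.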
This Week in Spring - September 13th, 2022
Hi, Spring fans! Welcome to another installment of This Week in Spring! We've got a lot of good stuff to get to so let's dive right into it! A Bootiful Podcast: HashiCorp's Rosemary Wang on securing the intersection of apps and ops with HashiCorp Vault a nice video by my colleague Dan Vega: Spring...
springframework: malicious input leads to insertion of additional log entries
In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries...
This Week in Spring - September 5th, 2022
Hi, Spring fans! How are you? It's a fantastic Tuesday, the 5th of September, 2022, and I couldn't be happier. It's also Labor Day weekend here in the US. It marks the unofficial end of summer, which is a bit sad. But, on the upside, it's a four-day weekend for me! I'm technically off today. So, you'll...
Vulnerabilities fixed in NetApp Active IQ Unified Manager
NetApp has fixed vulnerabilities in the Spring Security component of Active IQ Unified Manager for Windows, Linux, and VMware vSphere. The vulnerabilities allow a malicious party to execute attacks that result in the following categories of damage: Denial of Service (DoS); Manipulation of data...
kkFileView path traversal vulnerability
Keking kkFileView is a Spring Boot project from Keking Technology (Keking) for online previewing of files and documents. A path traversal vulnerability in kkFileView v4.0.0 allows arbitrary file deletion through the fileName parameter of...
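The fileName parameter flaw described above is the usual shape of a traversal bug: a request-controlled name is joined onto a server directory and the result is deleted without checking that it still lies inside that directory. The following is an added example and not kkFileView's own code: it shows the unchecked join beside a containment check that resolves both sides to real paths and rejects `..`, absolute paths and symlinks that escape. The preview directory layout, file names and function names are assumptions made here.

```python
import os
import tempfile


def resolve_within(base_dir, file_name):
    """Return the real path of file_name if it lies inside base_dir, else None.

    Both sides go through os.path.realpath so that '..' segments, absolute
    inputs and symlinks pointing outside the directory are all caught by the
    single prefix comparison below.
    """
    base = os.path.realpath(base_dir)
    # os.path.join discards base when file_name is absolute; realpath then
    # yields a path outside base and the prefix test rejects it.
    candidate = os.path.realpath(os.path.join(base, file_name))
    if candidate == base or not candidate.startswith(base + os.sep):
        return None
    return candidate


def unsafe_delete_path(base_dir, file_name):
    """The vulnerable pattern: the parameter is joined on with no containment check,
    so '../' walks out of base_dir. Returns the path only; nothing is deleted here."""
    return os.path.join(base_dir, file_name)


def safe_delete(base_dir, file_name):
    """Delete file_name only if it resolves inside base_dir. True when a file was removed."""
    target = resolve_within(base_dir, file_name)
    if target is None or not os.path.isfile(target):
        return False
    os.remove(target)
    return True


def demo():
    """Build a throwaway layout (constructed for this example) and exercise both paths.

    root/
      preview/report.pdf   <- the only file a preview service should be able to delete
      secret.txt           <- outside the preview directory
    """
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "preview")
        os.mkdir(base)
        with open(os.path.join(base, "report.pdf"), "w") as f:
            f.write("pdf")
        secret = os.path.join(root, "secret.txt")
        with open(secret, "w") as f:
            f.write("do not delete")

        results = {
            "plain": safe_delete(base, "report.pdf"),            # inside: deleted
            "traversal": safe_delete(base, "../secret.txt"),     # '..' escape: refused
            "absolute": safe_delete(base, secret),               # absolute path: refused
            "secret_survives": os.path.exists(secret),
            # the unchecked join lands on the file outside the directory
            "unsafe_escapes": os.path.realpath(unsafe_delete_path(base, "../secret.txt"))
                              == os.path.realpath(secret),
        }
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The prefix test compares against `base + os.sep` rather than `base` alone so that a sibling directory such as `preview2/` is not accepted as being inside `preview/`. URL-decoding is left to the web framework; the check runs on the decoded value the handler receives.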
A Bootiful Podcast: Dr. Kris De Volder on Spring Tools, VS Code, and so much more
Hi, Spring fans! In this episode Josh Long @starbuxman talks to Dr. Kris De Volder, a longtime member of the Spring Tools team, about all the cool stuff he's worked on and is going to work on. And then we get knee deep into a discussion around building IDE integrations...