Lucene search

6724 matches found

RedHat Linux
added 2022/07/07 2:19 p.m., 0 views

springframework: Authorization Bypass in RegexRequestMatcher

A flaw was found in Spring Security. RegexRequestMatcher can easily be misconfigured so that it is bypassed on some servlet containers. Applications using RegexRequestMatcher with a '.' in the regular expression are possibly vulnerable to an authorization bypass...

CVSS 9.8 | AI score 7.3 | EPSS 0.90224
Exploits: 6 | References: 5
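The bypass described in the entry above, as an added Python example (not Spring Security's code): java.util.regex and Python's re share the rule that '.' does not match a line terminator unless the pattern is compiled with DOTALL, so a pattern such as ^/admin/.*$ that is meant to fence off /admin/ fails to match a path carrying a percent-encoded newline, and an application whose remaining rules fall through to permit-all lets the request in. The admin pattern, the request paths and the permit-all fallback are constructed for illustration; the hardened variant compiles the same pattern with re.DOTALL.

```python
import re
from urllib.parse import unquote

# Added illustration, not Spring Security source. The admin pattern, the
# request paths and the permit-all fallback rule are constructed assumptions.
ADMIN_PATTERN = r"^/admin/.*$"


def decode_path(raw_request_path: str) -> str:
    """Percent-decode the path the way a container that accepts %0a in the
    request line hands it to the application ('/admin/%0ausers' -> '/admin/\\nusers')."""
    return unquote(raw_request_path)


def admin_matcher_vulnerable(path: str) -> bool:
    """Pattern compiled with default flags: '.' stops at '\\n', so the whole-path
    match (the equivalent of Matcher.matches()) fails on a path containing a newline."""
    return re.fullmatch(ADMIN_PATTERN, path) is not None


def admin_matcher_hardened(path: str) -> bool:
    """Same pattern compiled with DOTALL, so '.' also consumes line terminators."""
    return re.fullmatch(ADMIN_PATTERN, path, flags=re.DOTALL) is not None


def authorize(raw_request_path: str, has_admin_role: bool, admin_matcher) -> str:
    """Two-rule policy: paths matched by admin_matcher need the admin role;
    everything else is permitted, which is what turns a non-matching admin
    path into an open one."""
    path = decode_path(raw_request_path)
    if admin_matcher(path):
        return "ALLOW" if has_admin_role else "DENY"
    return "ALLOW"


if __name__ == "__main__":
    for raw in ("/admin/users", "/admin/%0ausers"):
        print(raw,
              "vulnerable:", authorize(raw, False, admin_matcher_vulnerable),
              "hardened:", authorize(raw, False, admin_matcher_hardened))
```

Whether the newline ever reaches the matcher depends on the container: one that rejects or normalises %0a in the request line never exposes the gap, which is why the advisory scopes the bypass to "some servlet containers". Compiling with DOTALL, or writing the pattern without '.', removes the dependency on container behaviour.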
RedHat Linux
added 2022/07/07 2:19 p.m., 1 views

springframework: Additional Log Injection in Spring Framework (follow-up to CVE-2021-22096)

In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. This is a follow-up to CVE-2021-22096 that protects against additional types of input and in more...

CVSS 4.3 | AI score 6.8 | EPSS 0.00176
Exploits: 0 | References: 4
RedHat Linux
added 2022/07/07 2:19 p.m., 0 views

springframework: DoS with STOMP over WebSocket

A flaw was found in Spring Framework. Applications that use STOMP over the WebSocket endpoint are vulnerable to a denial of service attack caused by an authenticated user...

CVSS 6.5 | AI score 7.3 | EPSS 0.00247
Exploits: 0 | References: 5
RedHat Linux
added 2022/07/07 2:19 p.m., 1 views

springframework: DoS via data binding to multipartFile or servlet part

A flaw was found in Spring Framework. Applications that handle file uploads are vulnerable to a denial of service (DoS) attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object...

CVSS 5.3 | AI score 7.1 | EPSS 0.00164
Exploits: 1 | References: 5
RedHat Linux
added 2022/07/07 2:19 p.m., 1 views

Framework: Data Binding Rules Vulnerability

In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive, which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the fiel...

CVSS 5.3 | AI score 6.7 | EPSS 0.2051
Exploits: 2 | References: 5
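The case-sensitivity gap described in the entry above, as an added Python example (not Spring Framework code): a toy binder that resolves dotted property paths the JavaBeans way, decapitalising the first character of each property name so that 'Class' and 'class' reach the same getter, while its disallowedFields check compares patterns case-sensitively. A deny-list of ["class.*"] therefore stops 'class.module.classLoader.resourceRoot' (the kind of path abused in CVE-2022-22965) but not 'Class.module.classLoader.resourceRoot'. The target object graph, the simplified '*' wildcard matcher standing in for Spring's simpleMatch, and the case-insensitive hardened mode are constructed assumptions.

```python
import re
from types import SimpleNamespace

# Added illustration, not Spring Framework source. The object graph, the
# simplified '*' wildcard matcher and the hardened flag are constructed assumptions.


def decapitalize(name: str) -> str:
    """JavaBeans-style property naming: 'Class' and 'class' name the same property."""
    return name[:1].lower() + name[1:]


def simple_match(pattern: str, text: str, case_insensitive: bool = False) -> bool:
    """Deny-list matcher supporting '*' wildcards (a simplified stand-in for
    Spring's PatternMatchUtils.simpleMatch, which compares case-sensitively)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(regex, text, flags) is not None


class DataBinder:
    def __init__(self, target, disallowed_fields, case_insensitive=False):
        self.target = target
        self.disallowed_fields = list(disallowed_fields)
        self.case_insensitive = case_insensitive  # False reproduces the flaw, True the hardening

    def is_allowed(self, field_path: str) -> bool:
        return not any(simple_match(p, field_path, self.case_insensitive)
                       for p in self.disallowed_fields)

    def bind(self, params: dict) -> list:
        """Apply request parameters to the target; return the rejected field paths."""
        rejected = []
        for field_path, value in params.items():
            if not self.is_allowed(field_path):
                rejected.append(field_path)
                continue
            obj = self.target
            parts = field_path.split(".")
            for part in parts[:-1]:          # walk nested properties
                obj = getattr(obj, decapitalize(part))
            setattr(obj, decapitalize(parts[-1]), value)
        return rejected


def make_target():
    """Form object whose 'class' property leads, like Java's getClass().getModule()
    .getClassLoader(), to a nested object a request must never be able to write."""
    class_loader = SimpleNamespace(resourceRoot="/srv/app/webapp")
    module = SimpleNamespace(classLoader=class_loader)
    return SimpleNamespace(name="", **{"class": SimpleNamespace(module=module)})


# Constructed request parameters: one legitimate field plus the capitalised path.
ATTACK_PARAMS = {
    "name": "alice",
    "Class.module.classLoader.resourceRoot": "/tmp/attacker-controlled",
}


def run_binding(case_insensitive: bool):
    """Bind ATTACK_PARAMS with disallowedFields=['class.*'];
    return (resulting resourceRoot, list of rejected paths)."""
    target = make_target()
    binder = DataBinder(target, ["class.*"], case_insensitive)
    rejected = binder.bind(ATTACK_PARAMS)
    loader = getattr(target, "class").module.classLoader
    return loader.resourceRoot, rejected


if __name__ == "__main__":
    print("case-sensitive deny-list:", run_binding(False))
    print("case-insensitive deny-list:", run_binding(True))
```

The deeper lesson is the one the advisory implies: a deny-list on property names is only as good as the canonicalisation applied before the comparison, so an allow-list of bindable fields (Spring's setAllowedFields) is the safer default.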
RedHat Linux
added 2022/07/07 2:19 p.m., 0 views

spring-security: Denial-of-Service (DoS) attack via initiation of Authorization Request

Spring Security versions 5.5.x prior to 5.5.1, 5.4.x prior to 5.4.7, 5.3.x prior to 5.3.10 and 5.2.x prior to 5.2.11 are susceptible to a denial-of-service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client Web and WebFlux application. A malicious user or attacker c...

CVSS 7.5 | AI score 7.2 | EPSS 0.04895
Exploits: 0 | References: 4
RedHat Linux
added 2022/07/07 2:19 p.m., 165 views

Important: Red Hat Security Advisory: Red Hat Fuse 7.11.0 release and security update

A minor version update from 7.10 to 7.11 is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scorin...

CVSS 10 | AI score 7.1 | EPSS 0.93464
Exploits: 48 | References: 61
RedHat Linux
added 2022/07/07 2:19 p.m., 0 views

springframework: BCrypt skips salt rounds for work factor of 31

A flaw was found in Spring Security's BCrypt class. When it is used with the maximum work factor of 31, the encoder does not perform any salt rounds, due to an integer overflow error...

CVSS 5.3 | AI score 7.4 | EPSS 0.0036
Exploits: 0 | References: 5
Spring Engineering
added 2022/07/07 8:32 a.m., 14 views

Spring Shell 2.1.0-RC1 is now available

On behalf of the team and everyone who has contributed, I'm happy to announce that Spring Shell 2.1.0-RC1 has been released and is now available from . Please see the release notes for more details. Thanks to all those who have contributed with issue reports and pull requests. How can you help?...

AI score 7.2
Exploits: 0
vulnersOsv
added 2022/07/07 12:00 a.m., 3 views

br.com.ideotech:draw-out-spring-boot-aop (>=1.5.19-1.RELEASE <=1.5.19.RELEASE), br.com.ideotech:draw-out-spring-boot-lib (>=1.5.19-1.RELEASE <=1.5.19.RELEASE) +1769 more potentially affected by CVE-2022-33980 via org.apache.commons:commons-configuration2 (>=2.4 <=2.7)

org.apache.commons:commons-configuration2 MAVEN version =2.4, =1.5.19-1.RELEASE, =1.5.19-1.RELEASE, =1.5.19-1.RELEASE, =1.5.0, =1.9.17-0, =1.0.0-2024, =1.0.0-2024, =1.0.0-2024, =1.0.0, =1.0.1-2024, =3.5.0-jdk17-1.0.0, =3.5.0-jdk17-2.0.0 and more Source cves: CVE-2022-33980 Source advisory:...

CVSS 9.8 | AI score 7 | EPSS 0.86659
Exploits: 3
vulnersOsv
added 2022/07/06 12:00 a.m., 3 views

cc.cc4414:cc-spring-cloud-starter (>=0.3.0 <=0.8.0), cc.cc4414:cc-spring-cloud-starter-gateway (>=0.5.0 <=0.8.0) +1141 more potentially affected by CVE-2021-43116 via com.alibaba.nacos:nacos-client (>=0.1.0 <=2.0.3)

com.alibaba.nacos:nacos-client MAVEN version =0.1.0, =0.3.0, =0.5.0, =1.0.2, =1.0.0, =1.2.1, =1.0.4.R, =2.4.0, =1.1, =1.1, =1.0.0.RELEASE, =0.0.2, =0.0.2, =0.0.4.BETA, =1.0.0, =2.1.0 and more Source cves: CVE-2021-43116 Source advisory: OSV:GHSA-2G86-R6W2-WQQR...

CVSS 8.8 | AI score 7.2 | EPSS 0.05784
Exploits: 4
CNNVD
added 2022/07/06 12:00 a.m., 3 views

Mini-Tmall security vulnerability

Mini-Tmall is a mini Tmall-style shop built on Spring Boot, quick to deploy and run and suitable for use as a graduation-project template. A security vulnerability exists in Mini-Tmall v1.0; an attacker can exploit it to perform an insecure privilege attack via tomcat-embed-jasper...

CVSS 8.8 | AI score 8 | EPSS 0.05346
Exploits: 1 | References: 3
IBM Security Bulletins
added 2022/07/05 2:00 p.m., 33 views

Security Bulletin: IBM Tivoli Netcool Impact is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965)

Summary: IBM Tivoli Netcool Impact is affected but not classified as vulnerable to a remote code execution in Spring Framework (CVE-2022-22965). Spring is shipped as part of the ActiveMQ package but is not used by the product. The fix removes Spring from the product. Vulnerability Details CVEID:...

CVSS 9.8 | AI score 1.3 | EPSS 0.94428
Exploits: 99 | Affected software: 1
Spring Engineering
added 2022/07/05 9:00 a.m., 19 views

This Week in Spring - July 5th, 2022

Hi, Spring fans! Welcome to another installment of This Week in Spring! This week's all sorts of weird for me. It's Tuesday! But here in the US we just celebrated the 4th of July, and I, like many Americans, took a long weekend. Took some time with the family to do a little road trip up north to...

AI score 7.1
Exploits: 0
Spring Engineering
added 2022/06/30 8:00 p.m., 11 views

A Bootiful Podcast: Spring Developer Advocate Dan Vega

Hi, Spring fans! In this installment, Josh Long (@starbuxman) talks to fellow Spring Developer Advocate Dan Vega (@therealdanvega)...

AI score 1.9
Exploits: 0
RedhatCVE
added 2022/06/30 6:35 p.m., 45 views

CVE-2022-22980

A flaw was found in Spring Data MongoDB. This flaw allows an attacker to perform code injection when an application uses some annotations/query methods with Spring Expression Language (SpEL) expressions...

CVSS 9.8 | AI score 3.6 | EPSS 0.83316
Exploits: 3 | References: 3
IBM Security Bulletins
added 2022/06/29 2:18 a.m., 43 views

Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Spring Framework

Summary: IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of Spring Framework. Vulnerability Details CVEID: CVE-2022-22971 DESCRIPTION: VMware Tanzu Spring Framework is vulnerable to a denial of service, caused by a flaw with a STOMP over WebSocket endpoint. By sending...

CVSS 6.5 | AI score 1.1 | EPSS 0.2051
Exploits: 3 | Affected software: 1
Spring Engineering
added 2022/06/28 7:00 a.m., 16 views

This Week in Spring - June 28th, 2022

Hi, Spring fans! Welcome to another installment of This Week in Spring! I'm writing this from the Big Apple, New York City! I'm here for the SpringOne Tour 2022 NYC event. This is my first time back in New York City since before the pandemic and it has been so much fun. I've been catching up with...

AI score 7.1
Exploits: 0
IBM Security Bulletins
added 2022/06/24 5:34 p.m., 209 views

Security Bulletin: IBM QRadar SIEM is affected by a remote code execution in Spring Framework (CVE-2022-22963, CVE-2022-22965, CVE-2022-22950)

Summary: IBM QRadar SIEM is affected but not vulnerable to a remote code execution in Spring Framework (CVE-2022-22965), as it does not meet all of the following criteria: 1. JDK 9 or higher; 2. Apache Tomcat as the servlet container; 3. packaged as a WAR, in contrast to a Spring Boot executable jar; 4...

CVSS 9.8 | AI score 1.1 | EPSS 0.94462
Exploits: 130 | Affected software: 1
Spring Engineering
added 2022/06/24 4:00 a.m., 18 views

Spring Tips: Learn Spring for GraphQL (the last two episodes: parts 7 and 8)

Hi, Spring fans! In these installments, we continue our series introducing the Spring for GraphQL project. This series features Spring for GraphQL lead Rossen Stoyanchev (@rstoya05), whose work you may know from basically everything in the wide and wonderful world of Springdom having to do...

AI score 7.2
Exploits: 0