6707 matches found

vulnersOsv
added 2022/05/24 7:19 p.m., 3 views

ai.hyacinth.framework:core-service-api-support (=0.5.24), ai.hyacinth.framework:core-service-trigger-server (=0.5.24) +96 more potentially affected by CVE-2021-22044 via org.springframework.cloud:spring-cloud-openfeign-core (=2.2.0.RELEASE)

org.springframework.cloud:spring-cloud-openfeign-core MAVEN version =2.2.0.RELEASE is affected by a known vulnerability. The following packages have a transitive dependency on org.springframework.cloud:spring-cloud-openfeign-core and may be impacted: - ai.hyacinth.framework:core-service-api-suppo...

CVSS 7.5, AI score 7.1, EPSS 0.00328
Exploits: 0
vulnersOsv
added 2022/05/24 7:19 p.m., 3 views

cc.vihackerframework:vihacker-cloud-starter (>=1.0.4.R <=1.0.6.R), cc.vihackerframework:vihacker-feign-starter (>=1.0.4.R <=1.0.6.R) +330 more potentially affected by CVE-2021-22044 via org.springframework.cloud:spring-cloud-openfeign-core (>=3.0.0 <=3.0.4)

org.springframework.cloud:spring-cloud-openfeign-core MAVEN version =3.0.0, =1.0.4.R, =1.0.4.R, =1.2.12, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =2.1.0 and more Source cves: CVE-2021-22044 Source advisory: OSV:GHSA-PF94-6V2V-CM3J...

CVSS 7.5, AI score 7.1, EPSS 0.00328
Exploits: 0
vulnersOsv
added 2022/05/24 7:19 p.m., 0 views

cn.kduck:kduck-core (=1.1.0), cn.kduck:kduck-security (=1.1.0) +131 more potentially affected by CVE-2021-22097 via org.springframework.amqp:spring-amqp (>=2.3.0 <=2.3.10)

org.springframework.amqp:spring-amqp MAVEN version =2.3.0, =1.3.20, =1.0.0, =1.7, =0.0.1, =0.1.0, =0.0.1, =0.0.1, =0.2.1 - com.lwohvye:eladmin-system =2.6.14 and more Source cves: CVE-2021-22097 Source advisory: OSV:GHSA-FX7F-RJQJ-52PJ...

CVSS 6.8, AI score 6.5, EPSS 0.00434
Exploits: 0
vulnersOsv
added 2022/05/24 7:19 p.m., 3 views

be.personify.iam:personify-api (>=1.2.6.RELEASE <=1.3.1.RELEASE), be.personify.iam:personify-frontend (>=1.2.6.RELEASE <=1.3.0.RELEASE) +58 more potentially affected by CVE-2021-22047 via org.springframework.data:spring-data-rest-core (>=3.5.0 <=3.5.5)

org.springframework.data:spring-data-rest-core MAVEN version =3.5.0, =1.2.6.RELEASE, =1.2.6.RELEASE, =1.2.5.RELEASE, =5.12.1, =5.12.0, =5.12.0, =5.12.0, =5.12.0, =2.1.0, =2.1.0, =2.1.0, =2.1.2 and more Source cves: CVE-2021-22047 Source advisory: OSV:GHSA-4926-QPXG-6R3W...

CVSS 5.3, AI score 6, EPSS 0.00315
Exploits: 0
Github Security Blog
added 2022/05/24 7:19 p.m., 27 views

Exposure of Resource to Wrong Sphere in Spring Cloud OpenFeign

In Spring Cloud OpenFeign 3.0.0 to 3.0.4, 2.2.0.RELEASE to 2.2.9.RELEASE, and older unsupported versions, applications using type-level @RequestMapping annotations over Feign client interfaces may involuntarily expose endpoints corresponding to @RequestMapping-annotated interface methods...

CVSS 7.5, AI score 2.8, EPSS 0.00328
Exploits: 0, References: 3, Affected software: 1
Github Security Blog
added 2022/05/24 7:19 p.m., 23 views

Deserialization of Untrusted Data in Spring AMQP

In Spring AMQP versions 2.2.0 - 2.2.18 and 2.3.0 - 2.3.10, the Spring AMQP Message object, in its toString method, will deserialize a body for a message with content type application/x-java-serialized-object. It is possible to construct a malicious java.util.Dictionary object that can cause 100%...

CVSS 6.8, AI score 3.8, EPSS 0.00434
Exploits: 0, References: 3, Affected software: 1
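The advisory above turns on a detail worth checking for wherever AMQP bodies are handled: in the affected versions a body declared as application/x-java-serialized-object is deserialized merely by calling toString() on the Message object, which any log statement or debugger rendering does. The block below is an added example, not Spring AMQP's code and not its fix (the fix is to move off the affected version ranges). It reads only the Java serialization stream header to learn the declared top-level class, deserializes nothing, and applies an allow-list before a consumer or logging interceptor touches the body. The message bodies are constructed (the serialVersionUID and flag bytes are placeholders), the allowed class com.example.OrderEvent is hypothetical, and the two mismatch cases are handled too: a serialized payload hiding behind another content type, and a declared serialized-object body that is not one.

```python
import struct

# Java Object Serialization Stream Protocol constants.
STREAM_MAGIC = b"\xac\xed"
STREAM_VERSION = b"\x00\x05"
TC_OBJECT = 0x73
TC_CLASSDESC = 0x72

# Content type named in the advisory: bodies declared like this are what Message.toString()
# deserializes in the affected Spring AMQP versions.
SERIALIZED_OBJECT = "application/x-java-serialized-object"

# Policy for this example (an assumption, not Spring AMQP's): java.util.Hashtable is the JDK's
# concrete java.util.Dictionary implementation; com.example.OrderEvent is a hypothetical app type.
BLOCKED_CLASSES = {"java.util.Hashtable", "java.util.Properties"}
ALLOWED_CLASSES = {"com.example.OrderEvent"}


def java_stream_class(body):
    """Top-level class name of a Java serialization stream, or None if `body` is not one.

    Reads only the header: STREAM_MAGIC, STREAM_VERSION, TC_OBJECT, TC_CLASSDESC, then the
    class name as a 2-byte big-endian length followed by modified UTF-8 bytes. Nothing is
    deserialized, so a hostile payload cannot run code or burn CPU here. Streams whose first
    element is not an object with an inline class descriptor (a back-reference, an array)
    are reported as None as well.
    """
    if len(body) < 8 or body[:4] != STREAM_MAGIC + STREAM_VERSION:
        return None
    if body[4] != TC_OBJECT or body[5] != TC_CLASSDESC:
        return None
    (length,) = struct.unpack(">H", body[6:8])
    name = body[8:8 + length]
    if len(name) != length:
        return None
    return name.decode("utf-8", errors="replace")


def classify_message(content_type, body):
    """Decide what a consumer or logging interceptor may do with one message.

    Returns 'not-serialized' (no Java stream and none declared), 'reject-mismatch' (declared
    content type and actual bytes disagree), 'reject-blocked', 'reject-unknown' or 'allow'.
    """
    declared = (content_type or "").split(";")[0].strip().lower() == SERIALIZED_OBJECT
    cls = java_stream_class(body)
    if cls is None and not declared:
        return "not-serialized"
    if cls is None or not declared:
        return "reject-mismatch"
    if cls in BLOCKED_CLASSES:
        return "reject-blocked"
    if cls in ALLOWED_CLASSES:
        return "allow"
    return "reject-unknown"


def serialized_object_header(class_name):
    """Constructed stream prefix for an object of `class_name` (placeholder UID/flag bytes)."""
    name = class_name.encode("utf-8")
    return (STREAM_MAGIC + STREAM_VERSION + bytes([TC_OBJECT, TC_CLASSDESC])
            + struct.pack(">H", len(name)) + name + b"\x00" * 8 + b"\x02\x00\x00")


# Constructed sample messages (content type, body); none are captured traffic.
SAMPLES = [
    ("application/json", b'{"orderId": 42}'),
    (SERIALIZED_OBJECT, serialized_object_header("java.util.Hashtable")),
    (SERIALIZED_OBJECT, serialized_object_header("com.example.OrderEvent")),
    (SERIALIZED_OBJECT, serialized_object_header("com.example.Unknown")),
    ("text/plain", serialized_object_header("java.util.Hashtable")),   # stream behind a text type
    (SERIALIZED_OBJECT, b"not a java stream"),                         # declared, but not one
]


def classify_samples(samples=SAMPLES):
    """Verdict for each sample, in order."""
    return [classify_message(ct, body) for ct, body in samples]


if __name__ == "__main__":
    for (ct, body), verdict in zip(SAMPLES, classify_samples()):
        print(f"{verdict:17} {ct:40} class={java_stream_class(body)}")
```

Matching by name cannot see that an unknown class extends Hashtable, which is why the allow-list rather than the block-list is the control; the block-list only gives a clearer reason in the log line. Since the header is read without instantiating anything, this check is safe to run on the same bytes that would otherwise reach toString().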
vulnersOsv
added 2022/05/24 7:19 p.m., 3 views

com.github.paulcwarren:content-rest-spring-boot-starter (=1.2.0), com.github.paulcwarren:spring-content-rest (=1.2.0) +18 more potentially affected by CVE-2021-22047 via org.springframework.data:spring-data-rest-core (>=3.4.0 <=3.4.13)

org.springframework.data:spring-data-rest-core MAVEN version =3.4.0, =1.5.0, =1.5.0, =1.5.0, =0.9.0, =0.3.0, =1.5.0, =2.4.0, =2.7.3, =2.7.3, =2.7.3, =2.7.3, =2.7.4 and more Source cves: CVE-2021-22047 Source advisory: OSV:GHSA-4926-QPXG-6R3W https://vulners.co...

CVSS 5.3, AI score 6, EPSS 0.00315
Exploits: 0
vulnersOsv
added 2022/05/24 7:19 p.m., 0 views

br.com.itsme:commons (>=0.0.4-ALPHA <=0.0.5-ALPHA), cn.amossun:starter-event (>=1.2.0-RELEASE <=1.2.1-RELEASE) +216 more potentially affected by CVE-2021-22097 via org.springframework.amqp:spring-amqp (>=2.2.0.RELEASE <=2.2.18.RELEASE)

org.springframework.amqp:spring-amqp MAVEN version =2.2.0.RELEASE, =0.0.4-ALPHA, =1.2.0-RELEASE, =0.2.0, =0.2.0, =0.2.0, =0.0.9, =1.1, =0.1.0, =0.1.0, =0.2.0 - com.farao-community.farao:gridcapa-dichotomy-runner-app =0.1.0 - com.farao-community.farao:gridcapa-dichotomy-runner-spring-boot-starter...

CVSS 6.8, AI score 6.5, EPSS 0.00434
Exploits: 0
OSV
added 2022/05/24 7:19 p.m., 1 view

GHSA-4926-QPXG-6R3W Exposure of Resource to Wrong Sphere in Spring Data REST

In Spring Data REST versions 3.4.0 - 3.4.13, 3.5.0 - 3.5.5, and older unsupported versions, HTTP resources implemented by custom controllers using a configured base API path and a controller type-level request mapping are additionally exposed under URIs that can potentially be exposed for...

CVSS 5.3, AI score 6.1, EPSS 0.00315
Exploits: 0, References: 2
vulnersOsv
added 2022/05/24 7:06 p.m., 0 views

cc.ecore:spring-jfinal (=0.0.1), cc.ecore:spring-jfinal-plugin (>=0.1.0 <=0.1.2) +162 more potentially affected by CVE-2021-31649 via com.jfinal:jfinal (>=1.4 <=4.9.08)

com.jfinal:jfinal MAVEN version =1.4, =0.1.0, =0.1.1, =1.0.0, =1.0, =3.30.7-RELEASE, =0.0.8, =0.0.8, =0.0.8, =1.29.1.trial, =1.29.1.trial, =1.45.0 - cn.dreampie:jfinal-akka =0.1 - cn.dreampie:jfinal-captcha =0.1 and more Source cves: CVE-2021-31649 Source advisory: OSV:GHSA-H3J8-FR5Q-8RFR...

CVSS 9.8, AI score 7.2, EPSS 0.00405
Exploits: 1
Github Security Blog
added 2022/05/24 7:03 p.m., 36 views

Improper Privilege Management in Spring Framework

In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by recreating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFl...

CVSS 7.8, AI score 4, EPSS 0.00253
Exploits: 0, References: 13, Affected software: 1
vulnersOsv
added 2022/05/24 7:03 p.m., 1 view

africa.absa:inception-api (>=1.1.0 <=1.2.0), africa.absa:inception-application (>=1.1.0 <=1.2.0) +15986 more potentially affected by CVE-2021-22118 via org.springframework:spring-web (>=5.3.0 <=5.3.6)

org.springframework:spring-web MAVEN version =5.3.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =4.4.0.2, =4.6.0.0 - ai.apiverse:apipulse =1.0.1 and more Source cves: CVE-2021-22118 Source advisory: OSV:GHSA-GFWJ-FWQJ-FP3V...

CVSS 7.8, AI score 6.7, EPSS 0.00253
Exploits: 0
vulnersOsv
added 2022/05/24 7:03 p.m., 5 views

ai.ylyue:yue-library-auth-client (>=j8.2.3.0 <=j11.2.3.3), ai.ylyue:yue-library-auth-service (>=j8.2.3.0 <=j11.2.3.3) +3253 more potentially affected by CVE-2021-22118 via org.springframework:spring-web (>=5.2.0.RELEASE <=5.2.14.RELEASE)

org.springframework:spring-web MAVEN version =5.2.0.RELEASE, =j8.2.3.0, =j8.2.3.0, =j8.2.3.0, =j8.2.3.0, =j8.2.3.0, =j8.2.3.0, =j8.2.3.0, =j8.2.3.0, =j8.2.3.0, =j8.2.3.0, =2.3.0.RELEASE, =2.3.0.RELEASE, =2.3.0.RELEASE, =2.3.0.RELEASE, =2.3.1.RELEASE -...

CVSS 7.8, AI score 6.7, EPSS 0.00253
Exploits: 0
OSV
added 2022/05/24 7:03 p.m., 0 views

GHSA-GFWJ-FWQJ-FP3V Improper Privilege Management in Spring Framework

In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by recreating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFl...

CVSS 7.8, AI score 6.9, EPSS 0.00253
Exploits: 0, References: 13
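The two entries above describe the same local attack on the WebFlux multipart temp directory: another local user recreates it, and the application then reads or writes upload files in a directory the attacker controls. Beyond upgrading, the operational check is that the upload directory is owned by the service account, is mode 0700, is not a symlink, and is not reachable through a world-writable parent without the sticky bit. The block below is an added example, not Spring's code, and that list of checks is this editor's assumption rather than anything the advisory states; demo() builds one hardened and one sloppy directory under a fresh base and checks both.

```python
import os
import stat
import tempfile


def check_private_dir(path, trusted_root=None):
    """Return the reasons `path` is unsafe as a private upload/temp directory ([] if it passes).

    Checks (this example's own list, not the advisory's):
      - exists, is a directory and not a symlink (a symlink redirects writes elsewhere);
      - owned by the effective uid of this process (a directory pre-created by another
        local user fails here);
      - no group/other permission bits, i.e. mode 0700;
      - every ancestor below `trusted_root` (or up to /) is not world-writable unless it is
        sticky, so nobody else can delete and recreate the directory itself.
    POSIX only (relies on os.geteuid and the sticky bit).
    """
    uid = os.geteuid()
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path}: does not exist"]
    if stat.S_ISLNK(st.st_mode):
        return [f"{path}: is a symlink"]
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path}: is not a directory"]
    findings = []
    if st.st_uid != uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, not uid {uid}")
    if st.st_mode & 0o077:
        findings.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o} grants group/other access")
    root = os.path.abspath(trusted_root) if trusted_root else None
    parent = os.path.dirname(os.path.abspath(path))
    while parent != root:
        pst = os.stat(parent)
        if pst.st_mode & stat.S_IWOTH and not pst.st_mode & stat.S_ISVTX:
            findings.append(f"{parent}: world-writable without the sticky bit")
        nxt = os.path.dirname(parent)
        if nxt == parent:   # reached the filesystem root
            break
        parent = nxt
    return findings


def demo():
    """Create one hardened and one sloppy directory under a fresh base and check both.

    The base itself is passed as trusted_root so only the directories this demo created are
    judged, not whatever the system's temp location happens to look like.
    """
    base = tempfile.mkdtemp()
    good = tempfile.mkdtemp(dir=base)          # mkdtemp creates with mode 0700
    bad = os.path.join(base, "uploads")
    os.mkdir(bad)
    os.chmod(bad, 0o777)                       # shared, as a directory under /tmp often is
    return {
        "good": check_private_dir(good, trusted_root=base),
        "bad": check_private_dir(bad, trusted_root=base),
        "missing": check_private_dir(os.path.join(base, "nope"), trusted_root=base),
    }


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings or ["ok"])
    # Same check against the process-wide temp location this host would hand a JVM by default.
    for finding in check_private_dir(tempfile.gettempdir()):
        print("system temp:", finding)
```

Pointing the application at a dedicated directory that passes this check (rather than a path under the shared system temp location) is the configuration change that removes the shared-directory precondition; run the check at startup and refuse to serve uploads if it reports anything.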
IBM Security Bulletins
added 2022/05/24 5:28 p.m., 421 views

Security Bulletin: IBM Sterling Connect:Direct for UNIX is affected but not classified as vulnerable to a remote code execution in Spring Framework (CVE-2022-22965)

Summary IBM Sterling Connect:Direct for UNIX is affected but not classified as vulnerable to a remote code execution in Spring Framework CVE-2022-22965 as it does not meet all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. Packaged as WAR in contrast ...

CVSS 9.8, AI score 1, EPSS 0.94428
Exploits: 99, Affected software: 1
OSV
added 2022/05/24 5:20 p.m., 21 views

GHSA-4PH4-Q9R5-6WM6 Deserialization of Untrusted Data in Spring Batch

When configured to enable default typing, Jackson contained a deserialization vulnerability that could lead to arbitrary code execution. Jackson fixed this vulnerability by blacklisting known "deserialization gadgets". Spring Batch configures Jackson with global default typing enabled which means...

CVSS 8.1, AI score 8.2, EPSS 0.00805
Exploits: 0, References: 3
vulnersOsv
added 2022/05/24 5:20 p.m., 0 views

ca.uhn.hapi.fhir:hapi-fhir-cli-api (=5.1.0), ca.uhn.hapi.fhir:hapi-fhir-cli-jpaserver (=5.1.0) +152 more potentially affected by CVE-2020-5411 via org.springframework.batch:spring-batch-core (>=4.0.0.RELEASE <=4.2.2.RELEASE)

org.springframework.batch:spring-batch-core MAVEN version =4.0.0.RELEASE, =3.0.0.RELEASE, =3.0.0.RELEASE, =4.2.0, =4.2.0, =3.0.0, =2020.08.001 and more Source cves: CVE-2020-5411 Source advisory: OSV:GHSA-4PH4-Q9R5-6WM6...

CVSS 8.1, AI score 7.2, EPSS 0.00805
Exploits: 0
Github Security Blog
added 2022/05/24 5:20 p.m., 21 views

Deserialization of Untrusted Data in Spring Batch

When configured to enable default typing, Jackson contained a deserialization vulnerability that could lead to arbitrary code execution. Jackson fixed this vulnerability by blacklisting known "deserialization gadgets". Spring Batch configures Jackson with global default typing enabled which means...

CVSS 8.1, AI score 8.3, EPSS 0.00805
Exploits: 0, References: 3, Affected software: 1
vulnersOsv
added 2022/05/24 5:09 p.m., 1 view

com.aiwiown:aiwiown-spring-cache (>=1.0.0 <=1.0.2-2.0.1), com.connexta.libera:libera (>=1.0.1 <=1.1.1) +101 more potentially affected by CVE-2020-8441 via org.jyaml:jyaml (=1.3)

org.jyaml:jyaml MAVEN version =1.3 is affected by a known vulnerability. The following packages have a transitive dependency on org.jyaml:jyaml and may be impacted: - com.aiwiown:aiwiown-spring-cache =1.0.0, =1.0.1, =1.0.0, =1.0.1, =0.1.3, =0.1.2, =0.1.2, =0.1.3, =0.1.3, =0.1.2, =0.1.2, =0.1.2,...

CVSS 9.8, AI score 7.2, EPSS 0.0758
Exploits: 1
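Every vulnersOsv entry above has the same shape: a direct dependency in an affected Maven version range, plus the packages that pull it in transitively. The check a practitioner wants is the corresponding one against their own build. The script below is an added example, not Vulners' code or any advisory's; it parses `mvn dependency:tree` output (the sample tree is constructed) and tests each artifact against the inclusive ranges listed on this page. The version ordering is a simplified re-implementation of the rules of Maven's ComparableVersion, so `2.2.18.RELEASE` compares equal to `2.2.18` (assumption: the ranges on this page use Maven version semantics); the distinction Maven draws between `1.0-1` and `1.0.1` is not modelled.

```python
import re
import sys

# Affected ranges copied from the advisories on this page (inclusive Maven version bounds).
ADVISORIES = [
    ("CVE-2021-22044", "org.springframework.cloud:spring-cloud-openfeign-core", "2.2.0.RELEASE", "2.2.9.RELEASE"),
    ("CVE-2021-22044", "org.springframework.cloud:spring-cloud-openfeign-core", "3.0.0", "3.0.4"),
    ("CVE-2021-22097", "org.springframework.amqp:spring-amqp", "2.2.0.RELEASE", "2.2.18.RELEASE"),
    ("CVE-2021-22097", "org.springframework.amqp:spring-amqp", "2.3.0", "2.3.10"),
    ("CVE-2021-22047", "org.springframework.data:spring-data-rest-core", "3.4.0", "3.4.13"),
    ("CVE-2021-22047", "org.springframework.data:spring-data-rest-core", "3.5.0", "3.5.5"),
    ("CVE-2021-22118", "org.springframework:spring-web", "5.2.0.RELEASE", "5.2.14.RELEASE"),
    ("CVE-2021-22118", "org.springframework:spring-web", "5.3.0", "5.3.6"),
    ("CVE-2020-5411", "org.springframework.batch:spring-batch-core", "4.0.0.RELEASE", "4.2.2.RELEASE"),
    ("CVE-2020-8441", "org.jyaml:jyaml", "1.3", "1.3"),
]

# Qualifier ordering used by Maven: alpha < beta < milestone < rc < snapshot
# < (empty | ga | final | release) < sp; unknown qualifiers sort after all of these, lexically.
_QUALIFIER_RANK = {"alpha": 1, "a": 1, "beta": 2, "b": 2, "milestone": 3, "m": 3,
                   "rc": 4, "cr": 4, "snapshot": 5, "": 6, "ga": 6, "final": 6,
                   "release": 6, "sp": 7}
_RELEASE = (0, 6, "")   # what a missing trailing component is equivalent to


def _tokenize(version):
    """Turn a Maven version string into comparable tokens.

    Numeric components become (1, n, ""), qualifiers (0, rank, text); a numeric token always
    sorts above any qualifier, which is Maven's rule (1.0.1 > 1.0-sp). Trailing zeros and
    release-equivalent qualifiers are dropped per '-'-separated segment, so 2.2.18.RELEASE
    equals 2.2.18 and 1.0-alpha sorts below 1.0. Simplification: '-' and '.' are both plain
    separators here.
    """
    tokens = []
    for segment in version.lower().split("-"):
        seg = []
        for part in segment.split("."):
            if part.isdigit():
                seg.append((1, int(part), ""))
            elif part in _QUALIFIER_RANK:
                seg.append((0, _QUALIFIER_RANK[part], ""))
            else:
                seg.append((0, 8, part))
        while seg and seg[-1] in ((1, 0, ""), _RELEASE):
            seg.pop()
        tokens.extend(seg)
    return tokens


def compare(a, b):
    """Return -1, 0 or 1 ordering version a against version b."""
    ta, tb = _tokenize(a), _tokenize(b)
    n = max(len(ta), len(tb))
    ta += [_RELEASE] * (n - len(ta))
    tb += [_RELEASE] * (n - len(tb))
    return (ta > tb) - (ta < tb)


def is_affected(coordinate, version):
    """CVEs from ADVISORIES whose inclusive range contains this groupId:artifactId version."""
    return [cve for cve, ga, lo, hi in ADVISORIES
            if ga == coordinate and compare(lo, version) <= 0 and compare(version, hi) <= 0]


# groupId:artifactId:packaging[:classifier]:version[:scope] at the end of a tree line.
_GAV = re.compile(r"([A-Za-z0-9_.\-]+(?::[A-Za-z0-9_.\-]+){3,5})\s*$")


def scan_dependency_tree(tree_text):
    """Parse `mvn dependency:tree` output and list (cve, coordinate, version) hits.

    The version is the last field of a 4-field root node and the second-to-last field
    otherwise (a scope follows it; a classifier may precede it).
    """
    findings = []
    for line in tree_text.splitlines():
        m = _GAV.search(line)
        if not m:
            continue
        parts = m.group(1).split(":")
        coordinate = f"{parts[0]}:{parts[1]}"
        version = parts[3] if len(parts) == 4 else parts[-2]
        for cve in is_affected(coordinate, version):
            findings.append((cve, coordinate, version))
    return findings


# Constructed sample output (not from a real build) in the format mvn dependency:tree prints.
SAMPLE_TREE = """\
[INFO] com.example:orders-service:jar:1.4.0
[INFO] +- org.springframework.amqp:spring-amqp:jar:2.2.18.RELEASE:compile
[INFO] |  \\- org.springframework:spring-core:jar:5.3.6:compile
[INFO] +- org.springframework:spring-web:jar:5.3.6:compile
[INFO] +- org.springframework.batch:spring-batch-core:jar:4.2.3.RELEASE:compile
[INFO] \\- org.springframework.data:spring-data-rest-core:jar:3.5.6:compile
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TREE
    for cve, coordinate, version in scan_dependency_tree(text):
        print(f"{cve}: {coordinate}:{version} is inside an affected range")
```

Pipe a real tree in with `mvn dependency:tree | python3 <script>`; with no input it scans the constructed sample, which flags spring-amqp 2.2.18.RELEASE and spring-web 5.3.6 but not spring-batch-core 4.2.3.RELEASE. The ranges on this page are written as `>=lo <=hi`, inclusive at both ends, which is why 2.2.18.RELEASE is a hit and 2.2.19.RELEASE is not.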
OSV
added 2022/05/24 5:05 p.m., 493 views

GHSA-4WRC-F8PQ-FPQP Pivotal Spring Framework contains unsafe Java deserialization methods

Pivotal Spring Framework before 6.0.0 suffers from a potential remote code execution RCE issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. Maintainers recommend...

CVSS 9.8, AI score 9.9, EPSS 0.60417
Exploits: 4, References: 17