6707 matches found
GHSA-4WRC-F8PQ-FPQP Pivotal Spring Framework contains unsafe Java deserialization methods
Pivotal Spring Framework before 6.0.0 suffers from a potential remote code execution RCE issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. Maintainers recommend...
Pivotal Spring Framework contains unsafe Java deserialization methods
Pivotal Spring Framework before 6.0.0 suffers from a potential remote code execution RCE issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. Maintainers recommend...
Preparing for Spring Boot 3.0
Spring Boot 2.0 was the first release in the 2.x line and was published on Feburary 28th 2018. Weve just released Spring Boot 2.7 which means that, so far, weve been maintaining the 2.x line for just over 4 years. In total weve published 95 distinct releases over that timeframe! The entire Spring...
Azure Spring Apps Enterprise is now generally available
Hi, Spring fans! This is a guest post by Julia Liuson, President, Developer Division, Microsoft Azure Spring Cloud is now Azure Spring Apps We launched Azure Spring Cloud with VMware in 2019 to solve common challenges developers, IT operators, and DevOps teams face when running Spring Boot...
This Week in Spring - May 24th, 2022
Hi, Spring fans! Im in Spain for business and not just a little pleasure. Yesterday, my partner, her mother, and I went to Formentera, Spain, a little island off of Ibiza, Spain. It was amazing. Were now in Ibiza, Spain, which is a little island not far from Barcelona, Spain, on the mainland of...
Authorization Bypass
Spring Security is vulnerable to authorization bypass. The vulnerability exists in getRequestMatcherPrivilegeEvaluatorsEntry function in WebSecurity.java due to misconfiguration of privilege evaluation which allows an attacker to gain access to the system and perform unauthorized actions...
Spring Security OAuth (spring-security-oauth2) vulnerable to denial-of-service (DoS)
Overview Spring Security OAuth spring-security-oauth2 provided by VMware, Inc. contains a denial-of-service vulnerability due to uncontrolled resource consumption CWE-400. Note that Spring Security OAuth spring-security-oauth2 is no longer supported, therefore Spring Security has been developed a...
Integer Overflow
org.springframework.security:spring-security-crypto is vulnerable to integer overflows. The encoder does not perform any salt rounds when the BCrypt class is used with the maximum work factor31, allowing a local authenticated attacker to cause an integer overflow error resulting in the attacker...
ai.aitia:arrowhead-application-library-java-spring (>=4.4.0.0 <=4.4.0.1), ai.foremast.metrics:foremast-spring-boot-15x-starter (>=0.1.8 <=0.1.11) +5599 more potentially affected by CVE-2022-22978 via org.springframework.security:spring-security-web (>=3.0.0.RELEASE <=5.4.10)
org.springframework.security:spring-security-web MAVEN version =3.0.0.RELEASE, =4.4.0.0, =0.1.8, =0.1.6, =0.1.2, =0.5.0, =1.0.0, =1.0.0, =1.0.0, =0.0.2, =0.0.3, =1.1.0.RELEASE, =0.3, =0.3, =0.3, =0.3, =0.6 and more Source cves: CVE-2022-22978 Source advisory: OSV:GHSA-HH32-7344-CG2F...
africa.absa:inception-api (>=1.0.0 <=1.2.0), africa.absa:inception-codes-api (>=1.0.0 <=1.2.0) +1533 more potentially affected by CVE-2022-22978 via org.springframework.security:spring-security-core (>=5.5.0 <=5.5.6)
org.springframework.security:spring-security-core MAVEN version =5.5.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.13.0, =1.13.0, =2.2.0 - be.jidoka:jdk-keycloak-admin =1.2.0 and more Source cves: CVE-2022-22978 Source advisory:...
ai.aitia:arrowhead-application-library-java-spring (>=4.4.0.2 <=4.6.0.0), ai.ylyue:yue-library-auth-client (=j11.2.6.0) +1749 more potentially affected by CVE-2022-22978 via org.springframework.security:spring-security-core (>=5.6.0 <=5.6.3)
org.springframework.security:spring-security-core MAVEN version =5.6.0, =4.4.0.2, =1.3.1.RELEASE, =0.2.0, =0.8.3, =2.1.0.M8, =1.0.0, =2.7.0.Beta3, =2.7.0.Beta4, =2.7.0.Beta3, =2.7.0.Beta3, =2.7.0.Beta3, =2.7.0.RC1 and more Source cves: CVE-2022-22978 Source advisory: OSV:GHSA-HH32-7344-CG2F...
africa.absa:inception-oauth2-resource-server (>=1.0.0 <=1.2.0), au.org.consumerdatastandards:client-cli (>=1.13.0 <=2.4.1) +1255 more potentially affected by CVE-2022-22978 via org.springframework.security:spring-security-web (>=5.5.0 <=5.5.6)
org.springframework.security:spring-security-web MAVEN version =5.5.0, =1.0.0, =1.13.0, =1.13.0, =1.0.0, =0.0.8-alpha, =0.0.1-alpha, =1.0.4.R, =1.0.4.R, =1.0.4.R, =1.0.4.R, =1.7.26, =1.3.30, =1.1.1-alpha, =1.1.1-alpha, =0.0.3-alpha, =0.0.4-alpha-5 and more Source cves: CVE-2022-22978 Source...
ai.aitia:arrowhead-application-library-java-spring (>=4.4.0.0 <=4.4.0.1), ai.foremast.metrics:foremast-spring-boot-15x-starter (>=0.1.8 <=0.1.11) +7121 more potentially affected by CVE-2022-22978 via org.springframework.security:spring-security-core (>=2.0.0 <=5.4.10)
org.springframework.security:spring-security-core MAVEN version =2.0.0, =4.4.0.0, =0.1.8, =0.1.6, =0.1.2, =0.5.0, =1.0.0, =1.0.0, =1.0.0, =0.0.2, =0.0.3, =1.1.0.RELEASE, =0.3, =0.3, =0.3, =0.3, =0.6 and more Source cves: CVE-2022-22978 Source advisory: OSV:GHSA-HH32-7344-CG2F...
ai.aitia:arrowhead-application-library-java-spring (>=4.4.0.2 <=4.6.0.0), ai.ylyue:yue-library-auth-client (=j11.2.6.0) +1507 more potentially affected by CVE-2022-22978 via org.springframework.security:spring-security-web (>=5.6.0 <=5.6.3)
org.springframework.security:spring-security-web MAVEN version =5.6.0, =4.4.0.2, =0.2.0, =2.1.0.M8, =1.0.0, =2.7.0.Beta4, =2.7.0.Beta4, =2.7.0.Beta3, =2.7.0.Beta3, =2.7.0.Beta3, =2.7.0.Beta3, =2.7.0.Beta1, =2.7.0.Beta1, =2.7.0.Beta2 and more Source cves: CVE-2022-22978 Source advisory:...
GHSA-HH32-7344-CG2F Authorization bypass in Spring Security
In Spring Security versions 5.5.6 and 5.5.7 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with . in the regular expression are possibly vulnerable to an authorization bypass...
Authorization bypass in Spring Security
In Spring Security versions 5.5.6 and 5.5.7 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with . in the regular expression are possibly vulnerable to an authorization bypass...
ai.aitia:arrowhead-application-library-java-spring (>=4.4.0.2 <=4.6.0.0), ai.ylyue:yue-library-auth-client (=j11.2.6.0) +1749 more potentially affected by CVE-2022-22976 via org.springframework.security:spring-security-core (>=5.6.0 <=5.6.3)
org.springframework.security:spring-security-core MAVEN version =5.6.0, =4.4.0.2, =1.3.1.RELEASE, =0.2.0, =0.8.3, =2.1.0.M8, =1.0.0, =2.7.0.Beta3, =2.7.0.Beta4, =2.7.0.Beta3, =2.7.0.Beta3, =2.7.0.Beta3, =2.7.0.RC1 and more Source cves: CVE-2022-22976 Source advisory: OSV:GHSA-WX54-3278-M5G4...
africa.absa:inception-api (>=1.0.0 <=1.2.0), africa.absa:inception-codes-api (>=1.0.0 <=1.2.0) +4202 more potentially affected by CVE-2022-22976 via org.springframework.security:spring-security-core (>=5.2.0.RELEASE <=5.5.6)
org.springframework.security:spring-security-core MAVEN version =5.2.0.RELEASE, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =j8.2.4.0, =j8.2.4.0, =j11.2.4.0 and more Source cves: CVE-2022-22976 Source advisory: OSV:GHSA-WX54-3278-M5G4...
GHSA-WX54-3278-M5G4 Integer overflow in BCrypt class in Spring Security
Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor 31, the encoder does not perform any salt rounds, due to an integer overflow error. The default...
Integer overflow in BCrypt class in Spring Security
Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor 31, the encoder does not perform any salt rounds, due to an integer overflow error. The default...