Source: Spring Engineering | Added 2022/05/19 10:56 a.m. | 24 views

Spring for GraphQL 1.0 Release

On behalf of the Spring for GraphQL team and every contributor, it is my pleasure to announce the 1.0 GA release. It's been 10 months since the project was announced and under 2 years since the first commit, unremarkably called "first commit". The project began with the modest goal to replace the...

AI score: 7.4 | Exploits: 0

Source: Cvelist | Added 2022/05/19 12:00 a.m. | 26 views

CVE-2022-22978

In Spring Security versions prior to 5.4.11+, 5.5.7+, 5.6.4+ and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with . in the regular expression are possibly vulnerable to an...

AI score: 9.6 | EPSS: 0.90224 | Exploits: 6 | References: 1

Source: Positive Technologies | Added 2022/05/19 12:00 a.m. | 6 views

PT-2022-3458

Name of the Vulnerable Software and Affected Versions: Spring Security versions prior to 5.4.11; Spring Security versions prior to 5.5.7; Spring Security versions prior to 5.6.4; Spring Security older unsupported versions. Description: The issue is related to the RegexRequestMatcher component in Spring...

CVSS: 10 | AI score: 7.2 | EPSS: 0.90224 | Exploits: 6 | References: 25

Source: CVE | Added 2022/05/19 12:00 a.m. | 319 views

CVE-2022-22978

CVE-2022-22978 involves a bypass in Spring Security's RegexRequestMatcher where a dot (.) in the regex can bypass authorization on certain servlet containers. Affected are Spring Security versions prior to 5.4.11+, 5.5.7+, 5.6.4+ and older unsupported releases. Connected reports show remediation...

CVSS: 9.8 | AI score: 9.2 | EPSS: 0.90224 | Exploits: 6 | References: 1 | Affected Software: 1

Source: RedhatCVE | Added 2022/05/18 10:58 p.m. | 76 views

CVE-2022-22978

A flaw was found in Spring Security. When using RegexRequestMatcher, an easy misconfiguration can bypass some servlet containers. Applications using RegexRequestMatcher with . in the regular expression are possibly vulnerable to an authorization bypass...

CVSS: 9.8 | AI score: 3.5 | EPSS: 0.90224 | Exploits: 6 | References: 4

Source: RedhatCVE | Added 2022/05/18 5:34 p.m. | 126 views

CVE-2022-22971

A flaw was found in Spring Framework Applications. Applications that use STOMP over the WebSocket endpoint are vulnerable to a denial of service attack caused by an authenticated user...

CVSS: 6.5 | AI score: 2.9 | EPSS: 0.00247 | Exploits: 0 | References: 4

Source: RedhatCVE | Added 2022/05/18 5:34 p.m. | 120 views

CVE-2022-22970

A flaw was found in Spring Framework. Applications that handle file uploads are vulnerable to a denial of service (DoS) attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object...

CVSS: 5.3 | AI score: 1.9 | EPSS: 0.00164 | Exploits: 1 | References: 4

Source: Spring Engineering | Added 2022/05/17 11:5 p.m. | 32 views

This Week in Spring - May 17th, 2022

Hi, Spring fans! Welcome to another installment of This Week in Spring! I am in beautiful Barcelona, Spain, this week, ahead of the upcoming Spring I/O show. I just spent a wonderful week in amazing England, meeting old friends, speaking at Devoxx UK, etc. A Bootiful Podcast: EasyMock contributor...

AI score: 7.2 | Exploits: 0

Source: IBM Security Bulletins | Added 2022/05/17 4:21 p.m. | 63 views

Security Bulletin: IBM Planning Analytics Workspace is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965)

Summary: IBM Planning Analytics Workspace is affected but not classified as vulnerable to a remote code execution in Spring Framework CVE-2022-22965 as it does not meet all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. Packaged as WAR in contrast to a...

CVSS: 9.8 | AI score: 0.5 | EPSS: 0.94428 | Exploits: 99 | Affected Software: 1

Source: RedhatCVE | Added 2022/05/17 4:10 p.m. | 51 views

CVE-2022-22976

A flaw was found in Spring Framework. The encoder does not perform any salt rounds when using the BCrypt class with the maximum work factor 31 due to an integer overflow error...

CVSS: 5.3 | AI score: 2.8 | EPSS: 0.0036 | Exploits: 0 | References: 4

Source: ThreatPost | Added 2022/05/17 1:53 p.m. | 90 views

Sysrv-K Botnet Targets Windows, Linux

Unpatched vulnerabilities in the Spring Framework and WordPress plugins are being exploited by cybercriminals behind the Sysrv botnet to target Linux and Windows systems. The goal, according to researchers, is to infect systems with cryptomining malware. The botnet variant is being called Sysrv-K...

CVSS: 10 | AI score: 10 | EPSS: 0.94461 | Exploits: 54 | References: 7

Source: vulnersOsv | Added 2022/05/17 5:23 a.m. | 5 views

acegisecurity:acegi-security-resin (=0.9.0), ch.qos.logback:logback-access (>=${parent.version} <=0.3) +3 more potentially affected by CVE-2012-2966 via com.caucho:resin (=3.0.9)

com.caucho:resin MAVEN version =3.0.9 is affected by a known vulnerability. The following packages have a transitive dependency on com.caucho:resin and may be impacted: - acegisecurity:acegi-security-resin =0.9.0 - ch.qos.logback:logback-access =$parent.version, =2.3.0, =1.0.0, =2.0.0, =2.0.4...

CVSS: 7.5 | AI score: 5.8 | EPSS: 0.01519 | Exploits: 0

Source: vulnersOsv | Added 2022/05/17 5:23 a.m. | 2 views

acegisecurity:acegi-security-resin (=0.9.0), ch.qos.logback:logback-access (>=${parent.version} <=0.3) +3 more potentially affected by CVE-2012-2965 via com.caucho:resin (=3.0.9)

com.caucho:resin MAVEN version =3.0.9 is affected by a known vulnerability. The following packages have a transitive dependency on com.caucho:resin and may be impacted: - acegisecurity:acegi-security-resin =0.9.0 - ch.qos.logback:logback-access =$parent.version, =2.3.0, =1.0.0, =2.0.0, =2.0.4...

CVSS: 7.5 | AI score: 5.8 | EPSS: 0.01519 | Exploits: 0

Source: vulnersOsv | Added 2022/05/17 5:23 a.m. | 1 view

acegisecurity:acegi-security-resin (=0.9.0), ch.qos.logback:logback-access (>=${parent.version} <=0.3) +3 more potentially affected by CVE-2012-2967 via com.caucho:resin (=3.0.9)

com.caucho:resin MAVEN version =3.0.9 is affected by a known vulnerability. The following packages have a transitive dependency on com.caucho:resin and may be impacted: - acegisecurity:acegi-security-resin =0.9.0 - ch.qos.logback:logback-access =$parent.version, =2.3.0, =1.0.0, =2.0.0, =2.0.4...

CVSS: 7.5 | AI score: 5.8 | EPSS: 0.01519 | Exploits: 0

Source: Github Security Blog | Added 2022/05/17 5:18 a.m. | 25 views

Improper Control of Generation of Code in Spring Security

CRLF injection vulnerability in the logout functionality in VMware SpringSource Spring Security before 2.0.7 and 3.0.x before 3.0.6 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the spring-security-redirect parameter...

CVSS: 4.3 | AI score: 5 | EPSS: 0.07155 | Exploits: 1 | References: 4 | Affected Software: 1

Source: OSV | Added 2022/05/17 5:18 a.m. | 45 views

GHSA-5XM9-RF63-WJ7H Improper Control of Generation of Code in Spring Security

CRLF injection vulnerability in the logout functionality in VMware SpringSource Spring Security before 2.0.7 and 3.0.x before 3.0.6 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the spring-security-redirect parameter...

CVSS: 4.3 | AI score: 6.7 | EPSS: 0.07155 | Exploits: 1 | References: 4

Source: vulnersOsv | Added 2022/05/17 5:18 a.m. | 0 views

com.evasion:API (>=1.0.0.1 <=1.0.0.3), com.evasion:CLIENT (>=1.0.0.1 <=1.0.0.3) +104 more potentially affected by CVE-2011-2732 via org.springframework.security:spring-security-core (>=2.0.0 <=2.0.6.RELEASE)

org.springframework.security:spring-security-core MAVEN version =2.0.0, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =2.4.7, =2.4.8 and more Source cves: CVE-2011-2732 Source advisory:...

CVSS: 4.3 | AI score: 5.8 | EPSS: 0.07155 | Exploits: 1

Source: vulnersOsv | Added 2022/05/17 5:18 a.m. | 3 views

br.net.woodstock.rockframework:rockframework-domain (>=1.2.1 <=1.2.2), com.force.sdk:force-springsecurity (>=22.0.2-BETA <=22.0.9-BETA) +219 more potentially affected by CVE-2011-2732 via org.springframework.security:spring-security-core (>=3.0.0.RELEASE <=3.0.5.RELEASE)

org.springframework.security:spring-security-core MAVEN version =3.0.0.RELEASE, =1.2.1, =22.0.2-BETA, =1.0.0, =3.0.2, =1.2.0, =1.1, =0.1, =1.2-1, =2011.11.07.RELEASE, =2011.11.07.RELEASE, =2011.11.07.RELEASE, =3.49, =3.55 and more Source cves: CVE-2011-2732 Source advisory: OSV:GHSA-5XM9-RF63-WJ7...

CVSS: 4.3 | AI score: 5.8 | EPSS: 0.07155 | Exploits: 1

Source: vulnersOsv | Added 2022/05/17 5:17 a.m. | 0 views

br.net.woodstock.rockframework:rockframework-domain (>=1.2.1 <=3.0.1), br.net.woodstock.rockframework:rockframework-persistence (>=2.0.0 <=2.0.8) +270 more potentially affected by CVE-2012-5055 via org.springframework.security:spring-security-core (>=3.0.0.RELEASE <=3.0.7.RELEASE)

org.springframework.security:spring-security-core MAVEN version =3.0.0.RELEASE, =1.2.1, =2.0.0, =22.0.2-BETA, =1.0.0, =3.0.2, =3.0.0, =1.2.0, =1.1, =0.1, =1.2-1, =1.0, =1.0.2 - com.revolsys.open:com.revolsys.open.gis.web =2011.11.07.RELEASE and more Source cves: CVE-2012-5055 Source advisory:...

CVSS: 5 | AI score: 7.2 | EPSS: 0.00359 | Exploits: 0

Source: vulnersOsv | Added 2022/05/17 5:17 a.m. | 3 views

com.ctlok:spring-webmvc-rythm (>=1.3.6 <=1.4.2), com.github.dblock.waffle:waffle-spring-security3 (>=1.5 <=1.6) +171 more potentially affected by CVE-2012-5055 via org.springframework.security:spring-security-core (>=3.1.0.RELEASE <=3.1.2.RELEASE)

org.springframework.security:spring-security-core MAVEN version =3.1.0.RELEASE, =1.3.6, =1.5, =1.0.0, =3.0.4, =3.3, =1.1.3, =1.1.4, =1.1.3, =1.0.2, =1.0.3 - com.racquettrack:spring-security-oauth2-client =1.4 - com.sitewhere:sitewhere-core =0.9.7 and more Source cves: CVE-2012-5055 Source advisor...

CVSS: 5 | AI score: 7.2 | EPSS: 0.00359 | Exploits: 0