6707 matches found

Github Security Blog (added 2022/05/17 4:59 a.m., 28 views)

Concurrent Execution using Shared Resource with Improper Synchronization in Spring Security

Race condition in the RunAsManager mechanism in VMware SpringSource Spring Security before 2.0.7 and 3.0.x before 3.0.6 stores the Authentication object in the shared security context, which allows attackers to gain privileges via a crafted thread...

CVSS 5.1 | AI score 6.8 | EPSS 0.00227
Exploits: 0 | References: 4 | Affected software: 1
vulnersOsv (added 2022/05/17 4:59 a.m., 2 views)

br.net.woodstock.rockframework:rockframework-domain (>=1.2.1 <=1.2.2), com.force.sdk:force-springsecurity (>=22.0.2-BETA <=22.0.9-BETA) +219 more potentially affected by CVE-2011-2731 via org.springframework.security:spring-security-core (>=3.0.0.RELEASE <=3.0.5.RELEASE)

org.springframework.security:spring-security-core (Maven) version =3.0.0.RELEASE, =1.2.1, =22.0.2-BETA, =1.0.0, =3.0.2, =1.2.0, =1.1, =0.1, =1.2-1, =2011.11.07.RELEASE, =2011.11.07.RELEASE, =2011.11.07.RELEASE, =3.49, =3.55 and more. Source CVEs: CVE-2011-2731. Source advisory: OSV:GHSA-4644-HG35-55M...

CVSS 5.1 | AI score 5.8 | EPSS 0.00227
Exploits: 0
vulnersOsv (added 2022/05/17 4:59 a.m., 2 views)

com.evasion:API (>=1.0.0.1 <=1.0.0.3), com.evasion:CLIENT (>=1.0.0.1 <=1.0.0.3) +104 more potentially affected by CVE-2011-2731 via org.springframework.security:spring-security-core (>=2.0.0 <=2.0.6.RELEASE)

org.springframework.security:spring-security-core (Maven) version =2.0.0, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =2.4.7, =2.4.8 and more. Source CVEs: CVE-2011-2731. Source advisory:...

CVSS 5.1 | AI score 5.8 | EPSS 0.00227
Exploits: 0
OSV (added 2022/05/17 4:59 a.m., 23 views)

GHSA-4644-HG35-55M9 Concurrent Execution using Shared Resource with Improper Synchronization in Spring Security

Race condition in the RunAsManager mechanism in VMware SpringSource Spring Security before 2.0.7 and 3.0.x before 3.0.6 stores the Authentication object in the shared security context, which allows attackers to gain privileges via a crafted thread...

CVSS 5.1 | AI score 6.4 | EPSS 0.00227
Exploits: 0 | References: 4
vulnersOsv (added 2022/05/17 3:46 a.m., 2 views)

cloud.altemista.fwk.framework:cloud-altemistafwk-documentation (=3.1.0.RELEASE), cloud.altemista.fwk.message:cloud-altemistafwk-core-message-active-conf (>=3.0.0.RELEASE <=3.1.0.RELEASE) +706 more potentially affected by CVE-2012-6092 via org.apache.activemq:activemq-core (>=4.1.1 <=5.7.0)

org.apache.activemq:activemq-core (Maven) version =4.1.1, =3.0.0.RELEASE, =1.0, =1.0.0, =1.0.0, =0.4.2, =0.4.2, =0.4.2, =3.0.0.rc1, =3.0.0.rc1, =3.0.0.rc1, =3.0.0.rc1, =3.2.1 and more. Source CVEs: CVE-2012-6092. Source advisory: OSV:GHSA-RP9P-863F-9C4H...

CVSS 4.3 | AI score 6.9 | EPSS 0.02575
Exploits: 1
vulnersOsv (added 2022/05/17 3:46 a.m., 2 views)

org.apache.axis2:axis2-integration (=1.4), org.apache.camel:camel-example-cxf (>=1.2.0 <=1.3.0) +3 more potentially affected by CVE-2012-6551 via org.apache.activemq:apache-activemq (>=4.1.1 <=5.0.0)

org.apache.activemq:apache-activemq (Maven) version =4.1.1, =1.2.0, =1.1.0, =1.3.0 - org.apache.camel:camel-example-spring =1.2.0 - org.apache.camel:camel-example-spring-xquery =1.3.0. Source CVEs: CVE-2012-6551. Source advisory: OSV:GHSA-34FP-XVXP-RG22...

CVSS 5 | AI score 6.8 | EPSS 0.08363
Exploits: 1
OSV (added 2022/05/17 3:28 a.m., 0 views)

GHSA-VPR3-F594-MG5G Improper Control of Generation of Code ('Code Injection') in Spring Framework

SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file...

CVSS 6 | AI score 7.6 | EPSS 0.01554
Exploits: 11 | References: 17
vulnersOsv (added 2022/05/17 3:28 a.m., 1 view)

br.com.caelum.vraptor:vraptor-environment (=1.0.1), br.com.caelum.vraptor:vraptor-freemarker (>=1.0.1 <=1.1.0) +411 more potentially affected by CVE-2010-1622 via org.springframework:spring (>=2.5.1 <=2.5.6.SEC03)

org.springframework:spring (Maven) version =2.5.1, =1.0.1, =1.0.1, =3.1.1, =1.1, =1.1, =1.2, =1.2.1 and more. Source CVEs: CVE-2010-1622. Source advisory: OSV:GHSA-VPR3-F594-MG5G...

CVSS 6 | AI score 7.3 | EPSS 0.01554
Exploits: 11
The Hacker News (added 2022/05/17 3:17 a.m., 441 views)

Watch Out! Hackers Begin Exploiting Recent Zyxel Firewalls RCE Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency on Monday added two security flaws, including the recently disclosed remote code execution bug affecting Zyxel firewalls, to its Known Exploited Vulnerabilities Catalog, citing evidence of active exploitation...

CVSS 10 | AI score 2.9 | EPSS 0.94461
Exploits: 79
vulnersOsv (added 2022/05/17 2:37 a.m., 0 views)

au.com.mountain-pass:hyperstate-client (>=1 <=10), au.com.mountain-pass:hyperstate-client-webdriver (>=1 <=10) +112 more potentially affected by CVE-2016-6652 via org.springframework.data:spring-data-jpa (>=1.10.0.RELEASE <=1.10.3.RELEASE)

org.springframework.data:spring-data-jpa (Maven) version =1.10.0.RELEASE, =1, =1, =1, =1, =1, =1.0.0, =1.6, =0.85, =0.85, =0.89.6 and more. Source CVEs: CVE-2016-6652. Source advisory: OSV:GHSA-XR4V-28RM-PVGW...

CVSS 6.8 | AI score 6.5 | EPSS 0.00317
Exploits: 1
Github Security Blog (added 2022/05/17 2:37 a.m., 28 views)

Improper Neutralization of Special Elements used in an SQL Command in Pivotal Spring Data JPA

SQL injection vulnerability in Pivotal Spring Data JPA before 1.9.6 (Gosling SR6) and 1.10.x before 1.10.4 (Hopper SR4), when used with a repository that defines a String query using the @Query annotation, allows attackers to execute arbitrary JPQL commands via a sort instance with a function call...

CVSS 6.8 | AI score 5.8 | EPSS 0.00317
Exploits: 1 | References: 7 | Affected software: 1
OSV (added 2022/05/17 2:37 a.m., 37 views)

GHSA-XR4V-28RM-PVGW Improper Neutralization of Special Elements used in an SQL Command in Pivotal Spring Data JPA

SQL injection vulnerability in Pivotal Spring Data JPA before 1.9.6 (Gosling SR6) and 1.10.x before 1.10.4 (Hopper SR4), when used with a repository that defines a String query using the @Query annotation, allows attackers to execute arbitrary JPQL commands via a sort instance with a function call...

CVSS 5.6 | AI score 6.4 | EPSS 0.00317
Exploits: 1 | References: 6
vulnersOsv (added 2022/05/17 2:37 a.m., 1 view)

am.ik.home:uaa-server (>=1.0.0 <=1.9.0), at.researchstudio.sat:won-core (>=0.2 <=0.9) +1138 more potentially affected by CVE-2016-6652 via org.springframework.data:spring-data-jpa (>=1.0.1.RELEASE <=1.9.5.RELEASE)

org.springframework.data:spring-data-jpa (Maven) version =1.0.1.RELEASE, =1.0.0, =0.2, =0.3, =0.2, =0.2, =0.3, =0.3, =0.3, =0.3, =0.3, =0.2, =0.3, =0.3, =0.6 - at.researchstudio.sat:won-owner =0.3 - at.researchstudio.sat:won-owner-webapp =0.3 and more. Source CVEs: CVE-2016-6652. Source advisory:...

CVSS 6.8 | AI score 6.5 | EPSS 0.00317
Exploits: 1
OSV (added 2022/05/17 2:16 a.m., 40 views)

GHSA-WV88-PF73-X22P Improper Neutralization of Directives in Dynamically Evaluated Code in Spring Framework

VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors ta...

CVSS 7.5 | AI score 5.5 | EPSS 0.46306
Exploits: 1 | References: 17
vulnersOsv (added 2022/05/17 2:16 a.m., 5 views)

at.molindo:molindo-notify (>=1.0.0-alpha-1 <=1.0.0-alpha-2), be.eliwan:ew-profiling-api (>=1.0 <=1.4) +1704 more potentially affected by CVE-2011-2730 via org.springframework:spring-core (>=3.0.0.RELEASE <=3.0.5.RELEASE)

org.springframework:spring-core (Maven) version =3.0.0.RELEASE, =1.0.0-alpha-1, =1.0, =1.0, =0.7, =2.0, =1.1.1, =1.0.2, =1.1.2, =1.2, =1.0.0, =1.0.0, =1.1.0, =3.3.0, =3.4.1 and more. Source CVEs: CVE-2011-2730. Source advisory: OSV:GHSA-WV88-PF73-X22P...

CVSS 7.5 | AI score 6.5 | EPSS 0.46306
Exploits: 1
Github Security Blog (added 2022/05/17 2:16 a.m., 38 views)

Improper Neutralization of Directives in Dynamically Evaluated Code in Spring Framework

VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors ta...

CVSS 7.5 | AI score 1.6 | EPSS 0.46306
Exploits: 1 | References: 17 | Affected software: 1
vulnersOsv (added 2022/05/17 2:16 a.m., 2 views)

ColumnPack:ColumnPack-plugin (=1.0.3), CustomHistory:CustomHistory (>=1.1 <=1.3) +3276 more potentially affected by CVE-2011-2730 via org.springframework:spring-core (>=1.2 <=2.5.6.SEC02)

org.springframework:spring-core (Maven) version =1.2, =1.1, =1.3, =0.3, =1.2.1, =1.2.1, =1.0, =0.0.1-alpha1, =0.0.1-alpha5 - ch.ethz.origo:origo-issue-notifier =1.0 - ch.nerdin:testdata-framework =0.10 - ch.semafor:gendas =1.0.1 - cn.fastoo:fastoo-java-api =20171130 - com.54chen:paoding-rose =1.0 -...

CVSS 7.5 | AI score 6.5 | EPSS 0.46306
Exploits: 1
OSV (added 2022/05/17 1:57 a.m., 1 view)

GHSA-49MJ-77Q5-QW5G Spring Batch Admin vulnerable to Stored Cross-site scripting (XSS) in the file upload functionality

Stored Cross-site scripting (XSS) vulnerability in Spring Batch Admin before 1.3.0 allows remote authenticated users to inject arbitrary JavaScript or HTML via the file upload functionality...

CVSS 5.4 | AI score 5.9 | EPSS 0.00158
Exploits: 0 | References: 3
Github Security Blog (added 2022/05/17 1:57 a.m., 2 views)

Spring Batch Admin vulnerable to Stored Cross-site scripting (XSS) in the file upload functionality

Stored Cross-site scripting (XSS) vulnerability in Spring Batch Admin before 1.3.0 allows remote authenticated users to inject arbitrary JavaScript or HTML via the file upload functionality...

CVSS 5.4 | AI score 5.9 | EPSS 0.00158
Exploits: 0 | References: 3 | Affected software: 1
Github Security Blog (added 2022/05/17 1:57 a.m., 3 views)

Spring Batch Admin vulnerable to Cross-site request forgery (CSRF) in the file upload functionality

Cross-site request forgery (CSRF) vulnerability in Spring Batch Admin before 1.3.0 allows remote attackers to hijack the authentication of unspecified victims and submit arbitrary requests, such as exploiting the file upload vulnerability...

CVSS 8.8 | AI score 7.5 | EPSS 0.00162
Exploits: 0 | References: 3 | Affected software: 1