6707 matches found
GHSA-274R-P6V6-FHH4 Spring Batch Admin vulnerable to Cross-site request forgery (CSRF) in the file upload functionality
Cross-site request forgery (CSRF) vulnerability in Spring Batch Admin before 1.3.0 allows remote attackers to hijack the authentication of unspecified victims and submit arbitrary requests, such as exploiting the file upload vulnerability...
cc.voox:publisher (=0.1.2.GA), com.ahome-it:ahome-tooling-server-core (=1.1.0-RELEASE) +215 more potentially affected by CVE-2017-8045 via org.springframework.amqp:spring-amqp (>=1.0.0.RELEASE <=1.5.6.RELEASE)
org.springframework.amqp:spring-amqp MAVEN version =1.0.0.RELEASE, =1.0, =1.0, =0.9.0, =0.20.0, =1.31.1, =1.27.1, =1.31.0, =1.31.1, =1.31.1, =1.34.1 and more Source cves: CVE-2017-8045 Source advisory: OSV:GHSA-VQQG-XGV7-CF68...
br.jus.stf.digital:core (>=0.2.0 <=2.3.1), cn.springcloud.gray:spring-cloud-gray-plugin-event-stream (>=A.1.1.0 <=A.2.0.0.RC1) +112 more potentially affected by CVE-2017-8045 via org.springframework.amqp:spring-amqp (>=1.7.0.RELEASE <=1.7.3.RELEASE)
org.springframework.amqp:spring-amqp MAVEN version =1.7.0.RELEASE, =0.2.0, =A.1.1.0, =A.1.1.0, =1.1.0, =1.1.0, =v1.0.0, =0.8, =0.8, =0.9 - com.societegenerale:rabbitmq-advanced-core =1.0.1.RELEASE - com.societegenerale:rabbitmq-advanced-parent =1.0.1.RELEASE -...
GHSA-VQQG-XGV7-CF68 Deserialization of Untrusted Data in Spring AMQP
In Pivotal Spring AMQP versions prior to 1.7.4, 1.6.11, and 1.5.7, an org.springframework.amqp.core.Message may be unsafely deserialized when being converted into a string. A malicious payload could be crafted to exploit this and enable a remote code execution attack...
com.ahome-it:ahome-tooling-server-core (>=1.1.1-RELEASE <=1.1.3-RELEASE), com.ahome-it:ahome-tooling-server-hazelcast (>=1.1.1-RELEASE <=1.1.3-RELEASE) +8 more potentially affected by CVE-2017-8045 via org.springframework.amqp:spring-amqp (>=1.6.0.RELEASE <=1.6.10.RELEASE)
org.springframework.amqp:spring-amqp MAVEN version =1.6.0.RELEASE, =1.1.1-RELEASE, =1.1.1-RELEASE, =1.1.1-RELEASE, =1.1.1-RELEASE, =1.1.1-RELEASE, =5.2.0-RC1, =1.6.0.RELEASE, =1.6.0.RELEASE, =4.3.0.RELEASE, =4.3.11.RELEASE Source cves: CVE-2017-8045 Source advisory: OSV:GHSA-VQQG-XGV7-CF68...
Spring Framework input validation error vulnerability
Spring Framework is an open source Java / Java EE application framework from the Spring team in the United States. The framework helps developers build high-quality applications. An input validation error vulnerability exists in Spring Framework that stems from an integer overflow error...
VMware Spring Security authorization issue vulnerability
VMware Spring Security is a security framework from VMware that provides declarative security protection for Spring-based applications. An authorization issue vulnerability exists in VMware Spring Security that stems from the use of RegexRequestMatcher and the wildcard '.' character of a regular...
openSUSE: Security Advisory for tomcat (SUSE-SU-2022:1304-1)
The remote host is missing the tomcat update announced in SUSE-SU-2022:1304-1...
Exploit for Code Injection in Vmware Spring_Cloud_Gateway
CVE-2022-22947 Spring Cloud Gateway Actuator API SpEL expres...
CVE-2022-22976: BCrypt skips salt rounds for work factor of 31
Spring Security 5.7.0, 5.6.4, 5.5.7 were released to fix CVE-2022-22976: BCrypt skips salt rounds for work factor of 31. Please update as soon as possible...
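Why a work factor of exactly 31 ends up doing no stretching at all, as an added illustration rather than code from Spring Security or the blog post: if the round count is computed as a 32-bit `int`, `1 << 31` wraps to `Integer.MIN_VALUE`, which is negative, so a `while (rounds-- > 0)` loop exits before its first iteration. The two methods below are stand-ins (they only count iterations, they do not run Blowfish), their names are mine, and the "fixed" variant models the remedy of carrying the count in a 64-bit `long`, which is how the released fix removes the overflow.

```java
public class BcryptWorkFactorDemo {

    // Pre-fix shape (illustration, not Spring Security's code): the round count is a
    // 32-bit int. For logRounds == 31, 1 << 31 wraps to Integer.MIN_VALUE, which is
    // negative, so the stretching loop is skipped and the hash costs almost nothing.
    static long legacyRoundsExecuted(int logRounds) {
        int rounds = 1 << logRounds;
        long executed = 0;
        while (rounds-- > 0) {
            executed++; // real BCrypt runs one Blowfish key-expansion step per round
        }
        return executed;
    }

    // Modeled fix: validate the supported range and keep the count in a 64-bit long,
    // so 1L << 31 stays positive and every round is actually performed.
    static long fixedRoundsExecuted(int logRounds) {
        if (logRounds < 4 || logRounds > 31) {
            throw new IllegalArgumentException("Bad number of rounds");
        }
        long rounds = 1L << logRounds;
        long executed = 0;
        while (rounds-- > 0) {
            executed++;
        }
        return executed;
    }

    public static void main(String[] args) {
        for (int logRounds : new int[] {4, 10, 31}) {
            System.out.printf("log_rounds=%d legacy=%d fixed=%d%n",
                    logRounds, legacyRoundsExecuted(logRounds), fixedRoundsExecuted(logRounds));
        }
    }
}
```

For 4 and 10 rounds both methods agree (16 and 1024 iterations). For 31 the legacy method returns 0 immediately while the fixed method performs all 2147483648 iterations, which takes a moment even with an empty loop body; that difference in cost is exactly what an attacker gains against hashes produced with a work factor of 31 on an unpatched version.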
CVE-2022-22978: Authorization Bypass in RegexRequestMatcher
UPDATE 05-17: Due to a mix-up, CVE-2022-22975 should have been CVE-2022-22978. The blog has been updated to reflect this correction. CVE-2022-22978: Authorization Bypass in RegexRequestMatcher. Spring Security 5.7.0, 5.6.4, 5.5.7 were released to fix CVE-2022-22978: Authorization Bypass in...
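The mechanism behind the RegexRequestMatcher bypass described in the two CVE-2022-22978 entries above, as an added example that is not code from Spring Security or from the advisory: in `java.util.regex`, `.` does not match a line terminator unless the pattern is compiled with `Pattern.DOTALL`, so an authorization rule such as `/admin/.*` fails to match a request path that carries a carriage return or line feed, and the request falls through to whatever less restrictive rule comes next. The rule, the sample paths and the method names are mine; the "fixed" variant models the released fix, which compiles the pattern with `Pattern.DOTALL`.

```java
import java.util.regex.Pattern;

public class RegexRequestMatcherDemo {

    // Pre-fix shape (illustration, not Spring Security's code): the rule pattern is
    // compiled with default flags, where '.' does not match \r or \n.
    static boolean legacyMatches(String rulePattern, String requestPath) {
        return Pattern.compile(rulePattern).matcher(requestPath).matches();
    }

    // Fixed shape: Spring Security 5.5.7 / 5.6.4 / 5.7.0 compile the pattern with
    // Pattern.DOTALL so '.' also consumes line terminators.
    static boolean fixedMatches(String rulePattern, String requestPath) {
        return Pattern.compile(rulePattern, Pattern.DOTALL).matcher(requestPath).matches();
    }

    public static void main(String[] args) {
        String adminRule = "/admin/.*";        // hypothetical protected area
        String normal = "/admin/users";        // constructed sample path
        String smuggled = "/admin/\nusers";    // constructed sample path containing a line feed

        System.out.println("legacy, normal   : " + legacyMatches(adminRule, normal));
        System.out.println("legacy, smuggled : " + legacyMatches(adminRule, smuggled));
        System.out.println("fixed,  smuggled : " + fixedMatches(adminRule, smuggled));
    }
}
```

The legacy matcher returns true for the normal path but false for the path containing the line feed, so the protective rule is skipped for that request; the DOTALL variant returns true for both. Patching is the real fix; as a defence in depth, rules written with `[\s\S]*` or anchored on a path prefix matcher rather than `.` are not affected by this quirk.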
VMware Spring Cloud Gateway Code Injection Vulnerability
Spring Cloud Gateway applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured...
GHSA-F866-M9MV-2XR3 Spring Framework and Spring Security vulnerable to Deserialization of Untrusted Data
Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by (1) serializing a...
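Both the Spring AMQP entry (CVE-2017-8045, a `Message` body deserialized during `toString()`) and the Spring Framework / Spring Security entry above (CVE-2011-2894) are instances of the same defect: bytes from an untrusted source are handed to `ObjectInputStream`, which resolves and instantiates whatever classes the stream names. The added example below is not code from either project; it contrasts the unfiltered pattern with a filtered stream that consults an allow-list in `resolveClass()` before any class is loaded, which is the idea behind the pattern list the fixed Spring AMQP releases apply. The allow-list contents, the `Unexpected` stand-in class and all method names are mine.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Set;

public class FilteredDeserializationDemo {

    // Hypothetical allow-list: the only classes a message body may resolve to.
    // Integer is serialized with its superclass descriptor, so Number is listed too.
    static final Set<String> ALLOWED = Set.of("java.lang.Integer", "java.lang.Number");

    // Stand-in for a type an attacker would place in a serialized body; not a real gadget.
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        String payload = "attacker-controlled";
    }

    // ObjectInputStream that checks the allow-list before a class is resolved, i.e.
    // before that class's readObject()/readResolve() logic has any chance to run.
    static final class AllowListObjectInputStream extends ObjectInputStream {
        AllowListObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "not on the deserialization allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Serializable value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(value);
        }
        return bos.toByteArray();
    }

    // Vulnerable pattern: the body goes straight into the stock ObjectInputStream.
    static Object unsafeToObject(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return ois.readObject();
        }
    }

    // Hardened pattern: same body, but classes outside the allow-list are rejected.
    static Object safeToObject(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new AllowListObjectInputStream(new ByteArrayInputStream(body))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] benign = serialize(Integer.valueOf(42));   // constructed sample body
        byte[] hostile = serialize(new Unexpected());      // constructed sample body

        System.out.println("unfiltered, benign : " + unsafeToObject(benign));
        System.out.println("unfiltered, hostile: instantiated " + unsafeToObject(hostile).getClass().getName());
        System.out.println("filtered,   benign : " + safeToObject(benign));
        try {
            safeToObject(hostile);
        } catch (InvalidClassException e) {
            System.out.println("filtered,   hostile: rejected (" + e.getMessage() + ")");
        }
    }
}
```

The unfiltered path instantiates `Unexpected` without complaint, which is the behaviour the two advisories describe; the filtered path returns the benign `Integer` and throws `InvalidClassException` for the hostile body before the class is loaded. On Java 9 and later the same effect can be had with `ObjectInputFilter`, but in every case the safest course for a message broker or HTTP endpoint is to avoid Java serialization for untrusted input altogether.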
com.evasion:API (>=1.0.0.1 <=1.0.0.3), com.evasion:CLIENT (>=1.0.0.1 <=1.0.0.3) +104 more potentially affected by CVE-2011-2894 via org.springframework.security:spring-security-core (>=2.0.0 <=2.0.6.RELEASE)
org.springframework.security:spring-security-core MAVEN version =2.0.0, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =2.4.7, =2.4.8 and more Source cves: CVE-2011-2894 Source advisory:...
at.molindo:molindo-notify (>=1.0.0-alpha-1 <=1.0.0-alpha-2), be.eliwan:ew-profiling-api (>=1.0 <=1.4) +1704 more potentially affected by CVE-2011-2894 via org.springframework:spring-core (>=3.0.0.RELEASE <=3.0.5.RELEASE)
org.springframework:spring-core MAVEN version =3.0.0.RELEASE, =1.0.0-alpha-1, =1.0, =1.0, =0.7, =2.0, =1.1.1, =1.0.2, =1.1.2, =1.2, =1.0.0, =1.0.0, =1.1.0, =3.3.0, =3.4.1 and more Source cves: CVE-2011-2894 Source advisory: OSV:GHSA-F866-M9MV-2XR3...
br.net.woodstock.rockframework:rockframework-domain (>=1.2.1 <=1.2.2), com.force.sdk:force-springsecurity (>=22.0.2-BETA <=22.0.9-BETA) +219 more potentially affected by CVE-2011-2894 via org.springframework.security:spring-security-core (>=3.0.0.RELEASE <=3.0.5.RELEASE)
org.springframework.security:spring-security-core MAVEN version =3.0.0.RELEASE, =1.2.1, =22.0.2-BETA, =1.0.0, =3.0.2, =1.2.0, =1.1, =0.1, =1.2-1, =2011.11.07.RELEASE, =2011.11.07.RELEASE, =2011.11.07.RELEASE, =3.49, =3.55 and more Source cves: CVE-2011-2894 Source advisory: OSV:GHSA-F866-M9MV-2XR...
be.fluid-it.guice.extensions:guice-multi-shiro-realms (=0.1-1), be.fluid-it.shiro.jee:shiro-jee-authc (>=0.1-1 <=0.1-3) +1469 more potentially affected by CVE-2016-4437 via org.apache.shiro:shiro-core (>=1.0.0-incubating <=1.2.4)
org.apache.shiro:shiro-core MAVEN version =1.0.0-incubating, =0.1-1, =4.0.0-RC2, =1.0.0, =2.0.0, =0.0.2, =0.1, =0.1, =0.1, =2.1.0-RELEASE, =1.0, =1.0.3 - cn.org.awcp:awcp-formdesigner-application =1.0-RELEASE - cn.org.awcp:awcp-formdesigner-applicationImpl =1.0-RELEASE -...
com.evasion:API (>=1.0.0.1 <=1.0.0.3), com.evasion:CLIENT (>=1.0.0.1 <=1.0.0.3) +103 more potentially affected by CVE-2010-3700 via org.springframework.security:spring-security-core (>=2.0.0 <=2.0.5.RELEASE)
org.springframework.security:spring-security-core MAVEN version =2.0.0, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =2.4.7, =2.4.8 and more Source cves: CVE-2010-3700 Source advisory:...