6595 matches found
Spring Framework Code Injection Vulnerability
Spring Framework is an open source Java and Java EE application framework from the U.S.-based Spring team. The framework helps developers build high-quality applications. A code injection vulnerability exists in Spring Framework that stems from the RCE for data binding on JDK 9+. The following products...
springframework: malicious input leads to insertion of additional log entries
In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries...
This Week in Spring - March 29th, 2022
Aloha, Spring fans, from beautiful Maui, Hawaii, where I am with my family on a bit of vacation. It's our daughter's Spring break and so we're enjoying the family time while we can get it! I wanted to take a brief interlude in between the never-enough time on the beach and all the rum to get this...
Spring Framework Code Injection Vulnerability
Spring Framework is an open source Java and Java EE application framework from the U.S.-based Spring team. The framework helps developers build high-quality applications. A code injection vulnerability exists in Spring Framework. No information about the vulnerability is available at this time, please...
PT-2022-2029
Name of the Vulnerable Software and Affected Versions: Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions. Description: The issue is related to a remote code execution vulnerability in Spring Cloud Function when using routing functionality. It is possible for a user to provid...
CVE-2022-22950
A flaw was found in the Spring Framework. This flaw allows an attacker to craft a special Spring Expression, causing a denial of service...
An update on Java 17+ adoption
As a follow-up to my blog post from last year's SpringOne, it is time for an update on our Java 17+ baseline efforts! We established the new baseline on our main branches, with a few milestones out already. The feedback has been very positive, not only in terms of framework improvements but also i...
CVE report published for Spring Framework
We have released Spring Framework 5.3.17 and Spring Framework 5.2.20 to address the following CVE report: CVE-2022-22950: Spring Expression DoS Vulnerability. Please review the information in the CVE report and upgrade immediately. Spring Boot users should upgrade to 2.5.11 or 2.6.5...
The vulnerability of the Gateway Actuator component in the Spring Cloud Gateway API gateway library allows an attacker to execute arbitrary code.
The vulnerability of the Gateway Actuator component in the Spring Cloud Gateway API gateway library is related to incorrect code generation management. Exploiting this vulnerability allows a malicious actor to execute arbitrary code by sending a specially crafted request...
Vmware Spring Framework Security Vulnerability
Vmware Spring Framework is an open source Java and Java EE application framework from Vmware USA. The framework helps developers build high-quality applications. Vmware Spring Framework has a denial-of-service vulnerability that can be exploited by attackers to cause a denial of service via a...
Exploit for Code Injection in Vmware Spring_Cloud_Gateway
CVE-2022-22947 poc for CVE-2022-22947...
VMware Tanzu Spring Cloud Config Directory Traversal Vulnerability
Spring, by VMware Tanzu, Cloud Config contains a path traversal vulnerability that allows applications to serve arbitrary configuration files...
SPEL Expression Injection Vulnerability in Spring Cloud Function
Spring Cloud Function is a functional computing framework based on Spring Boot. Spring Cloud Function is vulnerable to SPEL expression injection, which can be exploited by attackers to perform injection attacks remotely via SPEL expression injection...
VMware Tanzu Spring Data Commons Property Binder Vulnerability
Spring Data Commons contains a property binder vulnerability which can allow an attacker to perform remote code execution...
Exploit for Expression Language Injection in Vmware Spring_Cloud_Gateway
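Vulnerability overview: Spring Cloud Gateway is a new Spring Cloud project, a gateway built on Spring 5.0, Spring Boot 2.0, Project Reactor and related technologies. It aims to provide a simple, effective and unified way of managing API routing for microservice architectures. A critical RCE CVE in Spring Cloud Gateway was disclosed a while ago. According to the CVE information, when an application enables and exposes the Spring Cloud Gateway Gateway Actuator endpoint, it is exposed to remote code injection: an attacker can send a malicious request and thereby execute arbitrary code remotely. The currently affected versions are as follows: 3.1.0 3.0...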
Spring Boot Actuator Logview < 0.2.13 Directory Traversal
Spring Boot Actuator Logview is a library that adds a simple logfile viewer as Spring Boot Actuator endpoint. In Spring Boot Actuator Logview before version 0.2.13 there is a directory traversal vulnerability. The nature of this library is to expose a log file directory via admin Spring Boot...
Spring Boot Actuator Detected
This is an informational notice that the scanner was able to detect an accessible Spring Actuator. Actuator endpoints let you monitor and interact with your application. Spring Boot includes a number of built-in endpoints and lets you add your own. For example, the 'health' endpoint provides basi...
Spring Boot Actuator Sensitive Endpoints Detected
Spring Boot Actuator endpoints let you monitor and interact with your application. Spring Boot includes a number of built-in endpoints and lets you add your own. For example, the 'health' endpoint provides basic application health information. But some of these endpoints are considered sensitive...
Spring Boot Actuator HikariCP Remote Code Execution
The Spring Boot framework is one of the most popular Java-based microservice frameworks that helps developers quickly and easily deploy Java applications. When the endpoint actuator is accessible with the env and restart methods, it is possible for an unauthenticated remote attacker to obtain a...