com.alibaba.otter:canal.deployer (>=1.1.7 <=1.1.8), com.alibaba.otter:canal.instance.core (>=1.1.7 <=1.1.8) +90 more potentially affected by CVE-2021-37137 via org.jboss.netty:netty (>=3.1.0.BETA1 <=3.2.10.Final)

org.jboss.netty:netty MAVEN version =3.1.0.BETA1, =1.1.7, =1.1.7, =1.1.7, =1.1.7, =1.1.7, =1.1.7, =1.1.7, =1.1.7, =1.1.7, =5.0.2, =5.0.2, =5.0.2, =5.0.2, =5.0.2, =5.6.4 and more Source cves: CVE-2021-37137 Source advisory: OSV:GHSA-9VJP-V76F-G363...

Important: Red Hat Security Advisory: Red Hat support for Spring Boot 2.3.10 security update

An update is now available for Red Hat support for Spring Boot. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability. For more...

cn.fossc.polaris.framework:basic-framework-spring-boot-starter (>=3.0.9 <=3.0.33), cn.fossc.polaris.framework:polaris-framework-boot (>=3.0.1 <=3.0.33) +38 more potentially affected by CVE-2021-36162 via org.apache.dubbo:dubbo (>=3.0.0 <=3.0.15)

org.apache.dubbo:dubbo MAVEN version =3.0.0, =3.0.9, =3.0.1, =3.0.1, =3.0.1, =1.2.1, =1.2.2 - com.chinagoods.framework.thinkcloud:think-cloud-starter-business =3.1.7.RELEASE - com.chinagoods.framework.thinkcloud:think-cloud-starter-controller =3.1.7.RELEASE -...

Security Bulletin: A Privilege Escalation vulnerability in Pivotal Spring Framework affects IBM LKS Administration & Reporting Tool and its Agent

Summary A Privilege Escalation related vulnerability has been found in Pivotal Spring Framework used by IBM LKS Administration & Reporting Tool ART and its Agent. A fix has been published. Vulnerability Details CVEID: CVE-2021-22118 DESCRIPTION: VMware Tanzu Spring Framework could allow a local...

CVE-2020-19704

A stored cross-site scripting XSS vulnerability via ResourceController.java in spring-boot-admin as of 20190710 allows attackers to execute arbitrary web scripts or HTML...

CVE-2020-19704

A stored cross-site scripting XSS vulnerability via ResourceController.java in spring-boot-admin as of 20190710 allows attackers to execute arbitrary web scripts or HTML...

CVE-2020-19704

The CVE-2020-19704 entry describes a stored cross-site scripting (XSS) vulnerability in spring-boot-admin, via ResourceController.java, with exploitation possible to run arbitrary web scripts/HTML. Documents confirm affected software is spring-boot-admin and the vulnerable component/file is Resou...

spring-boot-admin 跨站脚本漏洞

spring-boot-admin is an open source backend management system based on Spring boot Mybatis , with user management , menu management and role management 3 functions , permission control to the button level . spring-boot-admin There is a security vulnerability that can be exploited by attackers to...

Code injection issue for java-spring-cloud-stream-template

The following was initially reported by @jonaslagoni: Given the following command: ag ./dummy.json @asyncapi/java-spring-cloud-stream-template --force-write --output ./output With the following AsyncAPI document: json "asyncapi": "2.0.0", "info": "title": "Streetlight", "version": "1.0.0" ,...

GHSA-XJ6R-2JPM-QVXP Code injection issue for java-spring-cloud-stream-template

The following was initially reported by @jonaslagoni: Given the following command: ag ./dummy.json @asyncapi/java-spring-cloud-stream-template --force-write --output ./output With the following AsyncAPI document: json "asyncapi": "2.0.0", "info": "title": "Streetlight", "version": "1.0.0" ,...

Improper Control of Generation of Code ('Code Injection')

@asyncapi/java-spring-cloud-stream-template generates a Spring Cloud Stream SCSt microservice. arbitrary code injection was possible when an attacker controls the AsyncAPI document. An example is provided in GHSA-xj6r-2jpm-qvxp. There are no mitigations available and all users are advised to upda...

spring-web: (re)creating the temporary storage directory could result in a privilege escalation within WebFlux application

In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by recreating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFl...

cc.ecore:spring-jfinal (=0.0.1), cc.ecore:spring-jfinal-plugin (>=0.1.0 <=0.1.2) +140 more potentially affected by CVE-2021-33348 via com.jfinal:jfinal (>=1.4 <=4.9.10)

com.jfinal:jfinal MAVEN version =1.4, =0.1.0, =0.1.1, =1.0, =0.0.8, =0.0.8, =0.0.8, =0.1, =1.2.2 - cn.dreampie:jfinal-flyway =0.1 - cn.dreampie:jfinal-lesscss =0.1 and more Source cves: CVE-2021-33348 Source advisory: OSV:GHSA-2C25-XFPQ-8W9R...

spring-cloud-config-server: sending a request using a specially crafted URL can lead to a directory traversal attack

A flaw was found in spring-cloud-config in versions prior to 2.1.9 and 2.2.3. Applications are allowed to serve arbitrary configuration files through the spring-cloud-config-server module allowing an attacker to send a request using a specially crafted URL to create a directory traversal attack...

shiro: specially crafted HTTP request may cause an authentication bypass

A flaw was found in Apache shiro. When using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass. This highest threat from this vulnerability is to data confidentiality and integrity as well as system availability...

Moderate: Red Hat Security Advisory: Red Hat Fuse 7.9.0 release and security update

A minor version update from 7.8 to 7.9 is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring...

springframework: RFD protection bypass via jsessionid

In Spring Framework, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter...

CVE-2021-37694

@asyncapi/java-spring-cloud-stream-template generates a Spring Cloud Stream SCSt microservice. In versions prior to 0.7.0 arbitrary code injection was possible when an attacker controls the AsyncAPI document. An example is provided in GHSA-xj6r-2jpm-qvxp. There are no mitigations available and al...

CVE-2021-37694

@asyncapi/java-spring-cloud-stream-template generates a Spring Cloud Stream SCSt microservice. In versions prior to 0.7.0 arbitrary code injection was possible when an attacker controls the AsyncAPI document. An example is provided in GHSA-xj6r-2jpm-qvxp. There are no mitigations available and al...

Code injection

@asyncapi/java-spring-cloud-stream-template generates a Spring Cloud Stream SCSt microservice. In versions prior to 0.7.0 arbitrary code injection was possible when an attacker controls the AsyncAPI document. An example is provided in GHSA-xj6r-2jpm-qvxp. There are no mitigations available and al...