CVE-2021-37694 Code injection issue for java-spring-cloud-stream-template
@asyncapi/java-spring-cloud-stream-template generates a Spring Cloud Stream SCSt microservice. In versions prior to 0.7.0 arbitrary code injection was possible when an attacker controls the AsyncAPI document. An example is provided in GHSA-xj6r-2jpm-qvxp. There are no mitigations available and al...
CVE-2021-37694
Summary (CVE-2021-37694): The issue affects the @asyncapi/java-spring-cloud-stream-template that generates a Spring Cloud Stream microservice. In versions before 0.7.0, an attacker who controls the AsyncAPI document could trigger arbitrary code injection during generation. The root cause is tied ...
Java Spring Cloud Stream template code injection vulnerability
The Java Spring Cloud Stream template is a template for the AsyncAPI generator. A code injection vulnerability exists in Java Spring Cloud Stream template prior to version 0.7.0 for generating SpringCloudStream SCSt microservices, which can be exploited by an attacker to take control of an AsyncA...
Microsoft Dynamics cross-site scripting vulnerability
Microsoft Dynamics is a suite of ERP business solutions for multinational organizations from Microsoft USA. The product includes financial management, production management and business intelligence management. A cross-site scripting vulnerability exists in Microsoft Dynamics. The...
GitHub Security Lab: [Java] CWE-601: Add Spring URL Redirect ResponseEntity sink
This bug was reported directly to GitHub Security Lab...
SpringBootVulExploit
This repository is an offensive tool for exploiting Spring Boot vulnerabilities. It contains a collection of exploits and techniques for various Spring Boot versions, including: 1. Spring Boot 1.0 - 1.4: Exposes actuators by default without any parameters, making it vulnerable to RCE Remote Code...
in alovoa/alovoa
Description: Affected versions of this package are vulnerable to XML External Entity (XXE) Injection via the SAML2AssertionValidator method. Access to external entities was not disabled in XML parsing. Proof of Concept: org.springframework.security spring-security-oauth2-client...
TeaCMS suffers from SQL injection vulnerability (CNVD-2021-51349)
TeaCMS is a blog system developed by Spring-SpringMVC-MyBatis-MySQL database . TeaCMS suffers from a SQL injection vulnerability, which can be exploited by attackers to obtain sensitive database information...
br.com.damsete.arq:damsete-arq (>=0.0.9 <=0.0.12), br.com.damsete.arq:damsete-arq-audit (>=0.0.9 <=0.0.12) +481 more potentially affected by CVE-2021-22119 via org.springframework.security:spring-security-core (>=5.2.0.RELEASE <=5.2.10.RELEASE)
org.springframework.security:spring-security-core MAVEN version =5.2.0.RELEASE, =0.0.9, =0.0.9, =0.0.9, =0.0.9, =0.0.9, =0.0.9, =0.0.9, =0.0.9, =2.0.2, =2.0.2, =2.0.2, =2.0.2, =2.0.2, =2.0.3 - com.c4-soft.springaddons:spring-security-oauth2-addons =1.0.0 -...
cc.vihackerframework:vihacker-auth-starter (>=1.0.4.R <=1.0.6.R), cc.vihackerframework:vihacker-common-starter (>=1.0.4.R <=1.0.6.R) +605 more potentially affected by CVE-2021-22119 via org.springframework.security:spring-security-core (=5.5.0)
org.springframework.security:spring-security-core MAVEN version =5.5.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.springframework.security:spring-security-core and may be impacted: - cc.vihackerframework:vihacker-auth-starter =1.0.4.R, =1.0.4....
com.azure.spring:azure-spring-boot-starter-active-directory-b2c (>=3.3.0 <=3.5.0), com.backbase.oss:scdf-maven-plugin (=0.2.0) +114 more potentially affected by CVE-2021-22119 via org.springframework.security:spring-security-oauth2-client (>=5.4.0 <=5.4.6)
org.springframework.security:spring-security-oauth2-client MAVEN version =5.4.0, =3.3.0, =2.4.1, =1.12, =1.18.1, =1.12, =1.12, =1.12, =1.12.1, =0.1.0-beta.6, =1.5.0, =1.5.0, =1.5.0, =1.5.0, =1.5...
com.c4-soft.springaddons:spring-security-test-oauth2-addons (=1.0.0), com.epam.reportportal:service-authorization (=5.0.0) +18 more potentially affected by CVE-2021-22119 via org.springframework.security:spring-security-oauth2-client (=5.2.0.RELEASE)
org.springframework.security:spring-security-oauth2-client MAVEN version =5.2.0.RELEASE is affected by a known vulnerability. The following packages have a transitive dependency on org.springframework.security:spring-security-oauth2-client and may be impacted: -...
com.azure.spring:azure-spring-boot-starter-active-directory-b2c (=3.6.0), com.okta.idx.sdk:okta-idx-java-embedded-sign-in-widget (>=0.1.0-beta.8 <=1.0.0) +18 more potentially affected by CVE-2021-22119 via org.springframework.security:spring-security-oauth2-client (=5.5.0)
org.springframework.security:spring-security-oauth2-client MAVEN version =5.5.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.springframework.security:spring-security-oauth2-client and may be impacted: -...
GHSA-W9JG-GVGR-354M Resource Exhaustion in Spring Security
Spring Security versions 5.5.x prior to 5.5.1, 5.4.x prior to 5.4.7, 5.3.x prior to 5.3.10 and 5.2.x prior to 5.2.11 are susceptible to a Denial-of-Service DoS attack via the initiation of the Authorization Request in an OAuth 2.0 Client Web and WebFlux application. A malicious user or attacker c...
ai.ylyue:yue-library-auth-client (>=j8.2.4.0 <=j11.2.4.0), ai.ylyue:yue-library-auth-service (>=j8.2.4.0 <=j11.2.4.0) +1434 more potentially affected by CVE-2021-22119 via org.springframework.security:spring-security-core (>=5.4.0 <=5.4.6)
org.springframework.security:spring-security-core MAVEN version =5.4.0, =j8.2.4.0, =j8.2.4.0, =0.1.0-alpha, =0.1.0-alpha, =2.0.3, =2.0.3, =2.0.3, =1.0.0, =0.0.1, =8.1.0.371, =8.1.0.304, =8.1.0.578.141 and more Source cves: CVE-2021-22119 Source advisory: OSV:GHSA-W9JG-GVGR-354M...
Resource Exhaustion in Spring Security
Spring Security versions 5.5.x prior to 5.5.1, 5.4.x prior to 5.4.7, 5.3.x prior to 5.3.10 and 5.2.x prior to 5.2.11 are susceptible to a Denial-of-Service DoS attack via the initiation of the Authorization Request in an OAuth 2.0 Client Web and WebFlux application. A malicious user or attacker c...
com.buession.cas:buession-cas-core (>=1.1.1 <=1.1.2), com.buession.cas:buession-cas-metrics (>=1.1.1 <=1.1.2) +65 more potentially affected by CVE-2021-22119 via org.springframework.security:spring-security-core (=5.3.0.RELEASE)
org.springframework.security:spring-security-core MAVEN version =5.3.0.RELEASE is affected by a known vulnerability. The following packages have a transitive dependency on org.springframework.security:spring-security-core and may be impacted: - com.buession.cas:buession-cas-core =1.1.1, =1.1.1,...
Exploit for Improper Authentication in Apache Shiro
Apache Shiro: analysis of two authentication bypass techniques (CVE-2020-17523). 0x01 Vulnerability description: Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography and session management. Using Shiro's easy-to-understand API, you can quickly and easily secure any application, from the smallest mobile app to the largest web and enterprise applications. When it is combined with Spring, under certain permission-matching rules an attacker can bypass authentication by crafting a special HTTP request. Affected range: Apache Shiro (path normalization rules: a double slash is collapsed into a single slash, e.g. // becomes /; a path ending in /. or /.. has a trailing / appended, e.g. /. becomes /./ ...)
CVE-2021-22119
Spring Security versions 5.5.x prior to 5.5.1, 5.4.x prior to 5.4.7, 5.3.x prior to 5.3.10 and 5.2.x prior to 5.2.11 are susceptible to a Denial-of-Service DoS attack via the initiation of the Authorization Request in an OAuth 2.0 Client Web and WebFlux application. A malicious user or attacker c...