CVE-2019-3773
Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources...
Hard-Coded Key Used For Remember-me Token in Opencast
Impact: The security configuration in etc/security/mhdefaultorg.xml enables a remember-me cookie based on a hash created from the username, password, and an additional system key. Opencast has hard-coded this system key in the large XML file and never mentions to change this, basically ensuring th...
GitHub Security Lab: CodeQL query for finding CSRF vulnerabilities in Spring applications
This bug was reported directly to GitHub Security Lab...
Vulnerability fixed in Spring Framework
A vulnerability has been fixed in Spring Framework. The vulnerability allows a malicious party to perform a reflected file download (RFD) attack. The developers of Spring Framework have released updates to fix the vulnerability. More information can be found at the page below:...
Stripo Inc: Open memory dump method leaking customer information ,secret keys , password , source code & admin accounts
Summary: Stripo uses Spring Boot for the backend API development, and misconfigured the application to open actuator APIs to the public. This issue is found in 3 domains, don't know if I need to publish 3 reports for that, or just one report, but the domains are:...
Spring Framework 5.0.x < 5.0.16 / 5.1.x < 5.1.13 / 5.2.x < 5.2.3 Spring Framework Reflected File Download Vulnerability. (CVE-2020-5398)
The remote host contains a Spring Framework library version that is 5.0.x prior to 5.0.16, 5.1.x prior to 5.1.13, or 5.2.x prior to 5.2.3. It is, therefore, affected by a reflected file download vulnerability. An attacker can exploit this by tricking a user into clicking a URL for a trusted domain. Upon...
Improper implementation of the session fixation protection in Infinispan
A flaw was found in Infinispan through version 9.4.14.Final. An improper implementation of the session fixation protection in the Spring Session integration can result in incorrect session handling...
GHSA-6X3V-RW2Q-9GX7 Improper implementation of the session fixation protection in Infinispan
A flaw was found in Infinispan through version 9.4.14.Final. An improper implementation of the session fixation protection in the Spring Session integration can result in incorrect session handling...
ai.ylyue:yue-library-webflux (>=j8.2.3.0 <=j11.2.3.3), app.myoss.cloud.boot:myoss-starter-webflux (>=2.3.0.RELEASE <=2.3.1.RELEASE) +616 more potentially affected by CVE-2020-5397 via org.springframework:spring-webflux (>=5.2.0.RELEASE <=5.2.2.RELEASE)
org.springframework:spring-webflux MAVEN version =5.2.0.RELEASE, =j8.2.3.0, =2.3.0.RELEASE, =2.0.8, =0.5.1, =1.1.0, =1.0.0, =1.1.2 - cn.magichand:magichand-common-swagger =1.0.4 and more Source cves: CVE-2020-5397 Source advisory: OSV:GHSA-7PM4-G2QJ-J85X...
ai.ylyue:yue-library-auth-client (>=j8.2.3.0 <=j11.2.3.3), ai.ylyue:yue-library-auth-service (>=j8.2.3.0 <=j11.2.3.3) +3893 more potentially affected by CVE-2020-5397 via org.springframework:spring-webmvc (>=5.2.0.RELEASE <=5.2.2.RELEASE)
org.springframework:spring-webmvc MAVEN version =5.2.0.RELEASE, =j8.2.3.0, =j8.2.3.0, =j8.2.3.0, =2.3.0.RELEASE, =1.1.1, =1.0.0, =1.2.2.RELEASE, =1.2.2.RELEASE, =0.0.9, =0.0.9, =0.0.9, =0.0.9, =0.0.9, =0.0.12 and more Source cves: CVE-2020-5397 Source advisory: OSV:GHSA-7PM4-G2QJ-J85X...
GHSA-7PM4-G2QJ-J85X CSRF attack via CORS preflight requests with Spring MVC or Spring WebFlux
Spring Framework, versions 5.2.x prior to 5.2.3, are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable because preflight requests should not inclu...
CSRF attack via CORS preflight requests with Spring MVC or Spring WebFlux
Spring Framework, versions 5.2.x prior to 5.2.3, are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable because preflight requests should not inclu...
ai.ylyue:yue-library-base (>=Finchley.SR2.SR1 <=Finchley.SR4.1), ai.ylyue:yue-library-base-crypto (>=Finchley.SR4 <=Finchley.SR4.1) +754 more potentially affected by CVE-2020-5398 via org.springframework:spring-webmvc (>=5.0.0.RELEASE <=5.0.15.RELEASE)
org.springframework:spring-webmvc MAVEN version =5.0.0.RELEASE, =Finchley.SR2.SR1, =Finchley.SR4, =Finchley.SR2.SR1, =Finchley.SR2.SR1, =Finchley.SR4, =2.0.3.RELEASE, =2.0.2.RELEASE, =1.0.3.RELEASE, =3.1.0, =3.1.0, =2.0.7, =2.0.11 - ch.rasc:wamp2spring =1.0.0 - ch.rasc:wamp2spring-security =1.0.0...
RFD attack via Content-Disposition header sourced from request input by Spring MVC or Spring WebFlux Application
In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header in the response where the filename attribute is derived from use...
ai.ylyue:yue-library-webflux (>=j8.2.3.0 <=j11.2.3.3), app.myoss.cloud.boot:myoss-starter-webflux (>=2.3.0.RELEASE <=2.3.1.RELEASE) +616 more potentially affected by CVE-2020-5398 via org.springframework:spring-webflux (>=5.2.0.RELEASE <=5.2.2.RELEASE)
org.springframework:spring-webflux MAVEN version =5.2.0.RELEASE, =j8.2.3.0, =2.3.0.RELEASE, =2.0.8, =0.5.1, =1.1.0, =1.0.0, =1.1.2 - cn.magichand:magichand-common-swagger =1.0.4 and more Source cves: CVE-2020-5398 Source advisory: OSV:GHSA-8WX2-9Q48-VM9R...
ai.hyacinth.framework:core-service-admin-server (>=0.5.8 <=0.5.21), ai.hyacinth.framework:core-service-gateway-server (>=0.5.8 <=0.5.21) +38 more potentially affected by CVE-2020-5398 via org.springframework:spring-webflux (>=5.1.0.RELEASE <=5.1.12.RELEASE)
org.springframework:spring-webflux MAVEN version =5.1.0.RELEASE, =0.5.8, =0.5.8, =0.5.8, =0.5.0, =1.1.1.RELEASE, =1.0.6.RELEASE, =1.0.0, =1.3.5, =1.0.4.RELEASE, =1.7.0, =1.1.1-Greenwich, =1.1.1-Greenwich, =1.1.2-Greenwich and more Source cves: CVE-2020-5398 Source advisory: OSV:GHSA-8WX2-9Q48-VM9...
ai.ylyue:yue-library-auth-client (>=j8.2.3.0 <=j11.2.3.3), ai.ylyue:yue-library-auth-service (>=j8.2.3.0 <=j11.2.3.3) +3893 more potentially affected by CVE-2020-5398 via org.springframework:spring-webmvc (>=5.2.0.RELEASE <=5.2.2.RELEASE)
org.springframework:spring-webmvc MAVEN version =5.2.0.RELEASE, =j8.2.3.0, =j8.2.3.0, =j8.2.3.0, =2.3.0.RELEASE, =1.1.1, =1.0.0, =1.2.2.RELEASE, =1.2.2.RELEASE, =0.0.9, =0.0.9, =0.0.9, =0.0.9, =0.0.9, =0.0.12 and more Source cves: CVE-2020-5398 Source advisory: OSV:GHSA-8WX2-9Q48-VM9R...
ai.hyacinth.framework:core-service-admin-server (>=0.5.8 <=0.5.21), ai.hyacinth.framework:core-service-config-server (>=0.5.8 <=0.5.21) +490 more potentially affected by CVE-2020-5398 via org.springframework:spring-webmvc (>=5.1.0.RELEASE <=5.1.12.RELEASE)
org.springframework:spring-webmvc MAVEN version =5.1.0.RELEASE, =0.5.8, =0.5.8, =0.5.8, =0.5.8, =0.5.8, =0.5.8, =0.5.0, =0.2.0, =0.4.0, =0.1.0, =0.0.2, =0.0.4-ALPHA - club.gclmit:chaos =1.0.1 and more Source cves: CVE-2020-5398 Source advisory: OSV:GHSA-8WX2-9Q48-VM9R...
GHSA-8WX2-9Q48-VM9R RFD attack via Content-Disposition header sourced from request input by Spring MVC or Spring WebFlux Application
In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header in the response where the filename attribute is derived from use...
am.ik.github:reactive-github-client (>=0.0.1 <=0.0.4), capital.scalable:spring-auto-restdocs-core (>=2.0.3 <=2.0.6) +109 more potentially affected by CVE-2020-5398 via org.springframework:spring-webflux (>=5.0.0.RELEASE <=5.0.15.RELEASE)
org.springframework:spring-webflux MAVEN version =5.0.0.RELEASE, =0.0.1, =2.0.3, =B.0.0.1, =B.0.0.1, =B.0.0.1, =B.0.0.1, =2.21.8, =1.6.17, =0.11.2, =2.7.0-RELEASE, =2.7.0-RELEASE, =2.7.0-RELEASE, =0.1.0, =0.14, =0.19 and more Source cves: CVE-2020-5398 Source advisory: OSV:GHSA-8WX2-9Q48-VM9R http...