How to Spring Clean Your Digital Clutter to Protect Yourself
You don't have to get your hands dirty to do the most important spring cleaning of the year...
ai.foremast.metrics:foremast-spring-boot-15x-starter (>=0.1.8 <=0.1.12), ai.snips:play-mongo-bson_2.12 (>=0.5 <=0.5.1) +6217 more potentially affected by CVE-2019-12086 via com.fasterxml.jackson.core:jackson-databind (>=2.8.0 <=2.8.11.3)
com.fasterxml.jackson.core:jackson-databind MAVEN version =2.8.0, =0.1.8, =0.5, =2.3.0, =1.5.6, =4.2.1, =4.4.1, =1.0.0.RELEASE, =0.4, =0.4, =0.4, =0.4, =0.4, =0.4, =0.4, =0.4, =0.9 and more Source cves: CVE-2019-12086 Source advisory: OSV:GHSA-5WW9-J83M-Q7QX...
com.okta.spring.examples:okta-spring-boot-cloud-config-example (>=1.0.0 <=1.1.0), com.yoozoo.protoconf:protoconf-java (>=0.2.2 <=0.2.3) +9 more potentially affected by CVE-2019-3799 via org.springframework.cloud:spring-cloud-config-server (>=2.0.0.RELEASE <=2.0.3.RELEASE)
org.springframework.cloud:spring-cloud-config-server MAVEN version =2.0.0.RELEASE, =1.0.0, =0.2.2, =1.0.2, =0.0.2, =Darwin.RELEASE, =0.2.1.RELEASE, =2.0.0.RELEASE, =2.0.3.RELEASE - xyz.weechang:moreco-cloud-config =0.0.1 Source cves: CVE-2019-3799 Source advisory: OSV:GHSA-4X49-W62V-76Q7...
Path Traversal in Spring Cloud Config
Spring Cloud Config, versions 2.1.x prior to 2.1.2, versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a...
cn.home1:oss-configserver (>=1.0.6.OSS <=1.0.7.OSS), cn.home1:spring-cloud-config-monitor (>=0.0.1 <=1.0.1.U1) +166 more potentially affected by CVE-2019-3799 via org.springframework.cloud:spring-cloud-config-server (>=1.1.0.RELEASE <=1.4.5.RELEASE)
org.springframework.cloud:spring-cloud-config-server MAVEN version =1.1.0.RELEASE, =1.0.6.OSS, =0.0.1, =0.0.1, =1.1.0-RELEASE, =1.0.0, =1.0.0, =1.5.0-Beta, =0.8.3, =0.8.3, =0.8.3, =0.8.3, =0.10.0 and more Source cves: CVE-2019-3799 Source advisory: OSV:GHSA-4X49-W62V-76Q7...
GHSA-4X49-W62V-76Q7 Path Traversal in Spring Cloud Config
Spring Cloud Config, versions 2.1.x prior to 2.1.2, versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a...
ai.hyacinth.framework:core-service-config-server (=0.5.0), org.apereo.cas:cas-server-support-configuration-cloud-amqp (>=6.0.1 <=6.1.0-RC2) +12 more potentially affected by CVE-2019-3799 via org.springframework.cloud:spring-cloud-config-server (>=2.1.0.RELEASE <=2.1.1.RELEASE)
org.springframework.cloud:spring-cloud-config-server MAVEN version =2.1.0.RELEASE, =6.0.1, =6.0.1, =6.0.1, =Einstein.RELEASE, =2.1.0.RELEA...
VulnCheck KEV: CVE-2017-8046
Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 Ingalls SR9, versions prior to 3.0.1 Kay SR1 and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code...
DLA-1794-1 libspring-security-2.0-java - security update
Bulletin has no description...
Information Disclosure
spring-data-jpa is vulnerable to information disclosure. A lack of validation and sanitization of wildcard characters when using ExampleMatcher.StringMatcher.STARTING, ExampleMatcher.StringMatcher.ENDING or ExampleMatcher.StringMatcher.CONTAINING allows a user to retrieve more results than expect...
Oracle Enterprise Manager Ops Center (Apr 2019 CPU)
The version of Oracle Enterprise Manager Cloud Control installed on the remote host is affected by multiple vulnerabilities in Enterprise Manager Base Platform component: - A deserialization vulnerability in Apache Commons FileUpload allows for remote code execution. CVE-2016-1000031 - An...
Exploit kits: spring 2019 review
Exploit kit activity remains fairly unchanged since our last winter review in terms of active distribution campaigns. But this spring edition will feature a new exploit kit and another atypical EK, in that it specifically goes after routers. The main driver behind these drive-by download attacks...
GHSA-JGMR-WRWX-MGFJ Exposure of Sensitive Information to an Unauthorized Actor and SQL Injection in Spring Data JPA
This affects Spring Data JPA in versions up to and including 2.1.5, 2.0.13 and 1.11.19. Derived queries using any of the predicates "startingWith", "endingWith" or "containing" could return more results than anticipated when a maliciously crafted query parameter value is supplied. Also, LIKE...
ai.hyacinth.framework:core-service-jpa-support (>=0.5.0 <=0.5.21), ai.hyacinth.framework:core-service-trigger-server (>=0.5.0 <=0.5.21) +644 more potentially affected by CVE-2019-3797 via org.springframework.data:spring-data-jpa (>=2.1.0.RELEASE <=2.1.5.RELEASE)
org.springframework.data:spring-data-jpa MAVEN version =2.1.0.RELEASE, =0.5.0, =0.5.0, =0.0.4, =0.0.8 and more Source cves: CVE-2019-3797 Source advisory: OSV:GHSA-J...
ch.sharedvd.tipi:tipi-engine (=2.0.0), cn.jbone:jbone-common (=1.0.0) +158 more potentially affected by CVE-2019-3797 via org.springframework.data:spring-data-jpa (>=2.0.0.RELEASE <=2.0.13.RELEASE)
org.springframework.data:spring-data-jpa MAVEN version =2.0.0.RELEASE, =1.2.0, =0.1.0, =1.3.0, =1.1.1, =1.1.1, =1.1.1, =1.1.1, =1.1.1, =1.1.1, =1.1.1, =1.1.3 and more Source cves: CVE-2019-3797 Source advisory: OSV:GHSA-JGMR-WRWX-MGFJ...
Exposure of Sensitive Information to an Unauthorized Actor and SQL Injection in Spring Data JPA
This affects Spring Data JPA in versions up to and including 2.1.5, 2.0.13 and 1.11.19. Derived queries using any of the predicates "startingWith", "endingWith" or "containing" could return more results than anticipated when a maliciously crafted query parameter value is supplied. Also, LIKE...
am.ik.home:uaa-server (>=1.0.0 <=1.9.0), au.com.mountain-pass:hyperstate-client (>=1 <=10) +489 more potentially affected by CVE-2019-3797 via org.springframework.data:spring-data-jpa (>=1.0.1.RELEASE <=1.11.1.RELEASE)
org.springframework.data:spring-data-jpa MAVEN version =1.0.1.RELEASE, =1.0.0, =1, =1, =1, =1, =1, =0.1.0, =1.0.0, =1.6, =1.1.10, =3.0.1.3, =3.0.1.11 and more Source cves: CVE-2019-3797 Source advisory: OSV:GHSA-JGMR-WRWX-MGFJ...
Pivotal Software Spring Data JPA Information Disclosure Vulnerability
Pivotal Software Spring Data JPA is a set of applications from Pivotal Software, Inc. (United States) used to simplify and create JPA-based data access layer development. An information disclosure vulnerability exists in Pivotal Software Spring Data JPA. The vulnerability stems from errors such as...
CVE-2019-3799
Spring Cloud Config, versions 2.1.x prior to 2.1.2, versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a...
XSS vulnerability in JeeWeb frontend
JeeWeb is an agile development system based on SpringBoot 2 + Spring + Mybatis + Hibernate. An XSS vulnerability exists in the frontend of JeeWeb, which can be exploited by an attacker to obtain an administrator cookie...