CVE-2019-3778
Spring Security OAuth, versions 2.3 prior to 2.3.5, and 2.2 prior to 2.2.4, and 2.1 prior to 2.1.4, and 2.0 prior to 2.0.17, and older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to th...
Authorization
Spring Security OAuth, versions 2.3 prior to 2.3.5, and 2.2 prior to 2.2.4, and 2.1 prior to 2.1.4, and 2.0 prior to 2.0.17, and older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to th...
Security Bulletin: IBM Security Guardium is affected by Using Components with Known Vulnerabilities vulnerabilities
Summary IBM Security Guardium has addressed the following vulnerabilities. Vulnerability Details CVEID: CVE-2016-5007 DESCRIPTION: Pivotal Spring Security and Spring Framework could provide weaker than expected security, caused by the difference in the strictness of the pattern matching mechanism...
Security Bulletin: FileNet CMIS (FNCMIS) leveraging Spring Framework is vulnerable to a denial of service caused by improper handling of range request by the ResourceHttpRequestHandler
Summary FileNet Content Management Interoperability Services CMIS, which ships with IBM Content Navigator, is affected by the following vulnerability: Spring Framework’s improper handling of ResourceHttpRequestHandler could result in denial of service condition. Vulnerability Details CVE-ID:...
Security Bulletin: Publicly disclosed vulnerability from Spring Framework affects IBM Spectrum LSF Explorer
Summary Publicly disclosed vulnerability from Spring Framework affects IBM Spectrum LSF Explorer Vulnerability Details CVE-ID:CVE-2018-15756 Description: Pivotal Spring Framework is vulnerable to a denial of service, caused by improper handling of range request by the ResourceHttpRequestHandler. By...
Security Bulletin: Publicly disclosed vulnerability from Spring Framework affects IBM Spectrum LSF Application Center
Summary Publicly disclosed vulnerability from Spring Framework affects IBM Spectrum LSF Application Center Vulnerability Details CVE-ID:CVE-2018-15756 Description: Pivotal Spring Framework is vulnerable to a denial of service, caused by improper handling of range request by the...
Open Redirection
spring-security-oauth2 is vulnerable to open redirection. A lack of validation on the redirect_uri parameter allows an attacker to manipulate the redirect URI by sending a malicious request to the authorization endpoint using the authorization code grant type and cause the authorization server to...
Pivotal Spring Framework spring-messaging Module STOMP Remote Code Execution (CVE-2018-1270)
A remote code execution vulnerability has been reported in Pivotal Spring Framework. The vulnerability is due to improper handling of user-supplied input to a STOMP broker in the spring-messaging module. A remote, unauthenticated attacker could exploit this vulnerability by sending maliciously...
CVE-2019-3774
Spring Batch versions 3.0.9, 4.0.1, 4.1.0, and older unsupported versions, were susceptible to XML External Entity Injection XXE when receiving XML data from untrusted sources...
Low severity vulnerability that affects org.springframework.batch:spring-batch-core
Spring Batch versions 3.0.9, 4.0.1, 4.1.0, and older unsupported versions, were susceptible to XML External Entity Injection XXE when receiving XML data from untrusted sources...
cloud.altemista.fwk.batch:cloud-altemistafwk-core-batch-spring (>=3.0.0.RELEASE <=3.0.1.RELEASE), cloud.altemista.fwk.batch:cloud-altemistafwk-core-batch-spring-conf (>=3.0.0.RELEASE <=3.0.1.RELEASE) +46 more potentially affected by CVE-2019-3774 via org.springframework.batch:spring-batch-core (>=4.0.0.RELEASE <=4.0.1.RELEASE)
org.springframework.batch:spring-batch-core MAVEN version =4.0.0.RELEASE, =3.0.0.RELEASE, =3.0.0.RELEASE, =3.0.0, =1.0.0, =1.0.1, =1.0.0, =1.0.1, =2.0.0.RELEASE, =2.0.0.RELEASE, =2.0.1.RELEASE and more Source cves: CVE-2019-3774 Source advisory: OSV:G...
be.dnsbelgium:rdap-server (>=0.3.3 <=1.1.0), com.bazoud.metrics:metrics-spring-batch (=1.0) +135 more potentially affected by CVE-2019-3774 via org.springframework.batch:spring-batch-core (>=1.0.0.FINAL <=3.0.0.RELEASE)
org.springframework.batch:spring-batch-core MAVEN version =1.0.0.FINAL, =0.3.3, =0.0.4, =0.2.4, =0.1.0, =1.0.2, =1.0.2, =0.3.1, =0.2.0, =0.2.3 and more Source cves: CVE-2019-3774 Source advisory: OSV:GHSA-3WC8-659G-R88Q...
com.github.chrisgleissner:spring-batch-rest-api (>=1.0.3 <=1.2.7), com.github.chrisgleissner:spring-batch-rest-example (>=1.0.3 <=1.2.7) +7 more potentially affected by CVE-2019-3774 via org.springframework.batch:spring-batch-core (=4.1.0.RELEASE)
org.springframework.batch:spring-batch-core MAVEN version =4.1.0.RELEASE is affected by a known vulnerability. The following packages have a transitive dependency on org.springframework.batch:spring-batch-core and may be impacted: - com.github.chrisgleissner:spring-batch-rest-api =1.0.3, =1.0.3,...
com.makeandbuild:persistence (=1.0.47), com.makeandbuild:propconfig (=1.0.5) +5 more potentially affected by CVE-2019-3773 via org.springframework.ws:spring-ws (=2.1.0.RELEASE)
org.springframework.ws:spring-ws MAVEN version =2.1.0.RELEASE is affected by a known vulnerability. The following packages have a transitive dependency on org.springframework.ws:spring-ws and may be impacted: - com.makeandbuild:persistence =1.0.47 - com.makeandbuild:propconfig =1.0.5 -...
GHSA-8222-6FC8-MHVF Vulnerability that affects org.springframework.ws:spring-ws and org.springframework.ws:spring-xml
Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection XXE when receiving XML data from untrusted sources...
Vulnerability that affects org.springframework.ws:spring-ws and org.springframework.ws:spring-xml
Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection XXE when receiving XML data from untrusted sources...
cloud.altemista.fwk.integration:cloud-altemistafwk-core-integration-ws-conf (>=3.0.0.RELEASE <=3.0.1.RELEASE), com.antheminc.oss:nimbus-starter (>=1.3.0 <=1.3.2.M1) +520 more potentially affected by CVE-2019-3773 via org.springframework.ws:spring-xml (>=3.0.0.RELEASE <=3.0.5.RELEASE)
org.springframework.ws:spring-xml MAVEN version =3.0.0.RELEASE, =3.0.0.RELEASE, =1.3.0, =2.2.1, =2.2.1, =2.2.1, =2.2.1, =2.2.1, =2.2.1, =2.2.1, =2.2.1, =2.2.1, =2.2.1, =2.3.3 - com.coherentlogic.cmr.api:cmr-api-core =2.0.3-RELEASE - com.coherentlogic.cmr.api:cmr-api-core-boot =2.0.3-RELEASE -...
com.ahome-it:ahome-tooling-server-core (>=1.0.83-RC1 <=1.1.36-RELEASE), com.ahome-it:ahome-tooling-server-hazelcast (>=1.0.88-RC1 <=1.1.27-RELEASE) +684 more potentially affected by CVE-2019-3773 via org.springframework.ws:spring-xml (>=1.0-m2 <=2.4.3.RELEASE)
org.springframework.ws:spring-xml MAVEN version =1.0-m2, =1.0.83-RC1, =1.0.88-RC1, =1.0.83-RC1, =1.1.0-RELEASE, =1.0.83-RC1, =1.0.83-RC1, =1.1.7, =1.1.7, =1.1.7, =1.1.7, =1.1.7, =1.1.7, =1.2.0.M5 - com.coherentlogic.cmr.api:cmr-api-core =2.0.2.1-RELEASE - com.coherentlogic.cmr.api:cmr-api-core-bo...
com.ahome-it:ahome-tooling-server-core (>=1.0.110-RELEASE <=1.1.3-RELEASE), com.ahome-it:ahome-tooling-server-hazelcast (>=1.0.111-RELEASE <=1.1.3-RELEASE) +19 more potentially affected by CVE-2019-3772 via org.springframework.integration:spring-integration-ws (>=1.0.1.RELEASE <=4.3.17.RELEASE)
org.springframework.integration:spring-integration-ws MAVEN version =1.0.1.RELEASE, =1.0.110-RELEASE, =1.0.111-RELEASE, =1.0.111-RELEASE, =1.1.0-RELEASE, =1.0.111-RELEASE, =1.0.111-RELEASE, =1.0.19-RELEASE, =1.2.2-RELEASE, =1.2.23-RELEASE, =1.1.0-RELEASE, =1.1.0-RELEASE, =1.2.1-RELEASE, =0.0.3,...