6505 matches found
Pivotal Software Spring Framework Directory Traversal Vulnerability
Pivotal Software Spring Framework is the U.S. Pivotal Software, Inc. of a set of open source Java, Java EE application framework. The framework helps developers build high-quality applications . A directory traversal vulnerability exists in Pivotal Software Spring Framework, which stems from the...
CVE-2016-9878
It was found that ResourceServlet in Spring Framework does not sanitize the paths that have been provided properly. An attacker can utilize this flaw to conduct a directory traversal attacks...
Unauthorised Modification Of Permission Scope
spring-security-oauth2 is vulnerable to unauthorised modification of scope. A malicious user can submit a scope parameter during token request, which will be accepted by the server. This allows the malicious user to gain a wider scope of permissions when they authenticate...
Pivotal Spring Security OAuth SpelView Code Execution (CVE-2016-4977)
A remote code execution vulnerability exists in Pivotal Spring Security OAuth. The vulnerability is caused when processing authorization requests using the whitelabel views and when the responsetype parameter value is executed as Spring SpEL. This enables a malicious user to trigger remote code...
Spring Data JPA Blind SQL Injection Vulnerability
PoC for blind SQL injection bug found in Solita Webhack 2016. Founders: Niklas Särökaari, Joona Immonen Analysis: Arto Santala, Niklas Särökaari, Joona Immonen, Antti Virtanen, Michael Holopainen PoC: Antti Ahola, Antti Virtanen CVE: https://pivotal.io/security/cve-2016-6652 This has been fixed i...
CVE-2 0 1 6-4 9 7 7: RCE in Spring Security Oauth vulnerability analysis-vulnerability warning-the black bar safety net
Version affected Pivotal Spring Security OAuth 2.0 – 2.0.9 Pivotal Spring Security OAuth 1.0 – 1.0.5 Background A few months ago, I for one use Spring Security OAuth framework for authorization of the Web application were tested. In my research, I discovered some issues, including remote code...
Spring Security Oauth remote code execution vulnerability
Author: p0wd3r 知道创宇404安全实验室 Date: 2016-10-17 0x00 漏洞概述 1.漏洞简介 Spring Security OAuth是为Spring框架提供安全认证支持的一个模块,在7月5日其维护者发布了这样一个升级公告,主要说明在用户使用Whitelabel views来处理错误时,攻击者在被授权的情况下可以通过构造恶意参数来远程执行命令。漏洞的发现者在10月13日公开了该漏洞的挖掘记录。 2.漏洞影响 授权状态下远程命令执行 3.影响版本 2.0.0 to 2.0.9 1.0.0 to 1.0.5 0x01 漏洞复现 1. 环境搭建 bash...
Pivotal Spring Data JPA SQL Injection Vulnerability
Pivotal is a new company formed by EMC and VMware. A SQL injection vulnerability exists in Pivotal Spring Data JPA due to the program's inability to adequately clean user input data. An attacker could exploit the vulnerability to access and modify data...
Jndi injection and Spring RCE vulnerability analysis-vulnerability warning-the black bar safety net
Foreword Because before has been traveling, and haven't done the research, eleven during the re-focus of the 2 0 1 6 BlackHat the above subject, wherein jndi injection caught my attention, this paper mainly divided into the following 3 sections, the understanding of jndi, analysis jndi injection...
Important: Red Hat Security Advisory: Red Hat JBoss Fuse 6.3 security update
Red Hat JBoss Fuse 6.3, which fixes multiple security issues and includes several bug fixes and enhancements, is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base...
Framework: denial-of-service attack with XML input
A denial of service flaw was found in the way Spring processes inline DTD declarations. A remote attacker could submit a specially crafted XML file that would cause out-of-memory errors when parsed...
Important: Red Hat Security Advisory: Red Hat JBoss A-MQ 6.3 security update
Red Hat JBoss A-MQ 6.3, which fixes multiple security issues and includes several bug fixes and enhancements, is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base...
Framework: denial-of-service attack with XML input
A denial of service flaw was found in the way Spring processes inline DTD declarations. A remote attacker could submit a specially crafted XML file that would cause out-of-memory errors when parsed...
CVE-2016-6652
SQL injection vulnerability in Pivotal Spring Data JPA before 1.9.6 Gosling SR6 and 1.10.x before 1.10.4 Hopper SR4, when used with a repository that defines a String query using the @Query annotation, allows attackers to execute arbitrary JPQL commands via a sort instance with a function call...
CVE-2016-6652
SQL injection vulnerability in Pivotal Spring Data JPA before 1.9.6 Gosling SR6 and 1.10.x before 1.10.4 Hopper SR4, when used with a repository that defines a String query using the @Query annotation, allows attackers to execute arbitrary JPQL commands via a sort instance with a function call...
Sql injection
SQL injection vulnerability in Pivotal Spring Data JPA before 1.9.6 Gosling SR6 and 1.10.x before 1.10.4 Hopper SR4, when used with a repository that defines a String query using the @Query annotation, allows attackers to execute arbitrary JPQL commands via a sort instance with a function call...
CVE-2016-6652
SQL injection vulnerability in Pivotal Spring Data JPA before 1.9.6 Gosling SR6 and 1.10.x before 1.10.4 Hopper SR4, when used with a repository that defines a String query using the @Query annotation, allows attackers to execute arbitrary JPQL commands via a sort instance with a function call...
CVE-2016-6652
The CVE-2016-6652 vulnerability affects Spring Data JPA prior to 1.9.6 (Gosling SR6) and 1.10.x prior to 1.10.4 (Hopper SR4). When using a repository method that defines a String query with @Query, an attacker can execute arbitrary JPQL commands through a sort parameter (via QueryUtils.applySorti...
Spring Security OAuth Remote Command Execution Vulnerability
Spring is a lightweight Java development framework . Security OAuth provides a Spring Security authorization filter . A remote command execution vulnerability exists in Spring Security OAuth that could be exploited by an attacker to execute arbitrary code in the context of an affected application...
Framework: denial-of-service attack with XML input
A denial of service flaw was found in the way Spring processes inline DTD declarations. A remote attacker could submit a specially crafted XML file that would cause out-of-memory errors when parsed...