CVE-2011-2730: Spring Framework Information Disclosure

CVE-2011-2730: Spring Framework Information Disclosure Severity: Variable depending on application. Likely to be low to moderate, may be important. Version affected: 3.0.0 to 3.0.5 2.5.0 to 2.5.6.SEC02 community releases 2.5.0 to 2.5.7.SR01 subscription customers Earlier, unsupported versions may...

Spring Framework表达式语言JSP属性处理信息泄露漏洞(cve-2011-2730)

Bugtraq ID: 49543 CVE ID：CVE-2011-2730 Spring Framework是一个开源的Java／Java EE全功能栈（full-stack）的应用程序框架， 以Apache许可证形式发布，也有.NET平台上的移植版本。 在JSP 2.0之前，表达式语言不被支持。要在基于早期JSP规范的WEB应用程序中使用EL，一些Spring MVC标签提供对Servlet/JSP容易的EL独立支持。默认启用对EL求值。当使用支持EL的容器时，EL中的属性会被求值两次，一次容器另一次为tab。这可导致不可期的敏感信息泄露。 0 SpringSource Spring...

CVE-2011-2894: Spring Framework and Spring Security serialization-based remoting vulnerabilities

CVE-2011-2894: Spring Framework and Spring Security serialization-based remoting vulnerabilities Severity: Critical Versions Affected: Spring Framework: 3.0.0 to 3.0.5 Spring Security: 2.0.0 to 2.0.6 3.0.0 to 3.0.5 Earlier versions may also be affected Description: Several issues have been report...

CVE-2011-2732: Spring Security header injection vulnerability

CVE-2011-2732: Spring Security header injection vulnerability Severity: Important Versions Affected: 2.0.0 to 2.0.6 3.0.0 to 3.0.5 Earlier versions may also be affected Description: Spring Security allows the use of a parameter named "spring-security-redirect" by default to determine the location...

Spring Security - HTTP Header Injection

Spring Security - HTTP Header Injection source: https://www.securityfocus.com/bid/49535/info Spring Security is prone to a vulnerability that allows attackers to inject arbitrary HTTP headers because it fails to sufficiently sanitize input. By inserting arbitrary headers into an HTTP response,...

Spring Security Header Injection

CVE-2011-2732: Spring Security header injection vulnerability Severity: Important Versions Affected: 2.0.0 to 2.0.6 3.0.0 to 3.0.5 Earlier versions may also be affected Description: Spring Security allows the use of a parameter named "spring-security-redirect" by default to determine the location...

Spring Security - HTTP Header Injection

source: https://www.securityfocus.com/bid/49535/info Spring Security is prone to a vulnerability that allows attackers to inject arbitrary HTTP headers because it fails to sufficiently sanitize input. By inserting arbitrary headers into an HTTP response, attackers may be able to launch various...

Spring Source OXM Remote OS Command Injection when XStream and IBM JRE are used

Reference: http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/html/oxm.htmld0e26722 Product: Spring Source OXM Object/XML Mapping Vendor: VMware Vulnerable Version: 3.0.4 only when XStream and IBM JRE are used Status: Fixed Vendor Notification: 12 October 2010 Vendor Fix:...

Spring Source OXM 3.0.4 Command Injection

Reference: http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/html/oxm.htmld0e26722 Product: Spring Source OXM Object/XML Mapping Vendor: VMware Vulnerable Version: 3.0.4 only when XStream and IBM JRE are used Status: Fixed Vendor Notification: 12 October 2010 Vendor Fix:...

VMware SpringSource Spring Framework class.classloader Remote Code Execution (CVE-2010-1622)

The vulnerability is caused due to an error in the mechanism used to update the properties of an object with client provided data. A vulnerability has been reported in Spring Framework. A vulnerability has been reported in Spring Framework, which can allow attackers to compromise a vulnerable...

Yahoo! Announces Hack U™ Spring 2011 Series !

Yahoo! is proud to announce the Hack U™ Spring 2011 calendar of events. Join Yahoo! web experts for a week of learning, hacking and fun! You'll hear interesting tech talks, hacking tips and lessons, and get hands-on coding workshops where you'll work with cutting-edge technology. The week's event...

3.0.3): Arbitrary Java code execution via an HTTP request containing a specially-crafted .jar file

SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs0=jar: followed by a URL of a crafted .jar file...

spring-data-commons

It is...

CVE-2010-3700: Spring Security bypass of security constraints

CVE-2010-3700 - Spring Security - Bypassing of security constraints Severity: Important Vendor: SpringSource, a division of VMware Versions affected: Spring Security 3.0.0 to 3.0.3 Spring Security 2.0.0 t0 2.0.5 Acegi Security 1.0.0 to 1.0.7 Description: Spring Security does not consider URL path...

CVE-2010-3700

VMware SpringSource Spring Security 2.x before 2.0.6 and 3.x before 3.0.4, and Acegi Security 1.0.0 through 1.0.7, as used in IBM WebSphere Application Server WAS 6.1 and 7.0, allows remote attackers to bypass security constraints via a path parameter...

Design/Logic Flaw

VMware SpringSource Spring Security 2.x before 2.0.6 and 3.x before 3.0.4, and Acegi Security 1.0.0 through 1.0.7, as used in IBM WebSphere Application Server WAS 6.1 and 7.0, allows remote attackers to bypass security constraints via a path parameter...

CVE-2010-3700

CVE-2010-3700 affects Spring Security (SpringSource) 2.x up to 2.0.5 and 3.x up to 3.0.3, and Acegi Security 1.0.0–1.0.7, notably when used in IBM WebSphere Application Server 6.1/7.0. The root cause is that URL path parameters are not consistently excluded from getPathInfo(), allowing an attacke...

CVE-2010-3700

VMware SpringSource Spring Security 2.x before 2.0.6 and 3.x before 3.0.4, and Acegi Security 1.0.0 through 1.0.7, as used in IBM WebSphere Application Server WAS 6.1 and 7.0, allows remote attackers to bypass security constraints via a path parameter...

Spring Security Security Constraint Bypass

CVE-2010-3700 - Spring Security - Bypassing of security constraints Severity: Important Vendor: SpringSource, a division of VMware Versions affected: Spring Security 3.0.0 to 3.0.3 Spring Security 2.0.0 t0 2.0.5 Acegi Security 1.0.0 to 1.0.7 Description: Spring Security does not consider URL path...

Mandriva Update for cyrus-imapd MDVA-2010:208 (cyrus-imapd)

Check for the Version of cyrus-imapd OpenVAS Vulnerability Test Mandriva Update for cyrus-imapd MDVA-2010:208 cyrus-imapd Authors: System Generated Check Copyright: Copyright c 2010 Greenbone Networks GmbH, http://www.greenbone.net This program is free software; you can redistribute it and/or...