190 matches found
CVE-2023-34036 Forwarded header exploit with Spring HATEOAS on WebFlux
Reactive web applications that use Spring HATEOAS to produce hypermedia-based responses might be exposed to malicious forwarded headers if they are not behind a trusted proxy that ensures correctness of such headers, or if they don't have anything else in place to handle and possibly discard...
CVE-2023-34036
CVE-2023-34036 affects reactive Spring WebFlux applications that use Spring HATEOAS to generate hypermedia links. The root cause is improper handling of forwarded headers (Forwarded, X-Forwarded-Host/Port/Proto) by the application stack, which can allow spoofing if there is no trusted proxy or ad...
Spring HATEOAS 安全漏洞
Spring Framework is the U.S. Spring team of a set of open source Java, JavaEE application framework. The framework helps developers build high-quality applications . A security vulnerability exists in Spring HATEOAS versions 1.5.4 and earlier, 2.0.4 and earlier, and 2.1.0, which stems from the fa...
Context Propagation with Project Reactor 3 - Unified Bridging between Reactive and Imperative
This post is a part of a series: 1. The Basics 2. The bumpy road of Spring Cloud Sleuth 3. Unified Bridging between Reactive and Imperative We concluded the last article with the thought that Spring Cloud Sleuth’s MANUAL context propagation strategy is both performant and provides correct...
Context Propagation with Project Reactor 2 - The bumpy road of Spring Cloud Sleuth
This post is a part of a series: 1. The Basics 2. The bumpy road of Spring Cloud Sleuth 3. Unified Bridging between Reactive and Imperative Spring Cloud Sleuth recently became Micrometer Tracing, part of the Micrometer project. Most of the tracing instrumentation is centered within Micrometer und...
Microsoft Incident Response Retainer is generally available
The task of securing organizations is constantly changing and getting more complex. Many organizations don’t have the time, resources, or expertise to build an in-house incident response program. For customers that want help remediating an especially complex breach or avoiding one altogether,...
Microsoft Incident Response Retainer is generally available
The task of securing organizations is constantly changing and getting more complex. Many organizations don’t have the time, resources, or expertise to build an in-house incident response program. For customers that want help remediating an especially complex breach or avoiding one altogether,...
Context Propagation with Project Reactor 1 - The Basics
This post is a part of a series: 1. The Basics 2. The bumpy road of Spring Cloud Sleuth 3. Unified Bridging between Reactive and Imperative Spring Boot 3 and Spring Framework 6 brought us a unified and consistent way to enable Observability in applications that use Micrometer. The evolution from...
This Week in Spring - March 21st, 2023
Hi, Spring fans! Welcome to another rip roaring installment of This Week in Spring! It's March 21st and today they announced Java 20! It's an exciting time to be a Java developer. Java 20, of course, is just another amazing installment before Java 21, which comes out in six short months, includin...
This Week in Spring - March 7th, 2023
Hi, Spring fans! Welcome to another installment of This Week in Spring! It's an amazing week, and this week we've got a lot to look at. Let's dive right into it. Spring Cloud Function for Azure Function Spring Data 2022.0.3 and 2021.2.9 released Spring R2DBC for Reactive Relational Databases in...
Information Disclosure
resteasy-reactive-common is vulnerable to Information Disclosure. The vulnerability exists because the readFrom function in FileBodyHandler.java creates a temporary file with insecure permissions, which allows a local user to read the temporary file created...
br.com.labbs:quarkus-monitor-reactive (=1.0.4), br.com.labbs:quarkus-monitor-reactive-deployment (=1.0.4) +276 more potentially affected by CVE-2023-0481 via io.quarkus.resteasy.reactive:resteasy-reactive-common (>=1.11.0.Beta1 <=3.0.0.Alpha3)
io.quarkus.resteasy.reactive:resteasy-reactive-common MAVEN version =1.11.0.Beta1, =1.0.2, =1.0.2, =1.0.2, =1.3.2, =1.0.132, =1.0.132, =1.0.133, =1.0.42, =1.0.42, =1.0.42, =1.3.2, =1.0.22, =1.0.22, =1.3.3 and more Source cves: CVE-2023-0481 Source advisory: OSV:GHSA-J75R-VF64-6RRH...
RestEasy Reactive implementation of Quarkus allows Creation of Temporary File With Insecure Permissions
In RestEasy Reactive implementation of Quarkus the insecure File.createTempFile is used in the FileBodyHandler class which creates temp files with insecure permissions that could be read by a local user...
CVE-2023-0481
In RestEasy Reactive implementation of Quarkus the insecure File.createTempFile is used in the FileBodyHandler class which creates temp files with insecure permissions that could be read by a local user...
CVE-2023-0481
In RestEasy Reactive implementation of Quarkus the insecure File.createTempFile is used in the FileBodyHandler class which creates temp files with insecure permissions that could be read by a local user...
Malicious Package
Overview reactive-cashflow is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this package...
CVE-2023-0481
In RestEasy Reactive implementation of Quarkus the insecure File.createTempFile is used in the FileBodyHandler class which creates temp files with insecure permissions that could be read by a local user...
This Week in Spring - December 13th, 2022
Hi, Spring fans! Welcome to another installment of This Week in Spring! I truly, absolutely, can not believe that were nearly done with the year already! Have you made your new years resolutions? Submitted your expense reports? Its that time of the year when Im going to start focusing on staying...
Jenkins Active Choices Plugin Cross-Site Scripting (CVE-2021-21699)
A stored cross-site scripting vulnerability exists in Jenkins Active Choices Plugin. This vulnerability is due to insufficient validation of parameter name of reactive parameters and dynamic reference parameters...
Malicious code in reactive-cashflow (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 329d1725ab9b283eb626b5066e0e9412decaa5422ffefd48dc5b3ab77c20562d Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...