K27053426: Spring data XML vulnerability CVE-2018-1259

Security Advisory Description Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library...

This Week in Spring - February 21, 20223

Hi, Spring fans! Welcome to another installment of This Week in Spring! How're you? I almost forgot today was Tuesday! Here in the US, we had a three day weekend for President's day, and also I've been streaming for a few hours every day or almost every day on my little YouTube channel so the day...

SUSE CVE-2017-8046

Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 Ingalls SR9, versions prior to 3.0.1 Kay SR1 and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code...

Spring Cloud Azure 5.0 is now Generally Available

Were very pleased to announce that Spring Cloud Azure 5.0 is now generally available. This major release includes the following features, improvements, and documentation updates: Compatible with Spring Boot 3 and Spring Cloud 2022.0.0 Supports Passwordless Connections Updated Azure for Spring...

Spring Cloud Azure 5.0 is now Generally Available

We're very pleased to announce that Spring Cloud Azure 5.0 is now generally available. This major release includes the following features, improvements, and documentation updates: Compatible with Spring Boot 3 and Spring Cloud 2022.0.0 Supports Passwordless Connections Updated Azure for Spring...

Spring Cloud Azure 5.0 is now Generally Available

We're very pleased to announce that Spring Cloud Azure 5.0 is now generally available. This major release includes the following features, improvements, and documentation updates: Compatible with Spring Boot 3 and Spring Cloud 2022.0.0 Supports Passwordless Connections Updated Azure for Spring...

This Week in Spring - SpringOne Essentials 2023 edition - January 24th, 2023

Hi, Spring fans! Welcome to another installment of This Week in Spring! Today is a very day for you see, today we kick off SpringOne Essentials, the online incarnation of SpringOne, online. Well see you live, on stream, in just a few hours!. SpringOne Essentials is going to be amazing, but before...

This Week in Spring - SpringOne Essentials 2023 edition - January 24th, 2023

Hi, Spring fans! Welcome to another installment of This Week in Spring! Today is a very day for you see, today we kick off SpringOne Essentials, the online incarnation of SpringOne, online. We'll see you live, on stream, in just a few hours!. SpringOne Essentials is going to be amazing, but befor...

This Week in Spring - January 17th, 2023

Hi, Spring fans! Welcome to another installment of This Week in Spring! I went to Helsinki, Finland, last week, and this week Im in Atlanta, Georgia, to speak at the Atlanta Java User Group. And, of course, next week, Ill be in New York to join a viewing party for the airing of SpringOne...

This Week in Spring - January 17th, 2023

Hi, Spring fans! Welcome to another installment of This Week in Spring! I went to Helsinki, Finland, last week, and this week I'm in Atlanta, Georgia, to speak at the Atlanta Java User Group. And, of course, next week, I'll be in New York to join a viewing party for the airing of SpringOne...

Security Bulletin: IBM Planning Analytics Workspace is affected by vulnerabilities in Node.js and Spring Data MongoDB

Summary IBM Planning Analytics Workspace is affected by vulnerabilties in Node.js and Spring Data MongoDB CVE-2022-32212, CVE-2022-32213, CVE-2022-32223, CVE-2022-32214, CVE-2022-32222, CVE-2022-32215, CVE-2022-22980 Vulnerability Details CVEID:CVE-2022-32212 DESCRIPTION: Node.js could allow a...

The vulnerability of the SimpleEvaluationContext class in the Spring Data Commons data management platform and the Spring Data REST framework for creating web services allows a attacker to execute arbitrary code.

The vulnerability of the SimpleEvaluationContext class in the Spring Data Commons data management platform and the Spring Data REST web framework is related to insufficient validation of input data. Exploiting this vulnerability allows an attacker to execute arbitrary code by sending specially...

This Week in Spring - November 8th, 2022

Hi, Spring fans! Welcome to another installment of This Week in Spring! Ive been busy this last week! Ive been visiting with customers and talking to the community here in South East Asia. I was in Malaysia last week, and now Im in Bangkok, Thailand. Im near the end of my time here in SE Asia,...

This Week in Spring - October 18th, 2022

Hi, Spring fans! Howre you doin? Im doin alright! Last week I was in Antwerp, Belgium, for the amazing Devoxx BE show. I did a presentation with my friend and hero James Ward on Spring and Kotlin that was voted third most-liked talk at a show with more than 250 speakers! That was a personal caree...

Spring at JavaOne 2022

Hi, Spring fans! Its Sunday the 16th of October as I write this and Im winging my way to sunny Las Vegas, Nevada, where Ill be attending and presenting at the first JavaOne show in years! It didnt exist as the JavaOne we know and love for years, even before the pandemic interrupted life as we kno...

Information Disclosure

spring-data-rest-webmvc is vulnerable to information disclosure. The vulnerability exists due to the improper implementation of the JSON patch in the library, allowing an attacker to get information about the hidden entity attributes through maliciously crafted HTTP requests...

Spring Data REST can expose hidden entity attributes

Applications that allow HTTP PATCH access to resources exposed by Spring Data REST in versions 3.6.0 - 3.6.6, 3.7.0 - 3.7.2, and older unsupported versions, if an attacker knows about the structure of the underlying domain model, they can craft HTTP requests that expose hidden entity attributes...

ai.apiverse:apipulse (=1.0.1), com.contentgrid.spring:contentgrid-spring-boot-starter (>=0.4.2 <=0.6.1) +53 more potentially affected by CVE-2022-31679 via org.springframework.data:spring-data-rest-core (>=3.7.0 <=3.7.2)

org.springframework.data:spring-data-rest-core MAVEN version =3.7.0, =0.4.2, =0.4.2, =0.4.2, =5.12.1, =2.4.0, =2.4.0, =2.4.0, =3.0.3, =3.0.3, =3.0.3, =3.0.3, =3.0.3, =3.0.3, =3.1.0 - com.okta.spring.examples:okta-spring-boot-hosted-code-flow-example =2.1.6 and more Source cves: CVE-2022-31679...

app.commerce-io:spring-boot-starter-data-search-jpa (=1.3.0), be.personify.iam:personify-api (>=1.3.2.RELEASE <=1.4.4.RELEASE) +42 more potentially affected by CVE-2022-31679 via org.springframework.data:spring-data-rest-core (>=3.6.0 <=3.6.6)

org.springframework.data:spring-data-rest-core MAVEN version =3.6.0, =1.3.2.RELEASE, =1.3.1.RELEASE, =1.3.1.RELEASE, =1.2.6.RELEASE, =0.3.0, =0.3.0, =0.3.0, =1.2.7, =1.2.7, =1.2.7, =3.0.0, =3.0.0, =3.0.0, =3.0.2 and more Source cves: CVE-2022-31679 Source advisory: OSV:GHSA-FV7X-V67W-CVQV...

GHSA-FV7X-V67W-CVQV Spring Data REST can expose hidden entity attributes

Applications that allow HTTP PATCH access to resources exposed by Spring Data REST in versions 3.6.0 - 3.6.6, 3.7.0 - 3.7.2, and older unsupported versions, if an attacker knows about the structure of the underlying domain model, they can craft HTTP requests that expose hidden entity attributes...