377 matches found
CVE-2022-31679
Applications that allow HTTP PATCH access to resources exposed by Spring Data REST in versions 3.6.0 - 3.5.5, 3.7.0 - 3.7.2, and older unsupported versions, if an attacker knows about the structure of the underlying domain model, they can craft HTTP requests that expose hidden entity attributes...
Code injection
Applications that allow HTTP PATCH access to resources exposed by Spring Data REST in versions 3.6.0 - 3.5.5, 3.7.0 - 3.7.2, and older unsupported versions, if an attacker knows about the structure of the underlying domain model, they can craft HTTP requests that expose hidden entity attributes...
CVE-2022-31679
CVE-2022-31679 affects VMware Spring Data REST. The issue allows an attacker who knows the domain model to craft HTTP PATCH requests that expose hidden entity attributes. Affected versions include Spring Data REST 3.5.5 and older, 3.6.0–3.6.6, and 3.7.0–3.7.2. The central root cause is improper h...
PT-2022-20886 · Spring · Spring Data Rest
Name of the Vulnerable Software and Affected Versions: Spring Data REST versions 3.5.5 and earlier; Spring Data REST versions 3.6.0 through 3.6.6; Spring Data REST versions 3.7.0 through 3.7.2. Description: The issue allows attackers to expose hidden entity attributes by crafting HTTP requests, if...
VMware Spring Data REST Security Vulnerability
VMware Spring Data REST is a data interface from VMware, Inc. It is used to build on top of the Spring Data repository, analyze an application's domain model, and expose hypermedia-driven HTTP resources for aggregations contained in the model. A security vulnerability exists in VMware Spring Data...
Spring Data REST Vulnerability (CVE-2022-31679)
Updates - 09-19 Vulnerability announced here and Spring Data REST 3.6.7 and 3.7.3 released - 09-19 Blog post updated to refer to the CVE report published The Spring Data 2021.1.7 and 2021.2.3 releases shipped on September 19th contained releases for Spring Data REST 3.6.7 and 3.7.3 which include...
Potential Unintended Data Exposure for Resource Exposed by Spring Data REST
Applications that allow HTTP PATCH access to resources exposed by Spring Data REST in versions 3.6.0 - 3.6.5, 3.7.0 - 3.7.2, and older unsupported versions, if an attacker knows about the structure of the underlying domain model, they can craft HTTP requests that expose hidden entity attributes...
This Week in Spring - September 5th, 2022
Hi, Spring fans! How are you? It's a fantastic Tuesday, the 5th of September, 2022, and I couldn't be happier. It's also Labor Day weekend here in the US. It marks the unofficial end of summer, which is a bit sad. But, on the upside, it's a four-day weekend for me! I'm technically off today. So, you'll...
How to integrate Hibernate's Multitenant feature with Spring Data JPA in a Spring Boot application
For quite some time now, Hibernate has offered a Multitenant feature. It integrates nicely with Spring, but there is not much information about how to actually set it up, so I thought an example or two or three could help. There is already an excellent blog article, but it is a little dated and i...
This Week in Spring - July 26th, 2022
Aloha, Spring fans! I'm on vacation, reporting to you from the paradise-like island of Maui, Hawaii, and hoping that you're having a wonderful day! My family and I love Hawaii. It's brimming with beauty and serenity, and while the island of Maui, in the state of Hawaii, is very small, the islands ar...
CVE-2022-22980
A flaw was found in the Spring Data MongoDB. This flaw allows an attacker to perform code injection when an application uses some annotations/query methods with Spring Expression Language SpEL expressions...
Spring Tips: Learn Spring for GraphQL (the last two episodes: parts 7 and 8)
Hi, Spring fans! In these installments, we continue our series introducing the Spring for GraphQL project. This series features Spring for GraphQL lead Rossen Stoyanchev @rstoya05 - whose work you may know from basically everything in the wide and wonderful world of Springdom having to do...
SpEL Injection in Spring Data MongoDB
A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized...
cn.airfei.air-core:core (=3.0.0), com.alpactech:mt-mongo (=1.0.0) +40 more potentially affected by CVE-2022-22980 via org.springframework.data:spring-data-mongodb (=3.4.0)
org.springframework.data:spring-data-mongodb MAVEN version =3.4.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.springframework.data:spring-data-mongodb and may be impacted: - cn.airfei.air-core:core =3.0.0 - com.alpactech:mt-mongo =1.0.0 -...
ai.platon.commons:distributed-lock-example (>=1.4.2 <=1.4.3), ai.platon.commons:distributed-lock-mongo (>=1.4.2 <=1.4.3) +1242 more potentially affected by CVE-2022-22980 via org.springframework.data:spring-data-mongodb (>=1.0.0.RELEASE <=3.3.4)
org.springframework.data:spring-data-mongodb MAVEN version =1.0.0.RELEASE, =1.4.2, =1.4.2, =1.6.6, =1.6.6, =0.0.1, =0.0.1, =0.9.1, =0.1.0, =0.1.0, =3.0.0.RELEASE, =1.1.13, =2.0.2 and more Source cves: CVE-2022-22980 Source advisory: OSV:GHSA-W24X-87MR-4R23...
GHSA-W24X-87MR-4R23 SpEL Injection in Spring Data MongoDB
A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized...
CVE-2022-22980
A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized...