
vulnersOsv
added 2022/05/13 1:2 a.m., 5 views

com.github.paulcwarren:content-rest-spring-boot-starter (>=0.5.0 <=0.6.0), com.github.paulcwarren:spring-content-rest (>=0.5.0 <=0.6.0) +8 more potentially affected by CVE-2017-8046 via org.springframework.data:spring-data-rest-core (>=3.0.0.RELEASE <=3.0.14.RELEASE)

org.springframework.data:spring-data-rest-core MAVEN version =3.0.0.RELEASE, =0.5.0, =0.5.0, =0.5.0, =0.0.1-RELEASE, =1.0.7, =2.0.5.RELEASE, =3.0.0.RELEASE, =3.0.0.RELEASE, =3.0.14.RELEASE Source cves: CVE-2017-8046 Source advisory: OSV:GHSA-9QF9-28H9-HQCJ...

CVSS 9.8, AI score 7.2, EPSS 0.72782
Exploits 6
Github Security Blog
added 2022/05/13 1:2 a.m., 35 views

Remote code execution in PATCH requests in Spring Data REST

Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 Ingalls SR9, versions prior to 3.0.1 Kay SR1 can use specially crafted JSON data to run arbitrary Java code...

CVSS 9.8, AI score 5.9, EPSS 0.72782
Exploits 6, References 8, Affected Software 1
OSV
added 2022/05/13 1:2 a.m., 19 views

GHSA-9QF9-28H9-HQCJ Remote code execution in PATCH requests in Spring Data REST

Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 Ingalls SR9, versions prior to 3.0.1 Kay SR1 can use specially crafted JSON data to run arbitrary Java code...

CVSS 9.8, AI score 9.3, EPSS 0.72782
Exploits 6, References 8
Tenable Nessus
added 2022/05/05 12:0 a.m., 91 views

Spring Data Commons < 1.13.11 / 2.x < 2.0.6 RCE

The version of Spring Data Commons installed on the remote host is affected by a remote code execution vulnerability. Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions, contain a property binder vulnerability caused by improper neutralization of...

CVSS 9.8, AI score 9, EPSS 0.95649
Exploits 9, References 2
Spring Security Advisories
added 2022/05/03 6:0 p.m., 17 views

This Week in Spring - May 3rd, 2022

Hi, Spring fans! Welcome to another installment of This Week in Spring! How are you doin'? I'm excited! This week I'm speaking at the ArabJUG, and I'll be speaking at Microsoft's huuuge JDConf event. Both of these are virtual. Then, next Monday, I'm on a plane bound for London, UK, where I'll be speakin...

AI score 7
Exploits 0
Spring Security Advisories
added 2022/05/03 12:3 a.m., 21 views

Ever wanted to rewrite a query in Spring Data JPA?

Sometimes, no matter how many features you try to apply, it seems impossible to get Spring Data JPA to apply everything you'd like to a query before it is sent to the EntityManager. With 3.0.0-SNAPSHOT and targeted for the next milestone release train of Spring Data, you now have the ability to g...

AI score 0.3
Exploits 0
Spring Security Advisories
added 2022/04/19 7:0 p.m., 117 views

This Week in Spring - April 19th, 2022

Hi, Spring fans! Welcome to another installment of This Week in Spring! It's been quite the week since we last talked! I flew to Atlanta, GA, for my first in-person show since the pandemic - Devnexus 2022. I loved the experience! Hopefully, the only souvenirs I'll have are the amazing memories and...

CVSS 5, AI score 0.5, EPSS 0.05413
Exploits 2
CISA KEV Catalog
added 2022/03/25 12:0 a.m., 28 views

VMware Tanzu Spring Data Commons Property Binder Vulnerability

Spring Data Commons contains a property binder vulnerability which can allow an attacker to perform remote code execution...

CVSS 9.8, AI score 4.5, EPSS 0.95649
In wild, Exploits 9
NVD
added 2021/10/28 4:15 p.m., 16 views

CVE-2021-22047

In Spring Data REST versions 3.4.0 - 3.4.13, 3.5.0 - 3.5.5, and older unsupported versions, HTTP resources implemented by custom controllers using a configured base API path and a controller type-level request mapping are additionally exposed under URIs that can potentially be exposed for...

CVSS 5.3, EPSS 0.00746
Exploits 0, References 1
OSV
added 2021/10/28 4:15 p.m., 5 views

CVE-2021-22047

In Spring Data REST versions 3.4.0 - 3.4.13, 3.5.0 - 3.5.5, and older unsupported versions, HTTP resources implemented by custom controllers using a configured base API path and a controller type-level request mapping are additionally exposed under URIs that can potentially be exposed for...

CVSS 5.3, AI score 5.8, EPSS 0.00746
Exploits 0, References 1
Prion
added 2021/10/28 4:15 p.m., 24 views

Design/Logic Flaw

In Spring Data REST versions 3.4.0 - 3.4.13, 3.5.0 - 3.5.5, and older unsupported versions, HTTP resources implemented by custom controllers using a configured base API path and a controller type-level request mapping are additionally exposed under URIs that can potentially be exposed for...

CVSS 4.3, AI score 5.6, EPSS 0.00746
Exploits 0, References 1, Affected Software 1
CVE
added 2021/10/28 3:21 p.m., 109 views

CVE-2021-22047

CVE-2021-22047 affects Spring Data REST: HTTP resources implemented by custom controllers using a configured base API path and a controller type-level request mapping are exposed under URIs that may be accessible without authorization, depending on Spring Security configuration. Impact is describe...

CVSS 5.3, AI score 5.6, EPSS 0.00746
Exploits 0, References 1, Affected Software 1
Cvelist
added 2021/10/28 3:21 p.m., 18 views

CVE-2021-22047

In Spring Data REST versions 3.4.0 - 3.4.13, 3.5.0 - 3.5.5, and older unsupported versions, HTTP resources implemented by custom controllers using a configured base API path and a controller type-level request mapping are additionally exposed under URIs that can potentially be exposed for...

AI score 5.6, EPSS 0.00746
Exploits 0, References 1
CNNVD
added 2021/10/28 12:0 a.m., 4 views

VMware Spring Security security vulnerability

VMware Spring Security is a set of security frameworks from VMware that provide illustrative security protections for Spring-based applications. A security vulnerability exists in Spring Data REST that stems from the additional disclosure of HTTP resources under the URI for custom controller...

CVSS 5.3, AI score 5.7, EPSS 0.00746
Exploits 0, References 2
Spring Security Advisories
added 2021/10/26 12:0 a.m., 3 views

Potential Security Bypass for customized Spring Data REST Resource

In Spring Data REST versions 3.4.0 - 3.4.13, 3.5.0 - 3.5.5, and older unsupported versions, HTTP resources implemented by custom controllers using a configured base API path and a controller type-level request mapping are additionally exposed under URIs that can potentially be exposed for...

CVSS 5.3, AI score 6.1, EPSS 0.00746
Exploits 0, References 1
Gitee
added 2021/09/15 11:52 p.m., 5 views

Exploit for Code Injection in Pivotal_Software Spring_Data_Commons

Based on the provided code and metadata, here is a description of the repository and its contents: Repository: This repository appears to be a Maven wrapper for the Apache Maven project, specifically version 3.5.3. The repository contains metadata and configuration files for the Maven wrapper,...

CVSS 9.8, AI score 9.1, EPSS 0.95649
Exploits 9
Gitee
added 2021/04/11 11:34 a.m., 17 views

Exploit for Code Injection in Pivotal_Software Spring_Data_Commons

Zhengjim - Vulnerability reproduction. Setting up vulnerable environments is a tedious job, so here I keep notes on how I built the various environments while learning. Some of them use Vulhub, an open-source vulnerability range for the general public, to build the environment, which is fairly convenient. (Mainly laziness!) Vulnerabilities: 1. S2-057 command execution vulnerability 2. ghostscript command execution vulnerability 3. WebLogic deserialization vulnerability CVE-2018-2628 4. Elasticsearch-Kibana local file inclusion vulnerability CVE-2018-17246 5. ThinkPHP 5.x command execution vulnerability 6. WordPress REST API content injection vulnerability 7. Git vulnerability allowing arbitrary code execution CVE-2018-17456 8. Apache...

CVSS 10, AI score 7.1, EPSS 0.99913
Exploits 160
RedHat Linux
added 2020/07/28 3:54 p.m., 114 views

Important: Red Hat Security Advisory: Red Hat Fuse 7.7.0 release and security update

A minor version update from 7.6 to 7.7 is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring...

CVSS 10, AI score 7.2, EPSS 0.58373
Exploits 16, References 50
RedHat Linux
added 2020/07/28 3:54 p.m., 3 views

spring-data-jpa: Additional information exposure with Spring Data JPA derived queries

This affects Spring Data JPA in versions up to and including 2.1.5, 2.0.13 and 1.11.19. Derived queries using any of the predicates ‘startingWith’, ‘endingWith’ or ‘containing’ could return more results than anticipated when a maliciously crafted query parameter value is supplied. Also, LIKE...

CVSS 5.3, AI score 5.8, EPSS 0.01087
Exploits 0, References 4
RedHat Linux
added 2020/03/26 3:46 p.m., 125 views

Important: Red Hat Security Advisory: Red Hat Fuse 7.6.0 security update

A minor version update from 7.5 to 7.6 is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring...

CVSS 9.8, AI score 7.8, EPSS 0.87806
Exploits 8, References 27