1711 matches found

Positive Technologies · added 2023/03/20 12:0 a.m. · 6 views

PT-2023-2259 · Spring +1 · Spring Mvc +3

Name of the Vulnerable Software and Affected Versions: Spring Framework versions 5.3.0 through 5.3.25 Spring Framework versions 6.0.0 through 6.0.6 Description: The issue is related to a mismatch in pattern matching between Spring Security and Spring MVC when using "" as a pattern in Spring...

CVSS 7.8 · AI score 6 · EPSS 0.56284
Exploits 1 · References 20

Spring Engineering · added 2023/03/17 12:0 a.m. · 32 views

Kotlin DSLs in the world of Springdom

Kotlin is a beautiful language that makes it trivial to take old Java libraries and make them much more concise, just by virtue of the Kotlin syntax itself. It shines, however, when you write DSLs. Here's some inside baseball for you: the Spring teams do their level-headed best to be cohesive, to...

AI score 7.3
Exploits 0

Spring Engineering · added 2023/03/09 12:0 a.m. · 12 views

A Bootiful Podcast: Google Cloud Java Advocate Aaron Wanjala

Hi, Spring fans! In this installment, Josh Long @starbuxman talks to Google Cloud Java advocate Aaron Wanjala @AaronMDubya about Spring Framework for Google Cloud...

AI score 1.5
Exploits 0

Tenable Nessus · added 2023/03/09 12:0 a.m. · 58 views

Atlassian Jira < 9.6.0 Multiple Vulnerabilities

According to its self-reported version number, the instance of Atlassian Jira hosted on the remote web server is prior to 9.6.0. It is, therefore, affected by multiple vulnerabilities: - An issue in the underlying Spring framework which permits an authenticated attacker to perform a STOMP over...

CVSS 6.5 · AI score 7.2 · EPSS 0.00247
Exploits 1 · References 3

IBM Security Bulletins · added 2023/03/01 8:5 p.m. · 35 views

Security Bulletin: IBM Cognos Command Center is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965)

Summary IBM Cognos Command Center is affected but not classified as vulnerable to a remote code execution in Spring Framework CVE-2022-22965 as it does not meet all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. Packaged as WAR in contrast to a Spring...

CVSS 9.8 · AI score 9.1 · EPSS 0.94428
Exploits 99 · Affected Software 1

F5 Networks · added 2023/02/21 7:57 p.m. · 296 views

K29042031: Multiple Spring Framework vulnerabilities

Security Advisory Description On April 5th, 2018, three new vulnerabilities were published in the popular Java web framework called Spring. Details on these vulnerabilities and exploit code are not yet available, and mitigation details may change if and when the exploit code is available. You can...

CVSS 9.8 · AI score 8.8 · EPSS 0.94284
Exploits 15

F5 Networks · added 2023/02/21 6:47 p.m. · 592 views

K11510688: Spring Framework (Spring4Shell) and Spring Cloud vulnerabilities CVE-2022-22965, CVE-2022-22950, and CVE-2022-22963

Security Advisory Description Spring Framework RCE Spring4Shell: CVE-2022-22965 A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution RCE via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the...

CVSS 9.8 · AI score 8.5 · EPSS 0.94462
Exploits 130

F5 Networks · added 2023/02/21 6:46 p.m. · 55 views

K18193959: Spring Framework vulnerability CVE-2018-1258

Security Advisory Description Spring Security in combination with Spring Framework versions prior to 5.0.6 contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted. CVE-2018-1258 Impact Traffix SD...

CVSS 8.8 · AI score 7.6 · EPSS 0.00265
Exploits 0

F5 Networks · added 2023/02/21 6:34 p.m. · 34 views

K31022653: Spring Framework vulnerability CVE-2018-1257

Security Advisory Description Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user or...

CVSS 6.5 · AI score 6.9 · EPSS 0.01176
Exploits 0

SUSE CVE · added 2023/02/15 4:54 a.m. · 3 views

SUSE CVE-2016-9878

An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks...

CVSS 7.5 · AI score 8.7 · EPSS 0.04927
Exploits 0 · References 3

SUSE CVE · added 2023/02/15 4:34 a.m. · 3 views

SUSE CVE-2018-1270

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user or attacker can craft a message to...

CVSS 9.8 · AI score 8.4 · EPSS 0.89954
Exploits 5 · References 2

SUSE CVE · added 2023/02/15 4:24 a.m. · 1 view

SUSE CVE-2018-15756

Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controlle...

CVSS 7.5 · AI score 7.4 · EPSS 0.20127
Exploits 0 · References 3

SUSE CVE · added 2023/02/15 3:28 a.m. · 4 views

SUSE CVE-2022-22968

In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the fiel...

CVSS 5.3 · AI score 6.6 · EPSS 0.2051
Exploits 2 · References 3

CNNVD · added 2023/02/14 12:0 a.m. · 6 views

ureport v2.2.9 code issue vulnerability

UReport is a high-performance pure Java reporting engine based on the Spring architecture that prepares complex Chinese reports and statements by iterating over cells. A security vulnerability exists in ureport version v2.2.9. An attacker exploits the vulnerability to execute arbitrary code by...

CVSS 7.8 · AI score 7.9 · EPSS 0.00221
Exploits 1 · References 5

IBM Security Bulletins · added 2023/02/10 8:5 p.m. · 103 views

Security Bulletin: IBM Sterling B2B Integrator is vulnerable to denial of service due to Spring Framework (CVE-2022-22970)

Summary IBM Sterling B2B Integrator has addressed the denial of service security vulnerability in Spring Framework shipped with the product. Vulnerability Details CVEID:CVE-2022-22970 DESCRIPTION: Vmware Tanzu Spring Framework is vulnerable to a denial of service, caused by a flaw in the handling...

CVSS 5.3 · AI score 6.9 · EPSS 0.00164
Exploits 1 · Affected Software 1

IBM Security Bulletins · added 2023/02/03 9:20 p.m. · 80 views

Security Bulletin: Vulnerabilities have been identified in Spring Framework, OpenSSL and Apache HTTP Server shipped with the DS8000 Hardware Management Console (HMC)

Summary The updates indicated below have been released to address the following vulnerabilities: Spring Framework CVE-2022-22965, OpenSSL vulnerabilities CVE-2022-0778, Apache HTTP Server CVE-2021-26691, CVE-2021-40438, CVE-2021-44790, and CVE-2021-20325. Vulnerability Details CVEID:CVE-2022-0778...

CVSS 10 · AI score 9.9 · EPSS 0.94432
Exploits 110 · Affected Software 3

Atlassian · added 2023/02/03 5:50 a.m. · 54 views

Jira Server/DC impacted by CVE-2022-22970 & CVE-2022-22971 via vulnerable version of Spring framework

Jira is not impacted and no action is required, as the vulnerability cannot be exploited. All Jira versions below 9.6 use an affected version of Spring Framework, which is why JRASERVER-74776 was published; however, Jira does not use the affected methods from Spring, hence it is not impacted:...

CVSS 6.5 · AI score 6.2 · EPSS 0.00247
Exploits 1

IBM Security Bulletins · added 2023/02/01 9:43 p.m. · 91 views

Security Bulletin: Vulnerability in Spring Framework affects IBM Process Mining and could allow a local attacker to execute arbitrary code on the system (CVE-2022-22965)

Summary There is a vulnerability in Spring Framework that could allow a local attacker to execute arbitrary code on the system. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability. The product is in an affected but not vulnerab...

CVSS 9.8 · AI score 8.9 · EPSS 0.94428
Exploits 99 · Affected Software 1

IBM Security Bulletins · added 2023/01/30 9:32 a.m. · 43 views

Security Bulletin: Vulnerabilities in Spring Framework affects IBM Common Licensing's Administration And Reporting Tool (ART) and its Agent (CVE-2022-22978, 220811)

Summary Security vulnerabilities have been addressed in IBM Common Licensing. In Spring Security versions 5.5.6 and 5.6.3 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. A fix is available to address the vulnerability...

CVSS 9.8 · AI score 9.3 · EPSS 0.90224
Exploits 6 · Affected Software 1

Tenable Nessus · added 2023/01/20 12:0 a.m. · 69 views

Oracle MySQL Enterprise Monitor (Jan 2023 CPU)

The versions of MySQL Enterprise Monitor installed on the remote host are affected by multiple vulnerabilities as referenced in the January 2023 CPU advisory. - Vulnerability in the MySQL Enterprise Monitor product of Oracle MySQL component: Monitoring: General Spring Security. Supported versions...

CVSS 9.8 · AI score 6.5 · EPSS 0.90224
Exploits 9 · References 6