This Week in Spring - March 29th, 2022
Aloha, Spring fans, from beautiful Maui, Hawaii, where I am with my family on a bit of vacation. It's our daughter's Spring break and so we're enjoying the family time while we can get it! I wanted to take a brief interlude in between the never-enough time on the beach and all the rum to get this...
Remote code execution in Spring Cloud Function by malicious Spring Expression
In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources...
An update on Java 17+ adoption
As a follow-up to my blog post from last years SpringOne, it is time for an update on our Java 17+ baseline efforts! We established the new baseline on our main branches, with a few milestones out already. The feedback has been very positive, not only in terms of framework improvements but also i...
CVE report published for Spring Framework
We have released Spring Framework 5.3.17 and Spring Framework 5.2.20 to address the following CVE report: CVE-2022-22950, Spring Expression DoS Vulnerability. Please review the information in the CVE report and upgrade immediately. Spring Boot users should upgrade to 2.5.11 or 2.6.5...
Spring Expression DoS Vulnerability
In Spring Framework versions 5.3.0 - 5.3.16, 5.2.0 - 5.2.19, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition...
A Bootiful Podcast: Event streaming guru Jan Svoboda on Apache Kafka Design Patterns
Hi, Spring fans! In this installment Josh Long (@starbuxman) talks to Jan Svoboda, event streaming guru at Confluent, the company behind Apache Kafka, about Apache Kafka design patterns. Kafka Summit London 2022 (April 25-26, London, UK) is at the end of April 2022; the Confluent...
Building Native Images with GraalVM and Spring Native on Apple's M1 Architecture
It finally happened! They did it! They did it just in time for me to get on the road and start building applications on the road with my shiny new laptop, too! JOY!! Oracle and the GraalVM team released GraalVM and the GraalVM native image capability for Apple M1! I've been waiting for this day fo...
Spring Cloud Gateway HTTP2 Insecure TrustManager
Applications using Spring Cloud Gateway that enable HTTP2 without configuring a key store or trusted certificates are configured to use an insecure TrustManager. This lets the gateway connect to remote services presenting invalid or custom certificates, so a TLS connection to a downstream service can be intercepted...
Spring Cloud Gateway Code Injection Vulnerability
Applications using Spring Cloud Gateway are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host...
Additional Log Injection in Spring Framework (follow-up to CVE-2021-22096)
In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. This is a follow-up to CVE-2021-22096 that protects against additional types of input and in more...
Spring-AMQP Remote Denial of Service - Out of Memory Error with a Large Message Body
The Spring AMQP Message object, in its toString method, will create a new String object from the message body, regardless of its size. This can cause an OOM Error with a large message body...
Spring Cloud Netflix Hystrix Dashboard template resolution vulnerability
Applications using both spring-cloud-netflix-hystrix-dashboard and spring-boot-starter-thymeleaf expose a way to execute code submitted within the request URI path during the resolution of view templates. When a request is made at /hystrix/monitor;user-provided data, the path elements following...
Spring Cloud Gateway Request Vulnerability
Applications using Spring Cloud Gateway are vulnerable to specifically crafted requests that could make an extra request on downstream services...
Potential Security Bypass for customized Spring Data REST Resource
In Spring Data REST versions 3.4.0 - 3.4.13, 3.5.0 - 3.5.5, and older unsupported versions, HTTP resources implemented by custom controllers using a configured base API path and a controller type-level request mapping are additionally exposed under URIs that can potentially be exposed for...
Zip-slip mitigation bypass in Spring Integration Zip extension
spring-integration-zip, versions prior to 1.0.4, exposes an arbitrary file write vulnerability that can be achieved using a specially crafted zip archive (affects other archives as well: bzip2, tar, xz, war, cpio, 7z) that holds path traversal filenames. So when the filename gets concatenated to...
RFD Protection Bypass via jsessionid
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter...
Hystrix Dashboard Proxy In spring-cloud-netflix-hystrix-dashboard
Spring Cloud Netflix, versions 2.2.x prior to 2.2.4, versions 2.1.x prior to 2.1.6, and older unsupported versions allow applications to use the Hystrix Dashboard proxy.stream endpoint to make requests to any server reachable by the server hosting the dashboard. A malicious user, or attacker, can...
Kryo Configuration Allows Code Execution with Unknown “Serialization Gadgets”
Spring Integration framework provides Kryo Codec implementations as an alternative for Java deserialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains malicious cod...
Jackson Configuration Allows Code Execution with Unknown “Serialization Gadgets”
When configured to enable default typing, Jackson contained a deserialization vulnerability that could lead to arbitrary code execution. Jackson fixed this vulnerability by blacklisting known "deserialization gadgets". Spring Batch configures Jackson with global default typing enabled which means...
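The setting the advisory describes, shown beside its allow-listed replacement. This is an added example, not Spring Batch's configuration or Jackson's own code; the application package `com.example.batch.` is an assumption, and the JSON is constructed to show that with default typing enabled the client, not the application, chooses the class Jackson instantiates.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example (not Spring Batch or Jackson code). Contrasts global default
// typing, as the advisory describes it, with a PolymorphicTypeValidator
// allow-list. Requires Jackson 2.10+ for activateDefaultTyping.
public final class DefaultTypingDemo {

    // Constructed input: with default typing (WRAPPER_ARRAY form), an
    // Object-typed value is written as ["fully.qualified.Class", value], so
    // whoever produces the JSON picks the class. java.util.TreeMap stands in
    // for a class on the classpath the application never intended to accept;
    // a real gadget chain would name a class with dangerous side effects.
    static final String CLIENT_CONTROLLED_JSON = "[\"java.util.TreeMap\", {\"k\":\"v\"}]";

    // WEAK: every non-final type is resolvable; the only defence is Jackson's
    // deny-list of already-known "serialization gadgets".
    @SuppressWarnings("deprecation")
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // HARDENED: default typing stays on (the stored metadata still relies on
    // it) but only sub-types under the allow-listed package resolve; anything
    // else is rejected before or after class loading with InvalidTypeIdException.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.batch.")  // assumed application package
            .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // Returns the runtime class the mapper was talked into instantiating, or
    // null when the validator refused the type id.
    static String classInstantiatedBy(ObjectMapper mapper, String json) throws Exception {
        try {
            Object value = mapper.readValue(json, Object.class);
            return value.getClass().getName();
        } catch (InvalidTypeIdException denied) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("weak mapper instantiated:     "
            + classInstantiatedBy(weakMapper(), CLIENT_CONTROLLED_JSON));
        System.out.println("hardened mapper instantiated: "
            + classInstantiatedBy(hardenedMapper(), CLIENT_CONTROLLED_JSON));
    }
}
```

The allow-list is the important half: a deny-list of gadgets, which is what the advisory says Jackson shipped, has to be updated every time a new gadget class is found, while `allowIfSubType` fails closed for any class outside the package you named.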
Directory Traversal with spring-cloud-config-server
Spring Cloud Config, versions 2.2.x prior to 2.2.3, versions 2.1.x prior to 2.1.9, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted UR...
Signature Wrapping Vulnerability with spring-security-saml2-service-provider
Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 contain a signature wrapping vulnerability during SAML response validation. When using the spring-security-saml2-service-provider component, a malicious user can carefully modify an otherwise valid SAML response and append an...
Dictionary attack with Spring Security queryable text encryptor
Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has...
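What a fixed null IV costs in CBC mode, as an added example that is not Spring Security's encryptor: with the IV constant, AES-CBC is deterministic, so equal plaintexts produce equal ciphertexts, plaintexts that share their first 16 bytes share their first ciphertext block, and anyone who can obtain ciphertexts for guessed values can match them against stored ones by simple equality. The key and plaintexts below are constructed; the real encryptor derives its key from a password and salt, which does not change the IV problem shown.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.List;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added example (not Spring Security code): deterministic AES-CBC with a
// fixed all-zero IV versus a fresh random IV per message.
public final class FixedIvCbcDemo {

    static final int BLOCK = 16;
    // Constructed demo key. Never hard-code a key in real code.
    static final byte[] KEY = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);
    // The fixed null IV the advisory describes.
    static final byte[] NULL_IV = new byte[BLOCK];

    static byte[] encryptCbc(byte[] iv, String plaintext) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(KEY, "AES"), new IvParameterSpec(iv));
        return c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
    }

    // Hardened: random IV per message, prepended so the receiver can decrypt.
    // Ciphertexts are no longer comparable, which is exactly why a "queryable"
    // encryptor cannot be both deterministic and safe against this attack.
    static byte[] encryptRandomIv(String plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[BLOCK];
        new SecureRandom().nextBytes(iv);
        byte[] ct = encryptCbc(iv, plaintext);
        byte[] out = new byte[BLOCK + ct.length];
        System.arraycopy(iv, 0, out, 0, BLOCK);
        System.arraycopy(ct, 0, out, BLOCK, ct.length);
        return out;
    }

    static boolean firstBlockEqual(byte[] a, byte[] b) {
        return Arrays.equals(a, 0, BLOCK, b, 0, BLOCK);
    }

    // Dictionary attack against a deterministic encryptor: the attacker
    // obtains the ciphertext of each candidate value (modelled here by
    // calling the encryptor, as an attacker who can submit values through
    // the application would) and matches stored ciphertexts by equality.
    static String dictionaryLookup(byte[] stored, List<String> candidates)
            throws GeneralSecurityException {
        for (String guess : candidates) {
            if (Arrays.equals(stored, encryptCbc(NULL_IV, guess))) {
                return guess;
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // "ssn=123-45-6789;" is exactly 16 bytes, so a and c share a first block.
        byte[] a = encryptCbc(NULL_IV, "ssn=123-45-6789;note=a");
        byte[] b = encryptCbc(NULL_IV, "ssn=123-45-6789;note=a");
        byte[] c = encryptCbc(NULL_IV, "ssn=123-45-6789;note=b");
        System.out.println("equal plaintext  -> equal ciphertext:  " + Arrays.equals(a, b));
        System.out.println("shared 16B prefix -> equal first block: " + firstBlockEqual(a, c));
        System.out.println("dictionary hit: "
            + dictionaryLookup(a, List.of("ssn=000-00-0000;note=a", "ssn=123-45-6789;note=a")));

        byte[] r1 = encryptRandomIv("ssn=123-45-6789;note=a");
        byte[] r2 = encryptRandomIv("ssn=123-45-6789;note=a");
        System.out.println("random IV, equal plaintext -> equal ciphertext: " + Arrays.equals(r1, r2));
    }
}
```

If you need to look records up by an encrypted field, the usual answer is a separate keyed hash (HMAC) of the plaintext stored as an index column, with the value itself encrypted under a random IV; the index still leaks equality, so treat that as a deliberate, documented trade-off rather than a property of the cipher mode.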
DoS Via Malformed URL with Reactor Netty HTTP Server
Reactor Netty HttpServer, versions 0.9.3 and 0.9.4, is exposed to a URISyntaxException that causes the connection to be closed prematurely instead of producing a 400 response...
Authentication Leak On Redirect With Reactor Netty HttpClient
Reactor Netty HttpClient, versions 0.9.x prior to 0.9.5, and versions 0.8.x prior to 0.8.16, may be used incorrectly, leading to a credentials leak during a redirect to a different domain. In order for this to happen, the HttpClient must have been explicitly configured to follow redirects...
Directory Traversal with spring-cloud-config-server
Spring Cloud Config, versions 2.2.x prior to 2.2.2, versions 2.1.x prior to 2.1.7, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted UR...
RFD Attack via “Content-Disposition” Header Sourced from Request Input by Spring MVC or Spring WebFlux Application
In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header in the response where the filename attribute is derived from use...
CSRF Attack via CORS Preflight Requests with Spring MVC or Spring WebFlux
Spring Framework, versions 5.2.x prior to 5.2.3, are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable because preflight requests should not inclu...
Reactor Netty Consumes a Vulnerable Version of Netty
Reactor Netty, versions 0.8.x prior to 0.8.13 and 0.9.x prior to 0.9.1, depends on vulnerable versions of Netty (prior to 4.1.42), which incorrectly handle whitespace before a colon in headers, leading to HTTP request smuggling attacks...
Reactor Netty authentication leak in redirects
Pivotal Reactor Netty, versions prior to 0.8.11, passes headers through redirects, including authorization ones. A remote unauthenticated malicious user may gain access to credentials for a different server than they have access to...
PlaintextPasswordEncoder authenticates encoded passwords that are null
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user ...
Directory Traversal with spring-cloud-config-server
Spring Cloud Config, versions 2.1.x prior to 2.1.2, versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a...
Additional information exposure with Spring Data JPA derived queries
This affects Spring Data JPA in versions up to and including 2.1.5, 2.0.13 and 1.11.19. Derived queries using any of the predicates ‘startingWith’, ‘endingWith’ or ‘containing’ could return more results than anticipated when a maliciously crafted query parameter value is supplied. Also, LIKE...
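How an unescaped `startingWith` parameter widens a LIKE query, and the escaping that closes it. This is an added example and not Spring Data code: a derived query such as `findByEmailStartingWith(prefix)` becomes `email LIKE ?1 || '%'`, and the demo stands in a small LIKE-to-regex translator for the database so it runs offline. The table of e-mails is constructed.

```java
import java.util.List;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

// Added example (not Spring Data JPA code). Shows why '%' and '_' supplied
// in a derived-query parameter must be escaped before they reach LIKE.
public final class LikeWildcardDemo {

    // Constructed rows for the demo.
    static final List<String> EMAILS = List.of(
        "alice@example.com", "al_ce@example.com", "bob@example.com", "admin@corp.example");

    // Translate a SQL LIKE pattern (escape character '\') to a regex so the
    // example needs no database. '%' is any run, '_' is one character.
    static Pattern likeToRegex(String like) {
        StringBuilder re = new StringBuilder("^");
        for (int i = 0; i < like.length(); i++) {
            char ch = like.charAt(i);
            if (ch == '\\' && i + 1 < like.length()) {
                re.append(Pattern.quote(String.valueOf(like.charAt(++i))));  // escaped literal
            } else if (ch == '%') {
                re.append(".*");
            } else if (ch == '_') {
                re.append('.');
            } else {
                re.append(Pattern.quote(String.valueOf(ch)));
            }
        }
        return Pattern.compile(re.append('$').toString());
    }

    // The fix: escape the LIKE metacharacters and the escape character itself
    // in the bound value, so the user's text matches only literally.
    static String escapeLike(String s) {
        return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_");
    }

    // Models findByEmailStartingWith(userInput): the parameter is appended
    // with a trailing '%' and evaluated as a LIKE pattern.
    static List<String> startingWith(String userInput, boolean escape) {
        String param = escape ? escapeLike(userInput) : userInput;
        Pattern p = likeToRegex(param + "%");
        return EMAILS.stream().filter(e -> p.matcher(e).matches()).collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // A caller supplies "%" as the prefix: unescaped, every row matches.
        System.out.println("unescaped '%'     -> " + startingWith("%", false));
        System.out.println("escaped   '%'     -> " + startingWith("%", true));
        // "_" is a single-character wildcard, so "al_ce" also picks up "alice".
        System.out.println("unescaped 'al_ce' -> " + startingWith("al_ce", false));
        System.out.println("escaped   'al_ce' -> " + startingWith("al_ce", true));
    }
}
```

The same escaping applies to `endingWith` and `containing`, which wrap the parameter in `%` on the other side or both sides; the escape character you choose must also be declared to the database in the `LIKE ... ESCAPE` clause, since not every dialect treats `\` as the default.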
Insecure Randomness When Using a SecureRandom Instance Constructed by Spring Security
Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make...
Open Redirector in spring-security-oauth2
Spring Security OAuth, versions 2.3 prior to 2.3.5, 2.2 prior to 2.2.4, 2.1 prior to 2.1.4, 2.0 prior to 2.0.17, and older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request t...
XML External Entity Injection (XXE)
Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources...
XML External Entity Injection (XXE)
Spring Batch versions 3.0.9, 4.0.1, 4.1.0, and older unsupported versions, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources...
XML External Entity Injection (XXE)
Spring Integration spring-integration-xml and spring-integration-ws modules, versions 4.3.18, 5.0.10, 5.1.1, and older unsupported versions, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources...
Authorization Bypass During JWT Issuer Validation with spring-security
Spring Security versions 5.1.x prior to 5.1.2 contain an authorization bypass vulnerability during JWT issuer validation. In order to be impacted, the same private key for an honest issuer and a malicious user must be used when signing JWTs. In that case, a malicious user could fashion signed JWT...
Privilege Escalation in spring-security-oauth2
Spring Security OAuth, versions 2.3 prior to 2.3.4, and 2.2 prior to 2.2.3, and 2.1 prior to 2.1.3, and 2.0 prior to 2.0.16, and older unsupported versions could be susceptible to a privilege escalation under certain conditions. A malicious user or attacker can craft a request to the approval...
DoS Attack via Range Requests
Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controll...
Cross Site Tracing (XST) with Spring Framework
Spring Framework versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions allow web applications to change the HTTP request method to any HTTP method including TRACE using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS...
JSONP enabled by default in MappingJackson2JsonView
Spring Framework, versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers, and MappingJackson2JsonView for browse...
Unsafe Unzip with spring-integration-zip
spring-integration-zip, versions prior to 1.0.2, exposes an arbitrary file write vulnerability that can be achieved using a specially crafted zip archive (affects other archives as well: bzip2, tar, xz, war, cpio, 7z) that holds path traversal filenames. So when the filename gets concatenated to...
Unauthorized Access with Spring Security Method Security
Spring Security in combination with Spring Framework 5.0.5.RELEASE contain an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted...
Remote Code Execution with spring-security-oauth2
Spring Security OAuth, versions 2.3 prior to 2.3.3 and 2.2 prior to 2.2.2 and 2.1 prior to 2.1.2 and 2.0 prior to 2.0.15 and older unsupported versions, contains a remote code execution vulnerability. A malicious user or attacker can craft an authorization request to the authorization endpoint th...
Unsafe Unzip with spring-integration-zip
spring-integration-zip, versions prior to 1.0.1, exposes an arbitrary file write vulnerability that can be achieved using a specially crafted zip archive (affects other archives as well: bzip2, tar, xz, war, cpio, 7z) that holds path traversal filenames. So when the filename gets concatenated to...
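The concatenation all three spring-integration-zip advisories above (1.0.1, 1.0.2 and the 1.0.4 mitigation bypass) describe, beside the check that stops it. This is an added example, not spring-integration-zip's code: the unsafe path resolution is shown next to a normalize-then-containment check, and the archive is constructed in memory so the example runs offline. The zip format is used for brevity; the same check applies to the other archive types the advisories list.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

// Added example (not spring-integration-zip code): zip-slip, i.e. an entry
// name containing ".." escaping the extraction directory when it is simply
// concatenated onto it, and the containment check that rejects it.
public final class ZipSlipDemo {

    // VULNERABLE: the entry name is joined to the target directory as-is, so
    // "../../escaped.txt" resolves to a path outside targetDir.
    static Path unsafeResolve(Path targetDir, String entryName) {
        return targetDir.resolve(entryName);
    }

    // HARDENED: normalize both sides, then require the result to stay strictly
    // inside the target directory. Normalizing before the startsWith check is
    // what defeats "a/../../x" style names that a naive ".." scan would miss.
    static Path safeResolve(Path targetDir, String entryName) throws IOException {
        Path root = targetDir.toAbsolutePath().normalize();
        Path target = root.resolve(entryName).normalize();
        if (!target.startsWith(root) || target.equals(root)) {
            throw new IOException("zip-slip entry rejected: " + entryName);
        }
        return target;
    }

    // Extracts every entry through safeResolve; a traversal name aborts extraction.
    static int extract(InputStream archive, Path targetDir) throws IOException {
        int written = 0;
        try (ZipInputStream zin = new ZipInputStream(archive)) {
            ZipEntry entry;
            while ((entry = zin.getNextEntry()) != null) {
                Path out = safeResolve(targetDir, entry.getName());
                if (entry.isDirectory()) {
                    Files.createDirectories(out);
                } else {
                    Files.createDirectories(out.getParent());
                    Files.copy(zin, out, StandardCopyOption.REPLACE_EXISTING);
                    written++;
                }
                zin.closeEntry();
            }
        }
        return written;
    }

    // Constructed archive: one benign entry followed by one traversal entry.
    static byte[] maliciousArchive() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            zos.putNextEntry(new ZipEntry("readme.txt"));
            zos.write("hello".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
            zos.putNextEntry(new ZipEntry("../../escaped.txt"));
            zos.write("outside the target directory".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("extract");
        System.out.println("target dir:      " + dir);
        System.out.println("unsafe resolves: " + unsafeResolve(dir, "../../escaped.txt").normalize());
        try {
            extract(new ByteArrayInputStream(maliciousArchive()), dir);
        } catch (IOException e) {
            System.out.println("hardened:        " + e.getMessage());
        }
    }
}
```

Two details matter in practice: check the normalized absolute path, not the raw entry name, and treat a rejected entry as a reason to abort and discard the whole archive rather than skipping the one entry, since a crafted archive rarely carries only one.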
Issuer validation regression in Spring Cloud SSO Connector
Spring Cloud SSO Connector, version 2.1.2, contains a regression which disables issuer validation in resource servers that are not bound to the SSO service. In PCF deployments with multiple SSO service plans, a remote attacker can authenticate to unbound resource servers which use this version of...
Remote Code Execution with spring-messaging
Spring Framework, versions 5.0.x prior to 5.0.5 and versions 4.3.x prior to 4.3.16, and older unsupported versions allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user or attacker can craft a messag...
Directory Traversal with Spring MVC on Windows
Spring Framework versions 5.0 to 5.0.4, 4.3 to 4.3.14, and older unsupported versions allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a...
Stored XSS in file upload of Spring Batch Admin
Cross-site scripting (XSS) vulnerability in the file upload feature of Spring Batch Admin allows a remote attacker to inject arbitrary web script or HTML via a crafted request related to the file upload functionality...