6 results (0.006 seconds)

CVSS: 3.7EPSS: 0%CPEs: 5EXPL: 0

A vulnerability in VMware Tanzu Spring LDAP allows data exposure for case sensitive comparisons.This issue affects Spring LDAP: from 2.4.0 through 2.4.3, from 3.0.0 through 3.0.9, from 3.1.0 through 3.1.7, from 3.2.0 through 3.2.7, AND all versions prior to 2.4.0. The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in unintended columns from being queried Related to CVE-2024-38820 https://spring.io/security/cve-2024-38820 Una vulnerabilidad en VMware Tanzu Spring LDAP permite la exposición de datos para comparaciones que distinguen entre mayúsculas y minúsculas. Este problema afecta a Spring LDAP: de 2.4.0 a 2.4.3, de 3.0.0 a 3.0.9, de 3.1.0 a 3.1.7, de 3.2.0 a 3.2.7, Y todas las versiones anteriores a 2.4.0. El uso de String.toLowerCase() y String.toUpperCase() tiene algunas excepciones dependientes de la configuración regional que podrían provocar que se consulten columnas no deseadas. Relacionado con CVE-2024-38820 https://spring.io/security/cve-2024-38820 A vulnerability in Spring LDAP allows data exposure for case sensitive comparisons.This issue affects Spring LDAP: from 2.4.0 through 2.4.3, from 3.0.0 through 3.0.9, from 3.1.0 through 3.1.7, from 3.2.0 through 3.2.7, AND all versions prior to 2.4.0. The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in unintended columns from being queried Related to CVE-2024-38820 https://spring.io/security/cve-2024-38820 • https://spring.io/security/cve-2024-38829 • CWE-178: Improper Handling of Case Sensitivity •

CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0

spring-boot-actuator-logview 0.2.13 allows Directory Traversal to sibling directories via LogViewEndpoint.view. • https://github.com/lukashinsch/spring-boot-actuator-logview/issues/33 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1

A stored cross-site scripting (XSS) vulnerability via ResourceController.java in spring-boot-admin as of 20190710 allows attackers to execute arbitrary web scripts or HTML. Una vulnerabilidad de tipo cross-site scripting (XSS) almacenado por medio del archivo ResourceController.java en el parámetro spring-boot-admin a partir de 20190710, permite a atacantes ejecutar scripts web o HTML arbitrarios. • https://github.com/sail-y/spring-boot-admin/issues/7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.7EPSS: 94%CPEs: 1EXPL: 2

spring-boot-actuator-logview in a library that adds a simple logfile viewer as spring boot actuator endpoint. It is maven package "eu.hinsch:spring-boot-actuator-logview". In spring-boot-actuator-logview before version 0.2.13 there is a directory traversal vulnerability. The nature of this library is to expose a log file directory via admin (spring boot actuator) HTTP endpoints. Both the filename to view and a base folder (relative to the logging folder root) can be specified via request parameters. • https://github.com/xiaojiangxl/CVE-2021-21234 https://github.com/PwCNO-CTO/CVE-2021-21234 https://github.com/lukashinsch/spring-boot-actuator-logview/commit/1c76e1ec3588c9f39e1a94bf27b5ff56eb8b17d6 https://github.com/lukashinsch/spring-boot-actuator-logview/commit/760acbb939a8d1f7d1a7dfcd51ca848eea04e772 https://github.com/lukashinsch/spring-boot-actuator-logview/security/advisories/GHSA-p4q6-qxjx-8jgp https://search.maven.org/artifact/eu.hinsch/spring-boot-actuator-logview • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

Cross-site request forgery (CSRF) vulnerability in the Spring Batch Admin before 1.3.0 allows remote attackers to hijack the authentication of unspecified victims and submit arbitrary requests, such as exploiting the file upload vulnerability. Una vulnerabilidad de tipo Cross-Site Request Forgery (CSRF) en Spring Batch Admin en versiones anteriores a la 1.3.0 permite a los atacantes remotos interceptar la autenticación de víctimas sin especificar y enviar peticiones arbitrarias como la explotación de la vulnerabilidad de subida de archivos. • http://www.openwall.com/lists/oss-security/2017/08/16/5 http://www.securityfocus.com/bid/100410 • CWE-352: Cross-Site Request Forgery (CSRF) •