CVE-2022-22976: BCrypt skips salt rounds for work factor of 31

CVE-2022-22975: Authorization Bypass in RegexRequestMatcher

Spring by VMware

In Spring Security versions 5.5.6 and 5.5.7 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers.

Applications using RegexRequestMatcher with . in the regular expression are possibly vulnerable to an authorization bypass.

Affected VMware Products and Versions

Applications using RegexRequestMatcher with a regular expression that contains . are likely vulnerable to an authorization bypass for versions:

  • Spring Security 5.5.x prior to 5.5.7

  • Spring Security 5.6.x prior to 5.6.4

  • Earlier unsupported versions

Spring Data 2021.2 and 2022.0 M4 released.

On behalf of the Data Team and everyone who contributed, I’m pleased to announce the GA release of the 2021.2 release train as well as the 4th Milestone of the 2022.0 one.

Already working on the 2022.0 train, based on Spring Framework 6, Java 17 and Jakarta EE 9, the 2021.2 release ships bug fixes and selected backported features.

Other than dependency upgrades, these are some of the major changes:

  • Infrastructure to introspect a projection type.
  • Common infrastructure for property-specific value converters.
  • Improved support for IdClass handling in data-jpa.
  • Declarative Update methods in data-mongodb.
  • Reindexing support in data-elasticsearch.
  • Direct projections for data-cassandra.
  • ACL support for Redis Sentinels.
  • Lock and Null precedence support for JDBC.
  • Query Rewriter for JPA.

Spring Framework 5.3.20 and 5.2.22 available now

On behalf of the team and everyone who has contributed, I am pleased to announce that Spring Framework 5.3.20 and 5.2.22 are available now.

Spring Framework 5.3.20 includes 14 fixes and improvements.
Spring Framework 5.2.22 includes 2 backports.

In addition, these releases include fixes for 2 vulnerabilities:

  • CVE-2022-22970
    “Spring Framework DoS via Data Binding to MultipartFile or Servlet Part”
    Denial of Service (DoS) attack in Spring MVC or Spring WebFlux applications that handle file uploads and rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.
    Severity: Medium

  • CVE-2022-22971
    “Spring Framework DoS with STOMP over WebSocket”
    Denial of service (DoS) attack by authenticated users in Spring applications with a STOMP over WebSocket endpoint.
    Severity: Medium

This Week in Spring - May 10th, 2022

Hi, Spring fans! I’m writing this from - I can’t believe I get to say this - abroad! I’m in London, UK! Now, this is not particularly noteworthy for those millions who already live here. But I don’t live here. I’m a visitor! I live in San Francisco. I had to fly here! On a plane! With other people! ACROSS THE OCEAN. This is my first international flight since March of 2020, and I couldn’t be more excited to be here for Devoxx UK and also just to catch up with old friends I haven’t seen in nearly three years. If you know me, and how I used to travel, you’ll appreciate how odd it is for me to be this excited to have crossed a border. It’s been sooo long! I’ve missed the process. I’ve missed seeing people. I’ve missed all of it.

This Week in Spring - May 3rd, 2022

Hi, Spring fans! Welcome to another installment of This Week in Spring! How are you doin’?

I’m excited! This week I’m speaking at the ArabJUG, and I’ll be speaking at Microsoft’s huuuge JDConf event. Both of these are virtual. Then, next Monday, I’m on a plane bound for London, UK, where I’ll be speaking at Devoxx UK 2022. Then, not even two weeks later, I’ll be speaking at Spring IO, in Barcelona, Spain! Then a week later, I’ll be speaking at JNation, in Lisbon, Portugal. To say that I am excited would be an understatement, my friends.