[Full-disclosure] CVE-2014-0054 Spring MVC Incomplete fix for CVE-2013-4152 / CVE-2013-6429 (XXE)

2014-03-12 Thread Pivotal Security Team
CVE-2014-0054 Incomplete fix for CVE-2013-4152 / CVE-2013-6429 (XXE) Severity: Important Vendor: Spring by Pivotal Versions Affected: - Spring MVC 3.0.0 to 3.2.8 - Spring MVC 4.0.0 to 4.0.1 - Earlier unsupported versions may be affected

[Full-disclosure] CVE-2014-0097 Spring Security Blank password may bypass user authentication

2014-03-12 Thread Pivotal Security Team
CVE-2014-0097 Blank password may bypass user authentication Severity: Important Vendor: Spring by Pivotal Versions Affected: - Spring Security 3.2.0 to 3.2.1 - Spring Security 3.1.0 to 3.1.5 Description: The ActiveDirectoryLdapAuthenticator

[Full-disclosure] CVE-2014-1904 XSS when using Spring MVC

2014-03-12 Thread Pivotal Security Team
to 3.2.8 or later - Users of 4.x should upgrade to 4.0.2 or later Credit: This issue was discovered and reported responsibly to the Pivotal security team by Paul Wowk of CAaNES LLC. References: https://jira.springsource.org/browse/SPR-11426 https://github.com/spring-projects/spring-framework/commit

[Full-disclosure] Update: CVE-2014-0053 Information Disclosure when using Grails

2014-02-27 Thread Pivotal Security Team
responsible reporting of security vulnerabilities via secur...@gopivotal.com The /META-INF aspects of this issue were identified by numerous individuals and reported responsibly to either the Grails team or to the Pivotal Security team. The directory traversal aspects of this vulnerability were reported

[Full-disclosure] CVE-2014-0053 Information Disclosure when using Grails

2014-02-19 Thread Pivotal Security Team
CVE-2014-0053 Information Disclosure in Grails applications Severity: Important Vendor: Grails by Pivotal Versions Affected: - Grails 2.0.0 to 2.3.5 Description: The Grails resources plug-in, a default dependency of Grails since 2.0.0, does not block access to resources located under /WEB-INF

[Full-disclosure] CVE-2013-6429 Fix for XML External Entity (XXE) injection (CVE-2013-4152) in Spring Framework was incomplete

2014-01-15 Thread Pivotal Security Team
Severity: Important Vendor: Spring by Pivotal Versions Affected: - Spring MVC 3.0.0 to 3.2.4 - Spring MVC 4.0.0.M1-4.0.0.RC1 - Earlier unsupported versions may be affected Description: Spring MVC's SourceHttpMessageConverter also processed user provided XML and neither disabled XML external

[Full-disclosure] CVE-2013-6430 Possible XSS when using Spring MVC

2014-01-15 Thread Pivotal Security Team
: This issue was originally reported to the Spring Framework developers by Jon Passki and the security implications brought to the attention of the Pivotal security team by Arun Neelicattu. References: http://www.gopivotal.com/security/cve-2013-6430 https://jira.springsource.org/browse/SPR-9983 https

[Full-disclosure] CVE-2013-4152 XML External Entity (XXE) injection in Spring Framework

2013-08-22 Thread Pivotal Security Team
Severity: Important Vendor: Spring by Pivotal Versions Affected: - 3.0.0 to 3.2.3 (Spring OXM Spring MVC) - 4.0.0.M1 (Spring OXM) - 4.0.0.M1-4.0.0.M2 (Spring MVC) - Earlier unsupported versions may also be affected Description: The Spring OXM wrapper did not expose any property for disabling