java-security
Safeguard articles tagged "java-security" — guides, analysis, and best practices for software supply chain and application security.
83 articles
Jackson-databind Polymorphic Deserialization Gadget (CVE-2019-12384) Explained
CVE-2019-12384 chained a logback gadget with H2's RUNSCRIPT to turn default typing into code execution. Here's the mechanism, the classpath caveat, and how to fix it for good.
10 Java security best practices
10 Java security best practices security teams should enforce across dependency management, deserialization, injection, secrets, and build pipelines.
10 Spring Boot security best practices
Ten concrete Spring Boot security practices, with real CVEs, config flags, and file paths, to close the gaps attackers actually exploit.
A guide to input validation with Spring Boot
Spring Boot doesn't validate input by default. Here's how Bean Validation actually works, where teams get it wrong, and how missing validation leads to injection and mass assignment.
Fixing vulnerabilities in Maven projects
Maven vulnerability remediation isn't just running mvn versions:use-latest — here's how to triage, patch, and verify fixes without breaking builds.
Fixing vulnerabilities in Gradle projects
Gradle's resolved dependency graph rarely matches build.gradle. Here's how to find, force-fix, and lock vulnerable transitive dependencies for good.
Spring4Shell RCE vulnerability explained CVE-2022-22965
CVE-2022-22965 (Spring4Shell) lets attackers achieve unauthenticated RCE on Spring MVC/Tomcat apps. Here's the CVSS/EPSS/KEV data, timeline, and fixes.
Text4Shell RCE in Apache Commons Text CVE-2022-42889
CVE-2022-42889 (Text4Shell) is a 9.8-severity RCE in Apache Commons Text 1.5-1.9. Learn affected versions, timeline, and remediation steps.
Log4Shell remediation cheat sheet
A practical, no-fluff Log4Shell remediation cheat sheet: affected versions, CVSS/EPSS/KEV context, timeline, and the exact steps to close CVE-2021-44228.
Unsafe deserialization in SnakeYAML CVE-2022-1471
CVE-2022-1471 lets attackers achieve RCE via SnakeYAML's unsafe Constructor. Learn affected versions, CVSS/EPSS context, and remediation steps.
How to prevent log injection vulnerabilities in Java
Log injection let attackers turn Log4j logging calls into remote code execution in 2021. Here's how CWE-117 works in Java and how to stop it.
162 vulnerabilities disclosed in Java's top 10 libraries
Safeguard's H1 2026 analysis found 162 CVEs across Java's ten most-downloaded libraries, with critical RCE risk concentrated in Tomcat and Spring.