java-security
Safeguard articles tagged "java-security" — guides, analysis, and best practices for software supply chain and application security.
83 articles
Insecure deserialization attack
A precise breakdown of what is an insecure deserialization attack, how object injection and gadget chains work in Java and Python, and how to defend against them.
Securing Spring Security OAuth2 and JOSE Dependencies
spring-security-oauth2-jose sits at the center of many Java auth stacks, but the legacy project is deprecated and its JOSE/JWT dependencies carry their own patch history; here is how to assess and reduce the risk.
Java Security Explained
Java security failures like Log4Shell exposed 3 billion devices — here's why Java's dependency depth makes it uniquely risky, and how to fix it fast.
Log4Shell (Log4j Vulnerability) Explained
A deep dive into Log4Shell (CVE-2021-44228): how the critical Log4j2 RCE flaw worked, its timeline, affected versions, and how to remediate it.
What is Spring4Shell
Spring4Shell (CVE-2022-22965) let attackers gain unauthenticated RCE on Java apps via Spring data binding. Here's the full breakdown and fix.
What is Maven Security
Maven security covers vulnerable dependencies, malicious plugins, and build-time risks in Java projects -- from Log4Shell to transitive dependency sprawl.
Maven Central dependency confusion and namespace collisio...
How Maven's groupId system and multi-repo resolution let attackers slip malicious packages into Java builds — and how to close the internal vs public repo gap.
Maven and Gradle dependency supply chain attacks in the J...
How attackers exploit Maven Central and the Gradle Plugin Portal — dependency confusion, malicious artifacts, and plugin takeovers — and how to defend Java builds.
Spring4Shell (CVE-2022-22965): root cause and remote code...
Spring4Shell (CVE-2022-22965) let attackers manipulate Java class loaders via Spring data binding to achieve RCE on Tomcat-deployed apps. Root cause, timeline, and fixes.
Spring Security misconfigurations and default credential ...
Default credentials, exposed Actuator endpoints, and missed filter rules: how spring security misconfiguration quietly exposes Java apps to breach.
Spring4Shell RCE in Spring Framework (CVE-2022-22965)
A deep dive into CVE-2022-22965 (Spring4Shell): the critical Spring Framework RCE, its exploitation chain, timeline, and how to remediate it fast.
Log4j second RCE bypass (CVE-2021-45046)
The Log4j 2.15.0 patch for Log4Shell was incomplete. CVE-2021-45046 shows how attackers bypassed it to achieve remote code execution.