java-security
Safeguard articles tagged "java-security" — guides, analysis, and best practices for software supply chain and application security.
83 articles
Struts2 OGNL injection RCE (CVE-2018-11776)
CVE-2018-11776 lets remote attackers achieve full RCE in Apache Struts2 via OGNL injection in URL namespaces. Impact, timeline, and fixes inside.
Log4j JDBC Appender RCE (CVE-2021-44832)
CVE-2021-44832 lets attackers with logging-config write access achieve RCE via Log4j2's JDBC Appender — and Log4Shell fixes alone don't stop it.
Text4Shell Apache Commons Text RCE (CVE-2022-42889)
A deep dive into CVE-2022-42889 (Text4Shell): the Apache Commons Text RCE, its narrower real-world exploitability versus Log4Shell, and how to remediate it.
Alibaba fastjson deserialization RCE (CVE-2022-25845)
A critical AutoType-bypass RCE in Alibaba fastjson (CVSS 9.8, EPSS ~99th pct) hits any app parsing untrusted JSON. Here's how to detect and fix it.
Log4j SocketServer unsafe deserialization (CVE-2019-17571)
A deep dive into CVE-2019-17571, the Log4j 1.x SocketServer deserialization flaw enabling remote code execution, with remediation guidance.
Jackson-databind polymorphic deserialization RCE (CVE-2017-15095)
A critical jackson-databind deserialization vulnerability (CVE-2017-15095) lets unauthenticated attackers achieve RCE via HikariCP gadget classes.
Jackson-databind RCE via JDOM gadget (CVE-2020-36189)
CVE-2020-36189 lets attackers chain jackson-databind polymorphic deserialization with a JDOM gadget for RCE, SSRF, or XXE. Here's the mechanics and the fix.
dom4j XML external entity vulnerability (CVE-2018-1000632)
CVE-2018-1000632, the dom4j XXE vulnerability, let attackers inject and tamper with XML via unescaped addElement/addAttribute calls. Here's the fix.
Spring Cloud Function SpEL injection RCE (CVE-2022-22963)
CVE-2022-22963 lets attackers RCE unpatched Spring Cloud Function apps via one SpEL header. CVSS 9.8. Here's the fix, fast.
Jetty SSL buffer bloat denial of service (CVE-2021-28165)
CVE-2021-28165 lets attackers exhaust Jetty server memory via SSL buffer bloat, causing denial of service. Affected versions, timeline, and fixes inside.
Spring Security authorization rule bypass (CVE-2023-34035)
CVE-2023-34035 lets Spring Security's requestMatchers() silently mis-evaluate authorization rules in multi-servlet apps. Here's the fix and how to detect exposure.
Spring Security OAuth2 client vulnerability (CVE-2022-31690)
CVE-2022-31690 in Spring Security's OAuth2 client can let one principal obtain another's token. Here's the impact, CVSS/EPSS context, and how to remediate.