Safeguard
Tag

java-security

Safeguard articles tagged "java-security" — guides, analysis, and best practices for software supply chain and application security.

83 articles

Vulnerability Analysis

Struts2 OGNL injection RCE (CVE-2018-11776)

CVE-2018-11776 lets remote attackers achieve full RCE in Apache Struts2 via OGNL injection in URL namespaces. Impact, timeline, and fixes inside.

Jan 18, 20267 min read
Vulnerability Analysis

Log4j JDBC Appender RCE (CVE-2021-44832)

CVE-2021-44832 lets attackers with logging-config write access achieve RCE via Log4j2's JDBC Appender — and Log4Shell fixes alone don't stop it.

Jan 14, 20267 min read
Vulnerability Analysis

Text4Shell Apache Commons Text RCE (CVE-2022-42889)

A deep dive into CVE-2022-42889 (Text4Shell): the Apache Commons Text RCE, its narrower real-world exploitability versus Log4Shell, and how to remediate it.

Jan 14, 20267 min read
Vulnerability Analysis

Alibaba fastjson deserialization RCE (CVE-2022-25845)

A critical AutoType-bypass RCE in Alibaba fastjson (CVSS 9.8, EPSS ~99th pct) hits any app parsing untrusted JSON. Here's how to detect and fix it.

Jan 11, 20267 min read
Vulnerability Analysis

Log4j SocketServer unsafe deserialization (CVE-2019-17571)

A deep dive into CVE-2019-17571, the Log4j 1.x SocketServer deserialization flaw enabling remote code execution, with remediation guidance.

Dec 25, 20257 min read
Vulnerability Analysis

Jackson-databind polymorphic deserialization RCE (CVE-2017-15095)

A critical jackson-databind deserialization vulnerability (CVE-2017-15095) lets unauthenticated attackers achieve RCE via HikariCP gadget classes.

Dec 25, 20257 min read
Vulnerability Analysis

Jackson-databind RCE via JDOM gadget (CVE-2020-36189)

CVE-2020-36189 lets attackers chain jackson-databind polymorphic deserialization with a JDOM gadget for RCE, SSRF, or XXE. Here's the mechanics and the fix.

Dec 25, 20257 min read
Vulnerability Analysis

dom4j XML external entity vulnerability (CVE-2018-1000632)

CVE-2018-1000632, the dom4j XXE vulnerability, let attackers inject and tamper with XML via unescaped addElement/addAttribute calls. Here's the fix.

Dec 24, 20258 min read
Vulnerability Analysis

Spring Cloud Function SpEL injection RCE (CVE-2022-22963)

CVE-2022-22963 lets attackers RCE unpatched Spring Cloud Function apps via one SpEL header. CVSS 9.8. Here's the fix, fast.

Dec 24, 20258 min read
Vulnerability Analysis

Jetty SSL buffer bloat denial of service (CVE-2021-28165)

CVE-2021-28165 lets attackers exhaust Jetty server memory via SSL buffer bloat, causing denial of service. Affected versions, timeline, and fixes inside.

Dec 23, 20257 min read
Vulnerability Analysis

Spring Security authorization rule bypass (CVE-2023-34035)

CVE-2023-34035 lets Spring Security's requestMatchers() silently mis-evaluate authorization rules in multi-servlet apps. Here's the fix and how to detect exposure.

Dec 23, 20258 min read
Vulnerability Analysis

Spring Security OAuth2 client vulnerability (CVE-2022-31690)

CVE-2022-31690 in Spring Security's OAuth2 client can let one principal obtain another's token. Here's the impact, CVSS/EPSS context, and how to remediate.

Dec 22, 20257 min read
java-security (Page 4) — Safeguard Blog