Safeguard
Tag

java-security

Safeguard articles tagged "java-security" — guides, analysis, and best practices for software supply chain and application security.

83 articles

Industry Analysis

Expression Language Injection (ELI) in Java Applications

Expression language injection in Java has powered some of the decade's worst breaches, from Equifax to Confluence. Here's how OGNL and SpEL flaws actually get exploited.

Nov 8, 20257 min read
Vulnerability Analysis

Spring4Shell (CVE-2022-22965) Deep Dive: RCE via Data Bin...

A technical breakdown of Spring4Shell (CVE-2022-22965): the data-binding RCE, affected Spring/Tomcat configurations, severity, timeline, and how to remediate and detect exposure.

Oct 27, 20257 min read
Industry Analysis

SQL Injection Prevention in Java with PreparedStatement

Java teams still ship SQL injection bugs despite PreparedStatement being free and built into the JDK since 1997. Here is how it works and where it fails.

Oct 27, 20258 min read
Industry Analysis

Path Traversal Prevention in Java with Path.normalize

Path.normalize() cleans up "." and ".." in a Java path — but it doesn't stop path traversal. Here's why the Zip Slip pattern still slips past code review in 2026.

Oct 24, 20257 min read
Industry Analysis

XXE Prevention in Java: Hardening DocumentBuilderFactory

Java's DocumentBuilderFactory parses XML with external entities on by default, turning XML uploads into file-read and SSRF vectors. Here is how to lock it down.

Oct 22, 20258 min read
Industry Analysis

Insecure Deserialization Prevention in Java with Deserial...

Java deserialization RCEs still hit production years after JEP 290 shipped filters. Here's how JEP 290/415 filters work, common rollout mistakes, and how Safeguard closes the gaps.

Oct 21, 20257 min read
Industry Analysis

Secure Random Number Generation in Java with SecureRandom...

Why java.util.Random and even UUID.randomUUID() can leak predictable tokens, and how Java's SecureRandom and NIST DRBG providers actually protect secrets.

Oct 18, 20257 min read
Vulnerability Analysis

CVE-2020-17530: Forced OGNL evaluation RCE in Apache Struts2

CVE-2020-17530 lets attackers achieve unauthenticated RCE in Apache Struts2 via forced OGNL evaluation. Here's the scope, timeline, and how to remediate it.

Sep 30, 20257 min read
Vulnerability Analysis

CVE-2015-6420: Deserialization vulnerability via Apache C...

How a vulnerable Apache Commons Collections library let attackers achieve remote code execution via Java deserialization gadget chains, and what CVE-2015-6420 still teaches about supply chain risk.

Sep 30, 20258 min read
Vulnerability Analysis

CVE-2019-12384: Polymorphic deserialization gadget in Jac...

CVE-2019-12384 is a Jackson-databind polymorphic deserialization gadget flaw via Ehcache's transaction manager class, patched in 2.9.9.1.

Sep 30, 20257 min read
Vulnerability Analysis

CVE-2019-14540: Jackson-databind blacklist bypass via c3p...

CVE-2019-14540 lets attackers bypass jackson-databind's deserialization blacklist via c3p0 classes to achieve RCE. Here's what's affected, the timeline, and how to remediate.

Sep 29, 20257 min read
Vulnerability Analysis

CVE-2019-16335: Jackson-databind gadget via jackson-dataf...

CVE-2019-16335 is a jackson-databind polymorphic deserialization flaw tied to jackson-dataformat-cbor, fixed in 2.9.10. Here's the impact, timeline, and fix.

Sep 29, 20257 min read
java-security (Page 5) — Safeguard Blog