Safeguard
Tag

java-security

Safeguard articles tagged "java-security" — guides, analysis, and best practices for software supply chain and application security.

83 articles

Vulnerability Analysis

CVE-2021-33037: HTTP request smuggling in Apache Tomcat

CVE-2021-33037 let malformed HTTP trailers desync Apache Tomcat from front-end proxies, enabling request smuggling. Here's what's affected and how to remediate.

Sep 24, 20257 min read
Vulnerability Analysis

CVE-2021-25329: Incomplete fix of Tomcat PersistenceManag...

CVE-2021-25329 shows how Tomcat's PersistenceManager deserialization fix (CVE-2020-9484) was incomplete, still risking RCE in edge-case configs.

Sep 23, 20258 min read
Vulnerability Analysis

CVE-2022-1471: Remote code execution in SnakeYAML deseria...

CVE-2022-1471 exposes SnakeYAML deserialization to remote code execution. Here is what is affected, CVSS context, and how to remediate the flaw.

Sep 23, 20257 min read
Vulnerability Analysis

CVE-2017-18640: Denial of service via SnakeYAML alias ent...

CVE-2017-18640 lets attackers crash Java services by abusing SnakeYAML's YAML alias/anchor expansion. Here's what's affected and how to fix it.

Sep 22, 20257 min read
Vulnerability Analysis

CVE-2018-1270: Remote code execution in Spring Messaging ...

CVE-2018-1270 is a critical, unauthenticated RCE in Spring Messaging's STOMP-over-WebSocket support. Here's what's affected, how severe it is, and how to remediate it.

Sep 22, 20257 min read
Vulnerability Analysis

CVE-2018-1271: Path traversal in Spring MVC static resour...

A path traversal flaw in Spring MVC's static resource handling let attackers on Windows deployments escape the web root and read arbitrary files.

Sep 22, 20257 min read
Vulnerability Analysis

CVE-2020-5398: Content-type bypass in Spring Framework

CVE-2020-5398 lets attackers bypass Spring Framework RFD protections via Content-Disposition, tricking browsers into downloading malicious files.

Sep 21, 20257 min read
Vulnerability Analysis

CVE-2016-4977: Remote code execution in Spring Security O...

CVE-2016-4977 let attackers achieve remote code execution against Spring Security OAuth's whitelabel views via SpEL injection. Here's what shipped, why, and how to fix it.

Sep 21, 20258 min read
Vulnerability Analysis

CVE-2021-22112: Improper authorization in Spring Security...

CVE-2021-22112 let Spring Security lose SecurityContext changes mid-request, an improper authorization flaw exposing OAuth2-secured apps to privilege escalation.

Sep 21, 20258 min read
Vulnerabilities

OpenJDK Vulnerabilities: Tracking and Patching

OpenJDK vulnerabilities are disclosed and patched through Oracle's quarterly Critical Patch Update cycle, but tracking them well means watching your specific JDK distribution and version line, not just assuming a generic update covers you.

Sep 17, 20255 min read
AppSec

Apache Tomcat and Coyote Connector Vulnerabilities Explained

Apache tomcat vulnerabilities keep surfacing because Tomcat sits directly in the request path of so many Java applications; here is what the Coyote connector does and which vulnerability classes recur most.

Aug 8, 20256 min read
AppSec

Spring Framework RCE Vulnerabilities: A History

From Spring4Shell to older data binding flaws, Spring framework RCE bugs keep resurfacing in the same handful of places — data binding, expression evaluation, and class loading.

Jun 24, 20256 min read
java-security (Page 6) — Safeguard Blog