Safeguard
Tag

java-security

Safeguard articles tagged "java-security" — guides, analysis, and best practices for software supply chain and application security.

83 articles

AppSec

Encryption Algorithms in Java: A Practical Overview

Java ships a wide menu of encryption algorithms through its Java Cryptography Architecture, but picking the wrong mode or a deprecated cipher is one of the most common security findings in Java codebases.

Jun 9, 20256 min read
Vulnerabilities

Fixing XXE in Java: A Parser-by-Parser Hardening Guide

A parser-by-parser XXE fix for Java, covering DocumentBuilderFactory, SAXParser, XMLInputFactory, TransformerFactory, and the XML libraries that still ship unsafe defaults.

Feb 18, 20256 min read
Vulnerabilities

Java Vulnerability Classes: A Reference List

A java vulnerability list organized by class — deserialization, injection, XXE, and the rest — because Java's ecosystem produces a specific, recurring set of vulnerability patterns worth knowing by name.

Feb 11, 20255 min read
Vulnerabilities

CVE-2020-15250: The JUnit Temp File Vulnerability

CVE-2020-15250 shows how a test-only utility class in JUnit 4 created world-readable temp files on Unix systems, and why it still shows up in scans of projects that never touched production code paths.

Aug 6, 20244 min read
Vulnerabilities

CVE-2021-29425: The Commons IO Path Traversal Bug

CVE-2021-29425 shows how a single unhandled case in Apache Commons IO's path normalization let attackers slip past directory checks that assumed a canonicalized path was actually safe.

Jun 17, 20244 min read
Vulnerabilities

Spring4Shell: What Shipped and How to Patch It

What the Spring4Shell vulnerability actually was, which configurations were exposed, and the concrete patch and mitigation steps that closed it.

Apr 2, 20245 min read
Vulnerabilities

XXE Attacks Explained: XML External Entity Injection

How an XXE attack turns a trusting XML parser into a file-reading, request-forging liability, with a concrete Java example and the parser flags that shut it down.

Mar 12, 20246 min read
Vulnerabilities

The Spring Shell Vulnerability: What Happened

Spring4Shell (CVE-2022-22965) let attackers achieve remote code execution through Spring's data-binding mechanism — here's what made it exploitable and what actually needed patching.

Jan 30, 20244 min read
Application Security

Deserialization Attacks in Java and Python

Insecure deserialization turns data parsing into code execution. This guide covers deserialization attacks in Java and Python, the gadget chain concept, and practical defenses for both ecosystems.

Dec 5, 20236 min read
Code Security

Insecure Deserialization: Why Untrusted Data Should Never Become Objects

Deserialization vulnerabilities turn data into code execution. Here is how they work, which languages are most affected, and how to defend against them.

Oct 12, 20236 min read
Vulnerability Analysis

Red Hat JBoss Vulnerability Exploitation: The Persistent Threat of Java Middleware

JBoss application servers have been a recurring target for attackers. From deserialization flaws to exposed management interfaces, the middleware layer remains a critical attack surface.

May 22, 20226 min read
java-security (Page 7) — Safeguard Blog