java-security
Safeguard articles tagged "java-security" — guides, analysis, and best practices for software supply chain and application security.
83 articles
Encryption Algorithms in Java: A Practical Overview
Java ships a wide menu of encryption algorithms through its Java Cryptography Architecture, but picking the wrong mode or a deprecated cipher is one of the most common security findings in Java codebases.
Fixing XXE in Java: A Parser-by-Parser Hardening Guide
A parser-by-parser XXE fix for Java, covering DocumentBuilderFactory, SAXParser, XMLInputFactory, TransformerFactory, and the XML libraries that still ship unsafe defaults.
Java Vulnerability Classes: A Reference List
A java vulnerability list organized by class — deserialization, injection, XXE, and the rest — because Java's ecosystem produces a specific, recurring set of vulnerability patterns worth knowing by name.
CVE-2020-15250: The JUnit Temp File Vulnerability
CVE-2020-15250 shows how a test-only utility class in JUnit 4 created world-readable temp files on Unix systems, and why it still shows up in scans of projects that never touched production code paths.
CVE-2021-29425: The Commons IO Path Traversal Bug
CVE-2021-29425 shows how a single unhandled case in Apache Commons IO's path normalization let attackers slip past directory checks that assumed a canonicalized path was actually safe.
Spring4Shell: What Shipped and How to Patch It
What the Spring4Shell vulnerability actually was, which configurations were exposed, and the concrete patch and mitigation steps that closed it.
XXE Attacks Explained: XML External Entity Injection
How an XXE attack turns a trusting XML parser into a file-reading, request-forging liability, with a concrete Java example and the parser flags that shut it down.
The Spring Shell Vulnerability: What Happened
Spring4Shell (CVE-2022-22965) let attackers achieve remote code execution through Spring's data-binding mechanism — here's what made it exploitable and what actually needed patching.
Deserialization Attacks in Java and Python
Insecure deserialization turns data parsing into code execution. This guide covers deserialization attacks in Java and Python, the gadget chain concept, and practical defenses for both ecosystems.
Insecure Deserialization: Why Untrusted Data Should Never Become Objects
Deserialization vulnerabilities turn data into code execution. Here is how they work, which languages are most affected, and how to defend against them.
Red Hat JBoss Vulnerability Exploitation: The Persistent Threat of Java Middleware
JBoss application servers have been a recurring target for attackers. From deserialization flaws to exposed management interfaces, the middleware layer remains a critical attack surface.