Security Affairs
Adobe ColdFusion flaw CVE-2026-48282 now exploited in the wild|Hidden Web Prompts Trick AI Agents Into Sending Money|Seven Bugs in FatFs Put IoT and Embedded Devices at Risk|Bad Epoll Flaw Gives Attackers Root Access on Linux and Android|Medtronic Notifies 3.8 Million After ShinyHunters Data Breach|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 104|Security Affairs newsletter Round 584 by Pierluigi Paganini – INTERNATIONAL EDITION|U.S. Government Agency Paid $1M to Data Extortion Group Kairos|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Adobe ColdFusion flaw CVE-2026-48282 now exploited in the wild|Hidden Web Prompts Trick AI Agents Into Sending Money|Seven Bugs in FatFs Put IoT and Embedded Devices at Risk|Bad Epoll Flaw Gives Attackers Root Access on Linux and Android|Medtronic Notifies 3.8 Million After ShinyHunters Data Breach|SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 104|Security Affairs newsletter Round 584 by Pierluigi Paganini – INTERNATIONAL EDITION|U.S. Government Agency Paid $1M to Data Extortion Group Kairos|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

A Remote Code Execution Vulnerability found in the Spring Framework. Upgrade it now!

Security experts have discovered a vulnerability in the Spring Framework that could be exploited by a remote attacker to execute arbitrary code on applications built with it. Security researchers have discovered three vulnerabilities in the Spring Development Framework, one of them could be exploited by a remote attacker to execute arbitrary code on applications built […]

Pivotal's Spring Data REST

Security experts have discovered a vulnerability in the Spring Framework that could be exploited by a remote attacker to execute arbitrary code on applications built with it.

Security researchers have discovered three vulnerabilities in the Spring Development Framework, one of them could be exploited by a remote attacker to execute arbitrary code on applications built with it.

Pivotal’s Spring is widely used open source framework for the development of web applications.  Affected Spring Framework versions are 5.0 to 5.0.4, 4.3 to 4.3.14, and older versions.

The security advisory published by Pivotal includes technical details of the following three vulnerabilities;

  • CVE-2018-1270: Remote Code Execution with spring-messaging, it is rated as “Critical”.

“Spring Framework versions 5.0 to 5.0.4, 4.3 to 4.3.14, and older unsupported versions allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module.” reads the advisory.

An attacker can send specially crafted messages to the broker in order to trigger the remote code execution flaw.

  • CVE-2018-1271: Directory Traversal with Spring MVC on Windows, it is rated as “High”.

“Spring Framework versions 5.0 to 5.0.4, 4.3 to 4.3.14, and older unsupported versions allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images).” reads the advisory. 

An attacker can use a specially crafted URL to lead a directory traversal attack.

  • CVE-2018-1272: Multipart Content Pollution with Spring Framework, it is rated as “Low”.

“When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.” reads the advisory.

An attacker that is able to guess the multipart boundary value chosen by server A for the multipart request to server B could successfully exploit the issue. This means that the attacker needs to gain the control of the server or have to find a way to see the HTTP log of server A through a separate attack vector.

Pivotal's Spring framework Data REST

The above issued are addressed with the Spring Framework 5.0.5 and 4.3.15. Pivotal also released Spring Boot 2.0.1 and 1.5.11.0.

Development teams need to upgrade their software to the latest versions as soon as possible.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – hacking, Spring framework)

[adrotate banner=”5″]

[adrotate banner=”13″]