CVE-2022-31690: Privilege Escalation in spring-security-oauth2-client

Engineering | Steve Riesenberg | October 31, 2022 | ...

Spring Security 5.6.9 and 5.7.5 released on October 31st, 2022 included a fix for CVE-2022-31690 affecting the mapping of authorized scopes in spring-security-oauth2-client. Users are encouraged to update as soon as possible.

Impact

Users who have applied the mitigation should take note of the following impact:

No authorized scopes are mapped to the principal (current user) when the Authorization Server (AS) returns an OAuth2 Access Token Response with an empty or missing scope parameter.

If you are affected by this vulnerability, users will not be granted any authorities beginning with SCOPE_ when the AS does not return scopes. Only the special authority ROLE_USER

This Week in Spring - November 1st, 2022

Engineering | Josh Long | October 31, 2022 | ...

Hi, Spring fans! Welcome to another installment of This Week in Spring! How're you doin'? I hope you're doing well and had a great Halloween if you celebrate. I'm doing great. I'm in sunny Kuala Lumpur, Malaysia, eating delicious food and hanging out with amazing people. Tomorrow, I'm off to Penang, Malaysia, for a little tourism before I get back to a more code-driven kinda fun: I'll be doing a developer event looking at the latest-and-greatest from Spring Boot 3 here in Kuala Lumpur on the 11th of November - ten short days from now! - so please join me!

Also, I just joined Mastodon - a decentralized and open-source Twitter; I'm not leaving Twitter, of course, but I would love to make new friends and grow the community there: @[email protected]

Spring Tips: the road to Spring Boot 3: Spring Framework 6

Engineering | Josh Long | October 26, 2022 | ...

Hi, Spring fans! In this installment, we begin a journey to Spring Boot 3, due end of November 2022. In this installment, we'll look - at a very high level - at some of the amazing features in Spring Framework 6, which underpins Spring Boot 3.

Want to learn more about Spring Framework 6 and Spring Boot 3? Join us at SpringOne 2022! Use the code S1VM22_Advocate_200 for $200 off the price of admission!

Spring Session 3.0.0-RC1

Engineering | Rob Winch | October 26, 2022 | ...

Spring Session 3.1.0-RC1 has been released. The biggest news from this release is that Spring Session Geode was removed which means all of the Spring Modules now belong to the same lifecycle. This means that the Spring Session BOM no longer uses CalVer and instead uses the same version as the remaining Spring Session modules. For example, in this release the version of spring-session-bom is 3.0.0-RC1.

You can view the release notes for additional details around this release.


This Week in Spring - October 25th, 2022

Engineering | Josh Long | October 24, 2022 | ...

Hi, Spring fans! Welcome to another installment of This Week in Spring! When last we spoke, I was in Las Vegas, NV, for the JavaOne show. It was amazing! I'm in sunny Singapore, then off to Malaysia and Thailand. It's the first time I've been to any of these places since 2019! How good it is to be back! I've so missed it.

The Spring team is busy preparing for both Spring Boot 3 (and the Spring Framework 6 release that underpins it) and SpringOne 2022. Have you booked your ticket for SpringOne 2022 yet? It's going to be held in sunny San Francisco, and - of course - it'll be the absolute best…

Introducing Spring Modulith

Engineering | Oliver Drotbohm | October 21, 2022 | ...

When designing software systems, architects and developers have plenty of architectural options to choose from. Microservice-based systems have become ubiquitous in the last couple of years. However, the idea of monolithic, modular systems has also regained popularity recently. Independent of the architectural style ultimately selected, the individual applications comprising the overall system need their structure to be evolvable and able to follow changes in business requirements.

Traditionally, application frameworks have provided structural guidance by providing abstractions aligned with technical concepts, such as Spring Framework’s stereotype annotations (@Controller, @Service, @Repository, and so on). However, shifting the focus to align code structure with the domain has proven to lead to better structured applications that are ultimately more understandable and…

A Bootiful Podcast: Microsoft's Asir Selvasingh on Azure Spring Apps, Java at Microsoft, application security, and more

Engineering | Josh Long | October 20, 2022 | ...

Hi, Spring fans! In this installment, Josh Long (@starbuxma) talks to his friend, Microsoft's Asir Selvasingh (@asirselvasingh), about Azure Spring Apps, Java at Microsoft, Spring, application security, and more. Want to learn more? Join us at SpringOne (6-8 December 2022)!

Want to meet amazing people like Asir? Join us at SpringOne 2022! Register now and get $200 off with this discount code S1VM22_Advocate_200.
