| Name | Description | Introduced in Version |
|---|---|---|
| Standard error handling in connector framework to handle processing and publishing errors without losing data | Micro-Integration Flows now support configurable error handling to prevent data loss when messages fail during processing or delivery. Two independent features are available; both are disabled by default and can be enabled in any combination per Flow. The error handling logic distinguishes between two failure types. This feature is designed for sources that lack built-in error handling, such as Change Data Capture (CDC) and polling-based sources. If your source system already has its own error handling mechanism, we recommend that you choose between the source system's error handling and the Micro-Integration error handling; avoid enabling both at the same time. You configure error handling in the Error Handling step when you create or edit a Flow in Solace Cloud. | 2.14.0 |
| New functions for MI transformations: base64 encode and decode (self and cloud managed) | Added transformation functions for Base64 encoding and decoding with support for the Standard, URL-safe, and MIME variants. | 2.11.1 |
| Spring Cloud Stream binder performance improvements to MIs | Performance improvements through architectural optimizations in message processing. These enhancements enable substantially higher message throughput and more efficient resource utilization, allowing larger workloads to be handled with the same infrastructure. In addition, asynchronous publishing is now enabled by default on Micro Integrations that support it, and the default internal back-pressure is disabled for faster asynchronous publishing. | 2.10.1 |
| Connector Framework: per-message payload identification and field-level transformations | A new configuration section and capabilities for transforming source headers and payload into the desired mappings on the target headers and payload have been added. The mappings are expressed in the connector configuration using an expression language based on the Spring Expression Language (SpEL). Various string and number functions are available to transform values to the desired target format, for example `join`, `mask`, `abs`, and many more. This release supports JSON payloads only; future releases will add other content formats such as XML. If your source and target payloads are not JSON, you cannot map or transform the payload and it is passed through as is. However, you can still do header transforms and smart topic dynamic producer destinations. This is a new capability and is not compatible with the `transform-headers` and `transform-payload` sections of the configuration available prior to this release. The `transform-headers` and `transform-payload` sections continue to work but are now deprecated and will be removed in a future release. Existing connector configurations that rely on the legacy transform sections should not use the new transform capabilities; the legacy and new transform sections cannot be used together. | 2.9.0 |
| Connector Framework/Binder performance improvements | Messages are now processed in batches, with transactions possible on the consumer side, the producer side, or both. Refer to the documentation for the benefits and tradeoffs of batching and transactions. Note that the default batch size is 255, and that the `solace.connector.process` and `solace.connector.error.process` metrics now apply to batches instead of individual messages. To get metrics on individual messages, use the `solace.connector.publish.ack` metric. | 2.6.0 |
| Migrate Connector Framework and connectors to Spring Boot 3.3 | Migrate to the latest Connector Framework using the Spring Boot 3.3 release. | 2.6.0 |
| Support for Durable Topic Endpoints and selectors in Solace binder | Support in the Solace source binder for consuming from a Durable Topic Endpoint (in addition to queues). Also added support for selectors on both queues and Durable Topic Endpoints. | 2.6.0 |
| SCSt binder: add support for NACK | Added support (internal) for NACK handling of messages that were not processed due to an error. This is a breaking change regarding supported PubSub+ broker versions: the connectors now require broker version 10.2.1 or later to operate. | 2.3.0 |
| Reference Number | Description | Resolved in Version |
|---|---|---|
| DATAGO-121267 | When an asynchronous publish failed and the corresponding consumed Solace message was negatively acknowledged, queue retries were not respected. Similarly, when consuming from a non-Solace source, negative acknowledgements to that source could fail. | 2.10.2 |
| DATAGO-105471 | Added the destination header to the SMF metadata of Solace Source micro-integrations. | 2.9.12 |
| DATAGO-84058 | The connector now includes all required IBM MQ Client sub-dependencies. Users only need to include the IBM MQ Client jar version that is supported by their installed connector version. For the supported IBM MQ Client version, refer to the latest upgrade information in this release note. Including additional IBM MQ Client sub-dependencies is not supported. Note: This version supports IBM MQ Client 9.4.1.1. | 2.9.0 |
| DATAGO-69335 | Fixed an issue reading a user property whose value is of type `byte[]` (ByteArray) when mapping a Solace consumer message to a Spring message. | 2.6.11 |
| DATAGO-78357 | JMS consumer bindings no longer map the `jms_destination` and `jms_replyTo` headers. As a result, these headers are no longer accessible for use in transform-header expressions. If your configuration includes default workflow transform-header expressions that nullify these headers, you can now remove those expressions. | 2.6.4 |
| DATAGO-71738 | StreamMessages are not supported by this version of the connector due to an issue within the Spring Framework. Solace is working with Spring to address this issue and will reinstate StreamMessage support in a future release. Attempted processing of StreamMessages results in an `UnsupportedOperationException` in the connector. | 2.4.3 |
| Reference Number | Description | Introduced in Version |
|---|---|---|
| DATAGO-138150 | Upgrade connector to Solace Spring Cloud 4.11.1 | 2.14.0 |
| DATAGO-137805 | Upgrade connector to Eclipse Temurin 17.0.19_10-jre-alpine-3.23@b0ae54a36f82 | 2.14.0 |
| DATAGO-134580 | Fixed publisher send failures after an unsolicited broker-side flow close; affected publishers now auto-recover without requiring an application restart. | 2.14.0 |
| DATAGO-140010 | Upgrade connector to Spring Boot 3.5.15 | 2.14.0 |
| DATAGO-140269 | Upgrade connector to Spring Cloud 2025.0.3 | 2.14.0 |
| DATAGO-133191 | Upgrade connector to Spring Boot 3.5.14 | 2.13.1 |
| DATAGO-132479 | Upgrade connector base image to Eclipse Temurin 17.0.18_8-jre-alpine-3.23 (sha256:88c0002860cda56384d5ed3b2da4d0d9a2b44dc2ee4dc02344be985bd8b524bc) | 2.13.1 |
| DATAGO-130215 | Upgrade connector to JCSMP 10.28.3 | 2.13.0 |
| DATAGO-128563 | Upgrade Spring Boot Admin to 3.5.8 | 2.13.0 |
| DATAGO-128439 | Add support for Prometheus monitoring tooling for observability. | 2.13.0 |
| DATAGO-128564 | Upgrade connector to Spring Boot 3.5.12 | 2.13.0 |
| DATAGO-130061 | Upgrade connector to Spring Boot 3.5.13 | 2.13.0 |
| DATAGO-130790 | Upgrade connector to Spring Cloud 2025.0.2 | 2.13.0 |
| DATAGO-125812 | Upgrade connector to Spring Boot 3.5.11 | 2.12.0 |
| DATAGO-124644 | Upgrade connector base image to Eclipse Temurin 17.0.18_8-jre-alpine (sha256:7aa804a1824d18d06c68598fe1c2953b5b203823731be7b9298bb3e0f1920b0d). | 2.11.1 |
| DATAGO-120869 | Upgrade connector to Spring Boot 3.5.10 | 2.11.1 |
| DATAGO-124658 | Upgrade connector to Spring Boot Admin 3.5.7 | 2.11.1 |
| DATAGO-114547 | Added a startup notice/banner regarding the upcoming executable artifact renaming. Users should prepare to update automation scripts when this change takes effect in a future release. | 2.10.2 |
| DATAGO-120873 | Upgrade connector to Spring Cloud 2025.0.1 | 2.10.1 |
| DATAGO-117314 | Upgrade connector to Eclipse Temurin 17.0.17_10-jre-alpine (sha256:f57e47e7a78ae1ff5019681d95a4964153b0d1078bdff2a2f288e4a5ee329c14) | 2.10.1 |
| DATAGO-118041 | Upgrade connector to Spring Boot 3.5.8 | 2.10.1 |
| DATAGO-108854 | Enable the workflow's asynchronous publishing configuration option by default for improved performance. The workflow's `acknowledgment.publish-async` property now defaults to `true`. | 2.10.1 |
| DATAGO-119789 | Upgrade connector to Netty 4.1.128.Final | 2.10.1 |
| DATAGO-115120 | Upgrade connector to com.ibm.mq.jakarta.client 9.4.4.0 | 2.9.25 |
| DATAGO-116368 | Upgrade connector to Spring Boot Admin 3.5.6 | 2.9.25 |
| DATAGO-116369 | Upgrade connector to Spring Boot 3.5.7 | 2.9.25 |
| DATAGO-116367 | Upgrade connector to Solace JCSMP 10.28.2 | 2.9.25 |
| DATAGO-111042 | Upgrade com.ibm.mq.jakarta.client to 9.4.3.1 | 2.9.22 |
| DATAGO-111022 | Upgrade connector to Solace Spring Cloud 4.10.0 | 2.9.22 |
| DATAGO-112077 | Upgrade connector to Spring Boot Admin 3.5.5 | 2.9.22 |
| DATAGO-112062 | Upgrade connector to Spring Boot 3.5.6 and Spring Cloud 2025.0.0 | 2.9.22 |
| DATAGO-109647 | Upgrade connector to Spring Boot 3.4.9 | 2.9.19 |
| DATAGO-108538 | Upgrade connector to Solace Spring Cloud 4.8.1 | 2.9.19 |
| DATAGO-109668 | Disable the workflow's back-pressure by default for improved performance. The workflow's `acknowledgment.back-pressure-threshold` property now defaults to `-1` (disabled). For flow control, consider using native client back-pressure mechanisms instead. | 2.9.19 |
| DATAGO-110219 | Upgrade connector to Solace JCSMP 10.28.1 | 2.9.19 |
| DATAGO-106868 | Upgrade connector to Spring Cloud 2024.0.2 | 2.9.15 |
| DATAGO-107134 | Upgrade connector to Spring Boot Admin 3.4.7 | 2.9.15 |
| DATAGO-108120 | Upgrade connector base image to Eclipse Temurin 17.0.16_8-jre-alpine (sha256:fc47f4a190b599de0835d98830976f5938588b4c17b07f19dba903d5b29f666e). | 2.9.15 |
| DATAGO-107408 | Upgrade connector to JCSMP 10.27.3 | 2.9.15 |
| DATAGO-107376 | Upgrade connector to Spring Boot 3.4.8 | 2.9.15 |
| DATAGO-104294 | Upgrade connector to JCSMP 10.27.2 | 2.9.12 |
| DATAGO-104715 | Upgrade connector to Spring Boot 3.4.7 | 2.9.12 |
| DATAGO-104989 | Deprecate the `maskNumber()` function in the transformation capabilities | 2.9.12 |
| DATAGO-105064 | Upgrade IBM MQ connector to com.ibm.mq.jakarta.client 9.4.3.0 | 2.9.12 |
| DATAGO-102715 | Upgrade connector to Spring Boot 3.4.6 | 2.9.8 |
| DATAGO-102716 | Upgrade connector to JCSMP 10.27.1 | 2.9.8 |
| DATAGO-103438 | Upgrade connector to IBM MQ Jakarta Client 9.4.2.1 | 2.9.8 |
| DATAGO-102718 | Upgrade connector to Spring Boot Admin 3.4.6 | 2.9.8 |
| DATAGO-99793 | Upgrade connector base image to Eclipse Temurin 17.0.15_6-jre-alpine (sha256:b10e4fda9d71b3819a91fbb0dbb28512edbb37a45f6af2a301c780223bb42fb8). | 2.9.5 |
| DATAGO-99796 | Upgrade connector to Spring Boot 3.4.5 | 2.9.5 |
| DATAGO-99525 | Upgrade connector to JCSMP 10.27.0 | 2.9.5 |
| DATAGO-99526 | Upgrade connector to Solace Spring Cloud 4.8.0 | 2.9.5 |
| DATAGO-99616 | Upgrade connector to IBM MQ Jakarta Client 9.4.2.0 | 2.9.5 |
| DATAGO-97477 | Upgrade connector to Spring Cloud 2024.0.1 | 2.9.2 |
| DATAGO-97166 | Upgrade connector to JCSMP 10.26.0 | 2.9.2 |
| DATAGO-97529 | Upgrade connector to Spring Boot 3.4.4 | 2.9.2 |
| DATAGO-97063 | Upgrade connector to Spring Boot Admin 3.4.5 | 2.9.2 |
| DATAGO-95501 | Upgrade connector base image to Eclipse Temurin 17.0.14_7-jre-alpine (sha256:865cca6d0b31f284a5fc4e8cbd8f9375f470fd07cf6e909cea62f2790d4187fe). | 2.9.0 |
| DATAGO-95206 | Upgrade connector to Spring Boot Admin 3.4.2 | 2.9.0 |
| DATAGO-95698 | Upgrade connector to Spring Boot 3.4.3 | 2.9.0 |
| DATAGO-92733 | Upgrade connector to JCSMP 10.25.2 | 2.8.2 |
| DATAGO-93224 | Upgrade connector base image to Eclipse Temurin 17.0.13_11-jre-alpine (sha256:8164ba7f332faf27462e055013c2aa518a2eba1ce6984e9ca60dadb899cab6bd). | 2.8.2 |
| DATAGO-93220 | Upgrade connector to Solace Spring Cloud 4.7.0 | 2.8.2 |
| DATAGO-89778 | Upgrade connector to Spring Boot 3.4.1 and Spring Cloud 2024.0.0 | 2.8.2 |
| DATAGO-93240 | Upgrade connector to Spring Boot 3.4.2 | 2.8.2 |
| DATAGO-90429 | `jms_destination` is now exposed as a message header of type `jakarta.jms.Destination`, enabling its use in header transformation expressions. | 2.7.0 |
| DATAGO-91311 | Upgrade connector to Spring Boot 3.3.7 | 2.7.0 |
| DATAGO-89976 | Upgrade connector to Spring Cloud 2023.0.4 | 2.6.11 |
| DATAGO-89278 | Upgrade connector to Spring Boot 3.3.6 | 2.6.11 |
| DATAGO-89279 | Upgrade connector base image to Eclipse Temurin 17.0.13_11-jre-alpine (sha256:fcf70ae7ba37872c7d1da875593321c3e90bd9a02c6b4bfde5a1260b08b8f178). | 2.6.11 |
| DATAGO-87474 | Upgrade connector base image to Eclipse Temurin 17.0.13_11-jre-alpine (sha256:148f1c965d9314fc1207b7719f0eec35a374ad2ccfb8200268b5ac17a25e05fd). | 2.6.9 |
| DATAGO-87054 | Upgrade connector JCSMP library version to 10.25.1 | 2.6.9 |
| DATAGO-87477 | Upgrade connector to Spring Boot 3.3.5 | 2.6.9 |
| DATAGO-86506 | Upgrade connector JCSMP library version to 10.25.0 | 2.6.8 |
| DATAGO-84696 | Upgrade connector base image to Eclipse Temurin 17.0.12_7-jre-alpine (sha256:31c3cc1b2b02ae43a3af8a34b0d4a20208818355b68f3112933f9e8fa5be9a3b). Fixes expat and openssl vulnerabilities. | 2.6.8 |
| DATAGO-83539 | Upgrade connector base image to Eclipse Temurin 17.0.12_7-jre-alpine. | 2.6.4 |
| DATAGO-82916 | Upgrade connector JCSMP library version to 10.24.1 | 2.6.4 |
| DATAGO-79393 | The Solace binder now supports OAuth authorization to the Solace broker. Several configuration properties were added to allow a credentials grant from the configured IDP. | 2.6.0 |
| DATAGO-75127 | Secure connections to IBM MQ can now be configured via Spring's SSL Bundles. SSL Bundles are a new way of defining SSL properties in Spring configuration. More information is available in the Spring documentation: [Securing Spring Boot Applications With SSL](https://spring.io/blog/2023/06/07/securing-spring-boot-applications-with-ssl) | 2.3.0 |
| DATAGO-77045 | Upgrade connector base image to Eclipse Temurin 17.0.11_9-jre-alpine. | 2.3.0 |
| Resolved in Version | Severity (CVSS v3 Score) | Vulnerability ID | Solace Reference Number | Affected Products | Description |
|---|---|---|---|---|---|
| 2.14.0 | CVSS v3: 7.5 (HIGH) | DATAGO-137948 | JAR |
Improper Handling of Case Sensitivity vulnerability in LockOutRealm in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Older unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
|
|
| 2.14.0 | CVSS v3: 7.5 (HIGH) | DATAGO-137948 | JAR |
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117. Older, unsupported versions may also be affected. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.
|
|
| 2.14.0 | CVSS v3: 9.1 (CRITICAL) | DATAGO-137948 | JAR |
Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
|
|
| 2.14.0 | CVSS v3: 9.8 (CRITICAL) | DATAGO-137948 | JAR |
Improper Input Validation vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 10.0.0-M1 through 10.0.27. Older, end of support versions may also be affected. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.
|
|
| 2.14.0 | CVSS v3: 7.3 (HIGH) | DATAGO-137948 | JAR |
Exposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.2 through 9.0.117, from 8.5.24 through 8.5.100, from 7.0.83 through 7.0.109. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118, which fix the issue.
|
|
| 2.14.0 | CVSS v3: 9.8 (CRITICAL) | DATAGO-137948 | JAR |
DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from before 7.0.0. Older unsupported versions any also be affect Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
|
|
| 2.14.0 | CVSS v3: 9.8 (CRITICAL) | DATAGO-139205 | JAR |
A flaw was found in gnutls. Servers configured with RSA-PSK (Rivest–Shamir–Adleman – Pre-Shared Key) wrongfully matched usernames containing a NUL character with truncated usernames. A remote attacker could exploit this by sending a specially crafted username, leading to an authentication bypass. This vulnerability allows an attacker to gain unauthorized access by circumventing the authentication process.
|
|
| 2.14.0 | CVSS v3: 7.4 (HIGH) | DATAGO-139205 | JAR |
A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of `nameConstraints` labels, specifically for `dNSName` (DNS) or `rfc822Name` (email) constraints within `excludedSubtrees` or `permittedSubtrees`. A remote attacker can exploit this by crafting a leaf certificate with casing differences in the Subject Alternative Name (SAN), leading to a policy bypass where a certificate that should be rejected is instead accepted. This could result in unauthorized access or information disclosure.
|
|
| 2.14.0 | CVSS v3: 9.1 (CRITICAL) | DATAGO-139205 | JAR |
A flaw in GnuTLS DTLS handshake parsing allows malformed fragments with zero length and non-zero offset, leading to an integer underflow during reassembly and resulting in an out-of-bounds read. This issue is remotely exploitable and may cause information disclosure or denial of service.
|
|
| 2.14.0 | CVSS v3: 8.1 (HIGH) | DATAGO-139625 | JAR |
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SimpleTrustManagerFactory.engineGetTrustManagers() and related paths wrap any user-supplied plain X509TrustManager in X509TrustManagerWrapper, which extends X509ExtendedTrustManager but implements the 3-arg checkServerTrusted(chain, authType, SSLEngine) by discarding the SSLEngine and calling the 2-arg delegate. Because the object now IS an X509ExtendedTrustManager, neither SunJSSE's internal AbstractTrustManagerWrapper nor Netty's own OpenSslX509TrustManagerWrapper will re-wrap it to add endpoint-identification. Consequently, even though Netty 4.2 sets endpointIdentificationAlgorithm="HTTPS" by default, a client built with `SslContextBuilder.forClient().trustManager(somePlainX509TrustManager)` performs no hostname verification at all. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
|
|
| 2.14.0 | CVSS v3: 7.5 (HIGH) | DATAGO-139625 | JAR |
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SimpleTrustManagerFactory.engineGetTrustManagers() and related paths wrap any user-supplied plain X509TrustManager in X509TrustManagerWrapper, which extends X509ExtendedTrustManager but implements the 3-arg checkServerTrusted(chain, authType, SSLEngine) by discarding the SSLEngine and calling the 2-arg delegate. Because the object now IS an X509ExtendedTrustManager, neither SunJSSE's internal AbstractTrustManagerWrapper nor Netty's own OpenSslX509TrustManagerWrapper will re-wrap it to add endpoint-identification. Consequently, even though Netty 4.2 sets endpointIdentificationAlgorithm="HTTPS" by default, a client built with `SslContextBuilder.forClient().trustManager(somePlainX509TrustManager)` performs no hostname verification at all. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
|
|
| 2.14.0 | CVSS v3: 7.5 (HIGH) | DATAGO-139625 | JAR |
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SimpleTrustManagerFactory.engineGetTrustManagers() and related paths wrap any user-supplied plain X509TrustManager in X509TrustManagerWrapper, which extends X509ExtendedTrustManager but implements the 3-arg checkServerTrusted(chain, authType, SSLEngine) by discarding the SSLEngine and calling the 2-arg delegate. Because the object now IS an X509ExtendedTrustManager, neither SunJSSE's internal AbstractTrustManagerWrapper nor Netty's own OpenSslX509TrustManagerWrapper will re-wrap it to add endpoint-identification. Consequently, even though Netty 4.2 sets endpointIdentificationAlgorithm="HTTPS" by default, a client built with `SslContextBuilder.forClient().trustManager(somePlainX509TrustManager)` performs no hostname verification at all. Versions 4.1.135.Final and 4.2.15.Final patch the issue.
|
|
| 2.14.0 | CVSS v3: 7.5 (HIGH) | DATAGO-135763 | JAR |
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload bytes - 22 bytes if compressedLength == 1 - to force that allocation. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
|
|
| 2.14.0 | CVSS v3: 8.9 (HIGH) | DATAGO-134443 | JAR |
Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all (core modules). This vulnerability is associated with program files FrodoEngine.Java. This issue affects BC-JAVA: from 1.71 before 1.80.2, from 1.81 before 1.80.1, from 1.82 before 1.84.
|
|
| 2.14.0 | CVSS v3: 5.5 (MEDIUM) | DATAGO-134443 | JAR |
Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (prov modules). This vulnerability is associated with program files LDAPStoreHelper. This issue affects BC-JAVA: from 1.74 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84.
|
|
| 2.14.0 | CVSS v3: 7.5 (HIGH) | DATAGO-135788 | JAR |
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS responses can exploit the decoder, and user-influenced hostnames can exploit the encoder. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
|
|
| 2.14.0 | CVSS v3: 7.5 (HIGH) | DATAGO-135407 | JAR |
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
|
|
| 2.14.0 | CVSS v3: 7.3 (HIGH) | DATAGO-135407 | JAR |
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message’s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
|
|
| 2.14.0 | CVSS v3: 5.8 (MEDIUM) | DATAGO-135407 | JAR |
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker that sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
|
|
| 2.14.0 | CVSS v3: 5.3 (MEDIUM) | DATAGO-135407 | JAR |
Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does not apply the same validation. `HttpRequestEncoder` and `RtspEncoder` then write the URI into the request line verbatim. If attacker-controlled input reaches `setUri()`, this enables CRLF injection and insertion of additional HTTP or RTSP requests, leading to HTTP request smuggling or desynchronization on the HTTP side and request injection on the RTSP side. This issue is fixed in versions 4.2.13.Final and 4.1.133.Final.
|
|
| 2.14.0 | CVSS v3: 6.5 (MEDIUM) | DATAGO-135407 | JAR |
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
|
|
| 2.14.0 | CVSS v3: 6.5 (MEDIUM) | DATAGO-135407 | JAR |
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
|
|
| 2.13.0 | CVSS v3: 8.7 (HIGH) | DATAGO-126998 | JAR |
### Summary The non-blocking (async) JSON parser in `jackson-core` bypasses the `maxNumberLength` constraint (default: 1000 characters) defined in `StreamReadConstraints`. This allows an attacker to send JSON with arbitrarily long numbers through the async parser API, leading to excessive memory allocation and potential CPU exhaustion, resulting in a Denial of Service (DoS). The standard synchronous parser correctly enforces this limit, but the async parser fails to do so, creating an inconsistent enforcement policy. ### Details The root cause is that the async parsing path in `NonBlockingUtf8JsonParserBase` (and related classes) does not call the methods responsible for number length validation. - The number parsing methods (e.g., `_finishNumberIntegralPart`) accumulate digits into the `TextBuffer` without any length checks. - After parsing, they call `_valueComplete()`, which finalizes the token but does *not* call `resetInt()` or `resetFloat()`. - The `resetInt()`/`resetFloat()` methods in `ParserBase` are where the `validateIntegerLength()` and `validateFPLength()` checks are performed. - Because this validation step is skipped, the `maxNumberLength` constraint is never enforced in the async code path. ### PoC The following JUnit 5 test demonstrates the vulnerability. It shows that the async parser accepts a 5,000-digit number, whereas the limit should be 1,000. ```j
|
|
| 2.12.0 | CVSS v3: 8.2 (HIGH) | DATAGO-129613 | JAR |
Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path. This issue affects Spring Boot: from 4.0 before 4.0.3, from 3.5 before 3.5.11, from 3.4 before 3.4.15. This CVE is similar but not equivalent to CVE-2026-22733, as the conditions for exploit and vulnerable versions are different.
|
|
| 2.12.0 | CVSS v3: 8.2 (HIGH) | DATAGO-129613 | JAR |
Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints. This issue affects Spring Security: from 4.0.0 through 4.0.3, from 3.5.0 through 3.5.11, from 3.4.0 through 3.4.14, from 3.3.0 through 3.3.17, from 2.7.0 through 2.7.31.
|
|
| 2.11.1 | CVSS v3: 6.1 (MEDIUM) | DATAGO-123751 | JAR |
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Ja
|
|
| 2.11.1 | CVSS v3: 7.4 (HIGH) | | DATAGO-123751 | JAR | Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: AWT, JavaFX). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and |
| 2.11.1 | CVSS v3: 6.5 | netty-codec-http-4.1.128.Final.jar | DATAGO-123652 | JAR | Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection in the request URI when constructing a request. This leads to request smuggling when `HttpRequestEncoder` is used without proper sanitization of the URI. Any application or framework using `HttpRequestEncoder` can be abused to perform request smuggling via CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue. |
| 2.11.1 | CVSS v3: 7.8 (HIGH) | | DATAGO-122787 | JAR | LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes a heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54. |
| 2.11.1 | CVSS v3: 8.2 (HIGH) | | DATAGO-109708 | JAR | A flaw was found in GnuTLS. A double-free vulnerability exists in GnuTLS due to incorrect ownership handling in the export logic of Subject Alternative Name (SAN) entries containing an otherName. If the type-id OID is invalid or malformed, GnuTLS will call asn1_delete_structure() on an ASN.1 node it does not own, leading to a double-free condition when the parent function or caller later attempts to free the same structure. This vulnerability can be triggered using only public GnuTLS APIs and may result in denial of service or memory corruption, depending on allocator behavior. |
| 2.11.1 | CVSS v3: 6.9 | logback-core-1.5.18.jar | DATAGO-116834 | JAR | ACE (arbitrary code execution) vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.18 in Java applications allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution. |
| 2.11.1 | CVSS v3: 5.3 (MEDIUM) | | DATAGO-123188 | Image | Issue summary: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS#7 data. Impact summary: An application performing signature verification of PKCS#7 data or calling the PKCS7_digest_from_attributes() function directly can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The function PKCS7_digest_from_attributes() accesses the message digest attribute value without validating its type. When the type is not V_ASN1_OCTET_STRING, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash. Exploiting this vulnerability requires an attacker to provide a malformed signed PKCS#7 to an application that verifies it. The impact of the exploit is just a Denial of Service; the PKCS7 API is legacy and applications should be using the CMS API instead. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. |
| 2.11.1 | CVSS v3: 9.8 (CRITICAL) | | DATAGO-123188 | Image | Issue summary: Parsing CMS AuthEnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow. Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution. When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs. Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue. |
| 2.10.1 | CVSS v3: 6.5 (MEDIUM) | | DATAGO-120097 | JAR | Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection in the request URI when constructing a request. This leads to request smuggling when `HttpRequestEncoder` is used without proper sanitization of the URI. Any application or framework using `HttpRequestEncoder` can be abused to perform request smuggling via CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue. |
| 2.10.1 | CVSS v3: 5.3 | tomcat-embed-core-10.1.46.jar | DATAGO-116515 | JAR | Improper Resource Shutdown or Release vulnerability in Apache Tomcat. |
| 2.9.25 | CVSS v3: 6.9 | logback-core-1.5.18.jar | DATAGO-116525 | JAR | ACE (arbitrary code execution) vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.18 in Java applications allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution. |
| 2.9.25 | CVSS v3: 5.3 | tomcat-embed-core-10.1.46.jar | DATAGO-116515 | JAR | Improper Resource Shutdown or Release vulnerability in Apache Tomcat. |
| 2.9.22 | CVSS v3: 7.5 | spring-security-core-6.5.3.jar | DATAGO-111875 | JAR | Spring Security authorization bypass for method security annotations on parameterized types. |
| 2.9.22 | CVSS v3: 5.8 | nimbus-jose-jwt-9.37.3.jar | DATAGO-106713 | JAR | Connect2id Nimbus JOSE + JWT before 10.0.2 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson. |
| 2.9.22 | CVSS v3: 7.5 | netty-codec-4.1.124.Final.jar | DATAGO-110853 | JAR | Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with specially crafted input, BrotliDecoder and certain other decompression decoders will allocate a large number of reachable byte buffers, which can lead to denial of service. BrotliDecoder.decompress has no limit on how often it calls pull, decompressing data 64K bytes at a time. The buffers are saved in the output list, and remain reachable until OOM is hit. This is fixed in versions 4.1.125.Final of netty-codec and 4.2.5.Final of netty-codec-compression. |
| 2.9.22 | CVSS v3: 7.5 | spring-core-6.2.10.jar | DATAGO-111876 | JAR | The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions. |
| 2.9.19 | CVSS v3: 7.5 | tomcat-embed-core-10.1.43.jar | DATAGO-109131 | JAR | Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the "made you reset" attack. |
| 2.9.19 | CVSS v3: 5.9 | spring-beans-6.2.9.jar | DATAGO-109374 | JAR | Spring Framework MVC applications can be vulnerable to a "Path Traversal Vulnerability" when deployed on a non-compliant Servlet container. |
| 2.9.19 | CVSS v3: 5.9 | spring-webmvc-6.2.9.jar | DATAGO-109375 | JAR | Spring Framework MVC applications can be vulnerable to a "Path Traversal Vulnerability" when deployed on a non-compliant Servlet container. |
| 2.9.15 | CVSS v3: 5.3 | commons-lang3-3.17.0.jar | DATAGO-106220 | JAR | Uncontrolled Recursion vulnerability in Apache Commons Lang. |
| 2.9.12 | CVSS v3: 6.5 | tomcat-embed-core-10.1.41.jar | DATAGO-104376 | JAR | Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. |
| 2.9.12 | CVSS v3: 6.5 | spring-web-6.2.7.jar | DATAGO-104295 | JAR | In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header with a non-ASCII charset, where the filename attribute is derived from user-supplied input. |
| 2.9.8 | CVSS v3: 3.1 | spring-context-6.2.6.jar | DATAGO-102515 | JAR | CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names. However, there are still cases where it is possible to bypass the disallowedFields checks. |
| 2.9.8 | CVSS v3: 9.1 | spring-security-core-6.4.5.jar | DATAGO-102683 | JAR | Spring Security Aspects may not correctly locate method security annotations on private methods. This can cause an authorization bypass. |
| 2.9.5 | CVSS v3: 7.5 (HIGH) | | DATAGO-100430 | Image | In SQLite 3.44.0 through 3.49.0 before 3.49.1, the concat_ws() SQL function can cause memory to be written beyond the end of a malloc-allocated buffer. If the separator argument is attacker-controlled and has a large string (e.g., 2MB or more), an integer overflow occurs in calculating the size of the result buffer, and thus malloc may not allocate enough memory. |
| 2.9.5 | CVSS v3: 7.5 | httpclient5-5.4.2.jar | DATAGO-99888 | JAR | A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 release. |
| 2.9.2 | CVSS v3: 7.5 (HIGH) | | DATAGO-96240 | Image | Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a specially crafted packet is received via SslHandler, it doesn't correctly handle validation of such a packet in all cases, which can lead to a native crash. Version 4.1.118.Final contains a patch. As a workaround, it is possible to either disable the usage of the native SSLEngine or change the code manually. |
| 2.9.2 | CVSS v3: 5.3 | spring-security-core-6.4.3.jar | DATAGO-97533 | JAR | Spring Security 6.4.0 through 6.4.3 may not correctly locate method security annotations on parameterized types or methods. This may cause an authorization bypass. Your application may be affected by this if the following are true: |
| 2.9.2 | CVSS v3: 7.4 | spring-security-crypto-6.4.3.jar | DATAGO-97534 | JAR | BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same. |
| 2.9.0 | CVSS v3: 5.5 | netty-common-4.1.117.Final.jar | DATAGO-94912 | JAR | Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of an environment file could potentially cause a denial of service in Netty. When loaded in a Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a file and makes it large, the Netty application crashes. A similar issue was previously reported as CVE-2024-47535. This issue was fixed, but the fix was incomplete in that null bytes were not counted against the input limit. Commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contains an updated fix. |
| 2.9.0 | CVSS v3: 7.5 | json-smart-2.5.1.jar | DATAGO-94030 | JAR | A security issue was found in Netplex Json-smart 2.5.0 through 2.5.1. When loading a specially crafted JSON input containing a large number of '{' characters, a stack exhaustion can be triggered, which could allow an attacker to cause a Denial of Service (DoS). This issue exists because of an incomplete fix for CVE-2023-1370. |
| 2.9.0 | CVSS v3: 7.5 | netty-handler-4.1.117.Final.jar | DATAGO-94911 | JAR | Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a specially crafted packet is received via SslHandler, it doesn't correctly handle validation of such a packet in all cases, which can lead to a native crash. Version 4.1.118.Final contains a patch. As a workaround, it is possible to either disable the usage of the native SSLEngine or change the code manually. |
| 2.8.2 | CVSS v3: 4.4 | logback-core-1.5.12.jar | DATAGO-91429 | JAR | ACE (arbitrary code execution) vulnerability in JaninoEventEvaluator by QOS.CH logback-core. |
| 2.8.2 | CVSS v3: 6.6 | logback-classic-1.5.12.jar | DATAGO-91430 | JAR | ACE (arbitrary code execution) vulnerability in JaninoEventEvaluator by QOS.CH logback-core. |
| 2.7.0 | CVSS v3: 5.3 | spring-webmvc-6.1.15.jar | DATAGO-91495 | JAR | Spring MVC controller methods with an @RequestBody byte[] method parameter are vulnerable to a DoS attack. |
| 2.7.0 | CVSS v3: 9.8 | tomcat-embed-core-10.1.33.jar | DATAGO-91084 | JAR | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration). |
| 2.6.11 | CVSS v3: 5.5 | netty-common-4.1.114.Final.jar | DATAGO-89346 | JAR | Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of an environment file could potentially cause a denial of service in Netty. When loaded in a Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a file and makes it large, the Netty application crashes. This vulnerability is fixed in 4.1.115. |
| 2.6.11 | CVSS v3: 7.5 | spring-webmvc-6.1.13.jar | DATAGO-87570 | JAR | Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running. |
| 2.6.11 | CVSS v3: 7.5 | tomcat-embed-core-10.1.24.jar | DATAGO-79943 | JAR | Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. |
| 2.6.11 | CVSS v3: 4.8 | spring-security-core-6.3.4.jar | DATAGO-89424 | JAR | The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in authorization rules not working properly. |
| 2.6.9 | CVSS v3: 7.5 | spring-webmvc-6.1.13.jar | DATAGO-87571 | JAR | Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running. |
| 2.6.9 | CVSS v3: 9.1 | spring-security-web-6.3.3.jar | DATAGO-87581 | JAR | Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances. |
| 2.6.8 | CVSS v3: 7.5 | spring-webmvc-6.1.12.jar | DATAGO-84986 | JAR | Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running. |
| 2.6.8 | CVSS v3: 7.5 (HIGH) | | DATAGO-85256 | Image | Summary: When parsing unknown fields in the Protobuf Java Lite and Full library, a maliciously crafted message can cause a StackOverflow error and lead to a program crash. Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team. |
| 2.6.4 | CVSS v3: 6.5 | spring-security-config-6.3.1.jar | DATAGO-83112 | JAR | Missing Authorization when using @AuthorizeReturnObject in Spring Security 6.3.0 and 6.3.1 allows an attacker to render security annotations ineffective. |
| 2.6.4 | CVSS v3: 6.5 | spring-web-6.1.11.jar | DATAGO-82871 | JAR | Spring Framework is vulnerable to DoS via conditional HTTP requests. Applications that parse ETags from "If-Match" or "If-None-Match" request headers are vulnerable to a Denial of Service attack. All versions before 5.3.38, 6.0.23 and 6.1.12 are affected. |
| 2.6.4 | CVSS v3: 5.5 (MEDIUM) | | DATAGO-78433 | JAR | A use-after-free vulnerability was discovered in the xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1. |
| 2.6.0 | CVSS v3: 5.5 | tomcat-embed-core-10.1.24.jar | DATAGO-79942 | JAR | Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. |
| 2.6.0 | CVSS v3: 7.5 (HIGH) | | DATAGO-79942 | Image | Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue. |
| 2.3.0 | CVSS v3: 5.9 | bcprov-jdk18on-1.77.jar | DATAGO-75569 | JAR | BouncyCastle before version 1.78 is vulnerable to timing side-channel attacks against RSA decryption (both PKCS#1v1.5 and OAEP). |
| 2.3.0 | CVSS v3: 5.3 (MODERATE) | | DATAGO-76734 | Image | An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters. |
| 2.3.0 | CVSS v3: 5.5 (MEDIUM) | | DATAGO-74149 | JAR | An issue was discovered in the FIPS Java API of Bouncy Castle BC-FJA before 1.0.2.4. Changes to the JVM garbage collector in Java 13 and later trigger an issue in the BC-FJA FIPS modules where it is possible for temporary keys used by the module to be zeroed out while still in use by the module, resulting in errors or potential information loss. NOTE: FIPS compliant users are unaffected because the FIPS certification is only for Java 7, 8, and 11. |
| 2.3.0 | CVSS v3: 8.2 | spring-security-core-6.2.2.jar | DATAGO-76734 | JAR | In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, versions 6.2.x prior to 6.2.3, an application is possibly vulnerable to broken access control when it directly uses the AuthenticatedVoter#vote passing a null Authentication parameter. |
| 2.3.0 | CVSS v3: 7.5 (HIGH) | | DATAGO-73977 | JAR | libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed. |
| 2.1.7 | CVSS v3: 8.1 | spring-web-6.1.5.jar | DATAGO-75012 | JAR | Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect attack or to an SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22259 and CVE-2024-22243, but with different input. |