Josh Cummings
Josh has been a software engineer for over 15 years building enterprise applications across multiple industries. He has long been passionate about application security and loves opportunities to mentor and to learn from others about security awareness.
When Josh isn't hacking away at code, he is either running, playing basketball, camping, or reading a Brandon Sanderson novel.
CVE-2019-11272: Spring Security 4.2.13 Released
We have released Spring Security 4.2.13 to address CVE-2019-11272: PlaintextPasswordEncoder authenticates encoded passwords that are null.
Users are encouraged to update immediately.
With Spring Boot, you can override the Spring Security version in Maven like so:
<properties>
    <spring-security.version>4.2.13.RELEASE</spring-security.version>
</properties>
Or in Gradle like so:
ext['spring-security.version'] = '4.2.13.RELEASE'
Note that users of Spring Security 5+ are not affected by this vulnerability: the deprecated org.springframework.security.authentication.encoding package, which contained PlaintextPasswordEncoder, was removed in 5.0.
CVE-2019-11269: Spring Security OAuth 2.3.6, 2.2.5, 2.1.5, 2.0.18 Released
We have released Spring Security OAuth 2.3.6, 2.2.5, 2.1.5 and 2.0.18 to address CVE-2019-11269: Open Redirector in spring-security-oauth2. Please review the information in the CVE report and upgrade immediately.
For additional changes included in each release, please refer to:
NOTE: For users of Spring Boot 1.5.x and Spring IO Platform Cairo, it is highly recommended to override the spring-security-oauth version to the latest version containing the fix for the CVE. Please see the Mitigation section in the CVE report…
Spring Security 5.2.0.M2 Released
On behalf of the community, I’m pleased to announce the release of Spring Security 5.2.0.M2! This release includes 100+ updates. You can find the highlights below:
OAuth 2.0
gh-6446 - Client Support for PKCE
PKCE isn't just for native or browser-based apps; it applies any time the client is public, that is, cannot be trusted to keep a client secret. Spring Security 5.2 adds client-side PKCE support so that a backend can act as a public client and still have its authorization code bound to the request that started the flow.
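The exchange that PKCE adds to the authorization-code flow, shown here as an added example in Python rather than as code from Spring Security: the public client derives a code_challenge from a random code_verifier and sends only the challenge on the authorization request; the authorization server stores the challenge with the issued code and, at the token endpoint, accepts the code only together with a verifier that reproduces it. The AuthorizationServer class and pkce_round_trip helper are assumptions made for illustration; the verifier/challenge pair checked in the usage note is the test vector from RFC 7636 Appendix B.

```python
"""PKCE (RFC 7636) round trip between a public client and an authorization
server. Illustrative code, not Spring Security's implementation."""
import base64
import hashlib
import hmac
import re
import secrets

# code_verifier: 43..128 unreserved characters (RFC 7636 section 4.1)
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9._~-]{43,128}$")


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 Appendix A specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """Client side: 32 random bytes encode to 43 characters, the RFC minimum."""
    return b64url(secrets.token_bytes(32))


def code_challenge(verifier: str, method: str = "S256") -> str:
    """Client side: derive the value sent as code_challenge on /authorize."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":  # permitted by the RFC only when S256 is unavailable
        return verifier
    raise ValueError(f"unsupported code_challenge_method: {method!r}")


class AuthorizationServer:
    """Hypothetical stand-in for the two endpoints PKCE touches."""

    def __init__(self) -> None:
        self._codes = {}  # code -> (challenge, method); in-memory for the example

    def authorize(self, challenge: str, method: str) -> str:
        """Authorization endpoint: issue a code bound to the presented challenge."""
        if method not in ("S256", "plain"):
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (challenge, method)
        return code

    def token(self, code: str, verifier: str) -> bool:
        """Token endpoint: the code is single-use and redeemable only with a
        verifier that hashes back to the stored challenge."""
        entry = self._codes.pop(code, None)  # consume the code even on failure
        if entry is None or not _VERIFIER_RE.match(verifier):
            return False
        challenge, method = entry
        # constant-time comparison of the recomputed challenge
        return hmac.compare_digest(code_challenge(verifier, method), challenge)


def pkce_round_trip(attacker_has_code: bool = False) -> bool:
    """Run one flow. With attacker_has_code=True the code is redeemed by a party
    that intercepted it (e.g. via the redirect) but never saw the verifier."""
    server = AuthorizationServer()
    verifier = new_code_verifier()
    code = server.authorize(code_challenge(verifier), "S256")
    if attacker_has_code:
        return server.token(code, new_code_verifier())  # wrong verifier: rejected
    return server.token(code, verifier)
```

With the RFC 7636 Appendix B vector, code_challenge("dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk") returns "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"; pkce_round_trip() succeeds, the intercepted-code replay fails, and a second redemption of the same code fails because the server consumed it on first use.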
gh-5350 - OpenID Connect RP-Initiated Logout
gh-5465 - Ability to use symmetric keys with JwtDecoder
gh-5397 - Ability for NimbusReactiveJwtDecoder to take a custom processor
gh-6513 & gh-5200…
CVE-2019-3795: Spring Security 4.2.12, 5.0.12, 5.1.5 Released
We have released Spring Security 4.2.12, 5.0.12, and 5.1.5 to address CVE-2019-3795: Insecure Randomness with SecureRandomFactoryBean. Users are encouraged to update immediately.
Spring Security 5.1.4 Released
On behalf of the community I am pleased to announce the release of Spring Security 5.1.4 (changelog). This release provides a round of bug fixes and users are encouraged to update to the latest patch release.
Spring Security 5.1.3, 5.0.11, 4.2.11 Released
Spring Security OAuth2 Auto-config 2.0.6 & 2.1.0 Released
On behalf of the community, I’m pleased to announce Spring Security OAuth2 Boot Auto-config 2.0.6 and 2.1.0.
Both releases primarily deliver bug fixes and dependency version updates along with some minor improvements. Of particular note is that they align with the recent releases of Spring Boot.
Note that in 2.1.0, key configuration for the Authorization Server was brought into parity with the Resource Server. It is now possible on the Authorization Server side to configure a single key:
security:
  oauth2:
    authorization:
      jwt:
        key-value: ${PRIVATE_KEY}
similar to…
Spring Security 5.0.8 and 4.2.8 Released
On behalf of the community, I am pleased to announce that Spring Security 5.0.8 (changelog) and 4.2.8 (changelog) have been released. Both releases primarily deliver bug fixes and dependency version updates along with some minor improvements, and they will be included in the Spring Boot maintenance releases coming this week.
Spring Security 5.1.0.RC2 Released
On behalf of the community I am pleased to announce the release of Spring Security 5.1.0.RC2. This release comes with 50+ tickets closed.
As always we look forward to hearing your feedback! You can find the highlights below:
Table of Contents
- …