Category

Java

Security vulnerabilities and automated fixes for java issues

6 posts found

critical8 min

How command injection happens in Java Runtime.exec() and how to fix it

A critical OS command injection vulnerability (CWE-78) was discovered in `page-object/sample-application/src/main/java/com/iluwatar/pageobject/App.java` at line 81, where a single-string invocation of `Runtime.getRuntime().exec()` passed a concatenated command directly to the Windows shell, allowing an attacker who controls the `applicationFile` value to chain arbitrary OS commands. The fix replaces this dangerous pattern with a properly constructed `ProcessBuilder` that uses absolute executable

#command-injection#java#cwe-78+4 more
O
orbisai0security
Jun 14, 2026
high5 min

How Spring Boot EndpointRequest.to() security bypass happens in Java Spring Boot and how to fix it

CVE-2025-22235 is a high-severity vulnerability in Spring Boot where `EndpointRequest.to()` creates an incorrect request matcher when an actuator endpoint is not exposed, potentially allowing unauthorized access to protected endpoints. The fix upgrades Spring Boot from 3.4.4 to 3.4.5 in the anti-corruption-layer service's `pom.xml`. This is particularly dangerous because actuator endpoints can expose sensitive operational data and administrative functions.

#security#spring-boot#java+4 more
O
orbisai0security
Jun 7, 2026
critical8 min

How command injection happens in Java Runtime.exec() and how to fix it

A critical command injection vulnerability was discovered in `page-object/src/main/java/com/iluwatar/pageobject/App.java` where `Runtime.getRuntime().exec()` was used to launch a file using `cmd.exe` with a directly concatenated file path. An attacker who could control the `applicationFile` variable could inject shell metacharacters to execute arbitrary system commands with the privileges of the running Java process. The fix replaces the unsafe `exec()` call with a properly tokenized `ProcessBui

#command-injection#java#runtime-exec+4 more
O
orbisai0security
Jun 6, 2026
high8 min

Unrevocable Backdoor: Fixing Token Invalidation in PersistentTokenBasedRememberMeServices

A high-severity security flaw in Halo's `PersistentTokenBasedRememberMeServices` allowed stolen remember-me tokens to remain permanently valid — even after expiration was detected. The vulnerable implementation explicitly documented that expired tokens would *not* be removed from storage, meaning an attacker who stole a cookie could retain access indefinitely. The fix ensures expired tokens are immediately deleted from storage the moment they are detected, closing a persistent backdoor.

#java#spring-security#remember-me+4 more
O
orbisai0security
Jun 1, 2026
low7 min

SQL Injection via String Formatting: How Parameterized Queries Save the Day

A database query in DBeaver's Altibase extension was constructing SQL statements using `String.format()` with user-controlled input, creating a classic SQL injection vulnerability. The fix replaces the unsafe string interpolation with parameterized queries using `PreparedStatement`, ensuring user input is always treated as data rather than executable SQL. This type of vulnerability is deceptively simple to introduce but equally simple to fix once you know what to look for.

#sql-injection#java#jdbc+4 more
O
orbisai0security
May 28, 2026
critical8 min

Decrypted Secrets in Plain Sight: Fixing AES Log Exposure in Java

A critical vulnerability was discovered in AESEncryption.java where decrypted plaintext was being printed directly to standard output, exposing sensitive data to anyone with access to application logs. This fix eliminates the dangerous logging pattern that completely undermined the purpose of AES encryption. Understanding this vulnerability is essential for any developer building applications that handle sensitive encrypted data.

#java#aes#encryption+4 more
O
orbisai0security
Apr 23, 2026