Security vulnerabilities and automated fixes for java issues
6 posts found
A critical OS command injection vulnerability (CWE-78) was discovered in `page-object/sample-application/src/main/java/com/iluwatar/pageobject/App.java` at line 81, where a single-string invocation of `Runtime.getRuntime().exec()` passed a concatenated command directly to the Windows shell, allowing an attacker who controls the `applicationFile` value to chain arbitrary OS commands. The fix replaces this dangerous pattern with a properly constructed `ProcessBuilder` that uses absolute executable
CVE-2025-22235 is a high-severity vulnerability in Spring Boot where `EndpointRequest.to()` creates an incorrect request matcher when an actuator endpoint is not exposed, potentially allowing unauthorized access to protected endpoints. The fix upgrades Spring Boot from 3.4.4 to 3.4.5 in the anti-corruption-layer service's `pom.xml`. This is particularly dangerous because actuator endpoints can expose sensitive operational data and administrative functions.
A critical command injection vulnerability was discovered in `page-object/src/main/java/com/iluwatar/pageobject/App.java` where `Runtime.getRuntime().exec()` was used to launch a file using `cmd.exe` with a directly concatenated file path. An attacker who could control the `applicationFile` variable could inject shell metacharacters to execute arbitrary system commands with the privileges of the running Java process. The fix replaces the unsafe `exec()` call with a properly tokenized `ProcessBui
A high-severity security flaw in Halo's `PersistentTokenBasedRememberMeServices` allowed stolen remember-me tokens to remain permanently valid — even after expiration was detected. The vulnerable implementation explicitly documented that expired tokens would *not* be removed from storage, meaning an attacker who stole a cookie could retain access indefinitely. The fix ensures expired tokens are immediately deleted from storage the moment they are detected, closing a persistent backdoor.
A database query in DBeaver's Altibase extension was constructing SQL statements using `String.format()` with user-controlled input, creating a classic SQL injection vulnerability. The fix replaces the unsafe string interpolation with parameterized queries using `PreparedStatement`, ensuring user input is always treated as data rather than executable SQL. This type of vulnerability is deceptively simple to introduce but equally simple to fix once you know what to look for.
A critical vulnerability was discovered in AESEncryption.java where decrypted plaintext was being printed directly to standard output, exposing sensitive data to anyone with access to application logs. This fix eliminates the dangerous logging pattern that completely undermined the purpose of AES encryption. Understanding this vulnerability is essential for any developer building applications that handle sensitive encrypted data.