arXiv
arxiv.org › abs › 2307.08206
[2307.08206] Identifying Vulnerable Third-Party Java Libraries from Textual Descriptions of Vulnerabilities and Libraries
November 17, 2023 - To address these limitations, in this paper, we propose VulLibMiner, the first to identify vulnerable libraries from textual descriptions of both vulnerabilities and libraries, together with VulLib, a Java vulnerability dataset with their affected libraries. VulLibMiner consists of a TF-IDF ...
DZone
dzone.com › refcards › java application vulnerabilities
Java Application Vulnerabilities - DZone Refcards
► Introduction ► Top Java Vulnerabilities ► Unpatched Libraries ► Application Misconfiguration: Exposed Servlet ► Application Misconfiguration: Excessive Permissions ► Application Misconfiguration: Global Error Handling Disabled ...
CVE Details
cvedetails.com › vulnerability-list › vendor_id-93 › product_id-19117 › Oracle-JRE.html
Oracle JRE : Security vulnerabilities, CVEs
This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N). ... Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: 2D).
Duo Security
duo.com › decipher › most-applications-contain-vulnerable-open-source-libraries
Most Applications Contain Vulnerable Open Source Libraries
May 21, 2020
Acunetix
acunetix.com › home › web security blog › the curse of old java libraries
The curse of old Java libraries | Acunetix
January 9, 2024 - By default, SAP Hybris exposes the vjdbc-servlet that is vulnerable to an RCE caused by Java deserialization – CVE-2019-0344 (and which had other serious security issues in the past as well). A test for this vulnerability was added to Acunetix in September 2019. Unfortunately, it looks like SAP fixed only their internal version of VJDBC, and therefore all other software that depends on this library is vulnerable and its creators are probably unaware of the problem. I was unable to report vulnerabilities in these libraries.
Securecodewarrior
securecodewarrior.com › home › blog › new vulnerabilities in spring libraries: how to know if you are at risk and what to do
New vulnerabilities in Spring libraries: how to know if you are at risk and what to do - Blog
August 29, 2024 - Spring released an official statement about the vulnerability, which clarifies that the following conditions need to be met to be vulnerable, according to the current understanding of the vulnerability: ... The exploitation relies on using “Data Binding” (org.springframework.web.bind.WebDataBinder) in requests that make use of Plain Old Java Objects (POJO) in the method signature:
Google Support
support.google.com › faqs › answer › 9464300
Remediation for Vulnerable Libraries with known Security Issues - Google Help
This information is intended for developers with app(s) that contain one or more Java or JavaScript libraries with known security issues (e.g., common vulnerabilities and exposures - CVEs). Although unintended by the app developer, including such vulnerable libraries in an app can put app users ...
Reddit
reddit.com › r/programming › "90% of java services have critical or severe security vulnerabilities"... or about the quirks of security reporting
r/programming on Reddit: "90% of Java services have critical or severe security vulnerabilities"... or about the quirks of security reporting
April 26, 2024 - Also why a lot of enterprise software limits the number of external libraries… that doesn’t make it more secure… but it makes it far less expensive to maintain. ... CVE-2023-35116 caused massive issues for my team, since we use Jackson in pretty much everything, and had to deal with the fallout of an absolutely bullshit "vulnerability" impacting every piece of code we maintain.
The New Stack
thenewstack.io › home › chainguard takes aim at vulnerable java libraries
Chainguard Takes Aim At Vulnerable Java Libraries - The New Stack
March 25, 2025 - “We’ve built Chainguard Libraries, where we go to the source code for these Java libraries. We build them in our SLSA Level 2 build environment, and we ensure that there is no compromise of that code as we build it into a package that developers can then take and use in their environment.” · That view dovetails with Chainguard’s argument about container images — that the primary packages themselves don’t have CVEs in them. The vulnerabilities are in the operating systems they’re built on top of.
The Register
theregister.com › 2022 › 08 › 22 › java_library_flaws
Java libraries are full of deserialization security bugs • The Register
August 22, 2022 - For example, Log4Shell, the remote code execution flaw affecting the Apache Log4j logging library was made possible by Java deserialization. In November 2016, a ransomware attack compromised more than two thousand computers run by the San Francisco Municipal Transportation Agency (SFMTA) via an Apache Commons Collections Deserialization Vulnerability.
julienprog
julienprog.wordpress.com › 2017 › 07 › 30 › how-to-verify-your-java-libraries-have-known-security-vulnerabilities
How to verify your java libraries have known security vulnerabilities ? | julienprog
July 30, 2017 - A Maven plugin can check your Java libraries for known vulnerabilities. It is called dependency-check-maven. The OWASP Dependency-Check utility uses NIST's National Vulnerability Database (NVD) to identify vulnerable dependencies, refreshing its local copy of the NVD data on each run so the results stay current. https://blog.lanyonm....
Taringamberini
taringamberini.com › en › blog › java › ready-to-use-java-dependencies-vulnerability-checker
Ready To Use Java Dependencies Vulnerability Checker - Tarin Gamberini
March 2, 2016 - The paper “The Unfortunate Reality ... and frameworks. 113 million downloads analyzed for the 31 most popular Java frameworks/libs show that 26% had known vulnerabilities....
Snyk
security.snyk.io › snyk vulnerability database › npm
java | Snyk
Bridge API to connect with existing Java APIs.
Red Hat
redhat.com › sysadmin › find-java-vulnerabilities
How to find third-party vulnerabilities in your Java code
November 20, 2025 - For that reason, I'll show you a different Gradle plugin to scan for vulnerabilities. The folks from Sonatype created a Gradle plugin to scan your project called Scan Gradle Plugin, which is backed by the OSS Index catalog. By now, you can probably see where this is going. By having this check within your Java build toolchain, your continuous integration tool can run this scan every time the code changes, reporting any vulnerable dependencies back to you before the code is deployed into production.
Easy Software
easy-software.com › en › support_news › worldwide-security-vulnerability-in-the-java-library-log4j
Worldwide security vulnerability in the Java library Log4j » Dokumentenmanagement Software | EASY SOFTWARE AG
1 day ago - A large number of servers on the Internet are at risk because of the Log4Shell cyber attack on the widely used Java library Log4j. Individual EASY SOFTWARE products are unfortunately also affected.
Lmyslinski
lmyslinski.com › posts › the-ultimate-java-cve-guide-copy
The ultimate guide to Java Security Vulnerabilities (CVE)
Any kind of dynamic classpath manipulation is very dangerous when upgrading dependencies because you might not find out about broken dependencies until runtime hits you with a ClassNotFoundException. It can get even worse, as libraries might be incompatible with one another leading to a fatal situation: