Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/20143?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/20143?format=api", "purl": "pkg:maven/org.springframework.security/spring-security-core@3.0.8.RELEASE", "type": "maven", "namespace": "org.springframework.security", "name": "spring-security-core", "version": "3.0.8.RELEASE", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "5.7.14", "latest_non_vulnerable_version": "6.5.4", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/4985?format=api", "vulnerability_id": "VCID-8jtc-ehgu-x3c5", "summary": "When using the CAS Proxy ticket authentication from Spring Security 3.1 to 3.2.4 a malicious CAS Service could trick another CAS Service into authenticating a proxy ticket that was not associated. This is due to the fact that the proxy ticket authentication uses the information from the HttpServletRequest which is populated based upon untrusted information within the HTTP request. This means if there are access control restrictions on which CAS services can authenticate to one another, those restrictions can be bypassed. If users are not using CAS Proxy tickets and not basing access control decisions based upon the CAS Service, then there is no impact to users.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-3527.json", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-3527.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2014-3527", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00359", "scoring_system": "epss", "scoring_elements": "0.58076", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00359", "scoring_system": "epss", "scoring_elements": "0.57957", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00359", "scoring_system": "epss", "scoring_elements": "0.58041", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00359", "scoring_system": "epss", "scoring_elements": "0.58063", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00359", "scoring_system": "epss", "scoring_elements": "0.58038", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00359", "scoring_system": "epss", "scoring_elements": "0.58092", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00359", "scoring_system": "epss", "scoring_elements": "0.58096", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00359", "scoring_system": "epss", "scoring_elements": "0.58112", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00359", "scoring_system": "epss", "scoring_elements": "0.58089", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00359", "scoring_system": "epss", "scoring_elements": "0.58068", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00359", "scoring_system": "epss", "scoring_elements": "0.58099", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00359", "scoring_system": "epss", "scoring_elements": "0.581", "published_at": "2026-04-18T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2014-3527" }, { "reference_url": "https://github.com/spring-projects/spring-security", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/spring-projects/spring-security" }, { "reference_url": "https://github.com/spring-projects/spring-security/commit/2cb99f079152ac05cee5c90457c7feb3bb2de55", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/spring-projects/spring-security/commit/2cb99f079152ac05cee5c90457c7feb3bb2de55" }, { "reference_url": "https://github.com/spring-projects/spring-security/commit/934937d9c1dc20c396b96c08310b72cfa627acb", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/spring-projects/spring-security/commit/934937d9c1dc20c396b96c08310b72cfa627acb" }, { "reference_url": "https://github.com/spring-projects/spring-security/issues/2907", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/spring-projects/spring-security/issues/2907" }, { "reference_url": "https://jira.spring.io/browse/SEC-2688", "reference_id": "", "reference_type": "", "scores": [], "url": "https://jira.spring.io/browse/SEC-2688" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3527", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3527" }, { "reference_url": "https://pivotal.io/security/cve-2014-3527", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://pivotal.io/security/cve-2014-3527" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1131359", "reference_id": "1131359", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1131359" }, { "reference_url": "https://bugzilla.redhat.com/CVE-2014-3527", "reference_id": "CVE-2014-3527", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/CVE-2014-3527" }, { "reference_url": "http://www.gopivotal.com/security/cve-2014-3527", "reference_id": "CVE-2014-3527", "reference_type": "", "scores": [], "url": "http://www.gopivotal.com/security/cve-2014-3527" }, { "reference_url": "https://spring.io/blog/2014/08/15/cve-2014-3527-fixed-in-spring-security-3-2-5-and-3-1-7", "reference_id": "CVE-2014-3527-FIXED-IN-SPRING-SECURITY-3-2-5-AND-3-1-7", "reference_type": "", "scores": [], "url": "https://spring.io/blog/2014/08/15/cve-2014-3527-fixed-in-spring-security-3-2-5-and-3-1-7" }, { "reference_url": "https://github.com/advisories/GHSA-wmv4-5w76-vp9g", "reference_id": "GHSA-wmv4-5w76-vp9g", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wmv4-5w76-vp9g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/72799?format=api", "purl": "pkg:maven/org.springframework.security/spring-security-core@3.1.7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@3.1.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/159785?format=api", "purl": "pkg:maven/org.springframework.security/spring-security-core@3.1.7.RELEASE", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-cden-3spy-pyhz" }, { "vulnerability": "VCID-deuk-emca-3kgr" }, { "vulnerability": "VCID-dfs4-emmn-f3eb" }, { "vulnerability": "VCID-dwcq-d6nf-1ubn" }, { "vulnerability": "VCID-u6vb-w2bu-ykfk" }, { "vulnerability": "VCID-yeaf-ta2h-p7c1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@3.1.7.RELEASE" }, { "url": "http://public2.vulnerablecode.io/api/packages/72800?format=api", "purl": "pkg:maven/org.springframework.security/spring-security-core@3.2.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@3.2.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/159789?format=api", "purl": "pkg:maven/org.springframework.security/spring-security-core@3.2.5.RELEASE", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-cden-3spy-pyhz" }, { "vulnerability": "VCID-deuk-emca-3kgr" }, { "vulnerability": "VCID-dfs4-emmn-f3eb" }, { "vulnerability": "VCID-dwcq-d6nf-1ubn" }, { "vulnerability": "VCID-u6vb-w2bu-ykfk" }, { "vulnerability": "VCID-yeaf-ta2h-p7c1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@3.2.5.RELEASE" } ], "aliases": [ "CVE-2014-3527", "GHSA-wmv4-5w76-vp9g" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8jtc-ehgu-x3c5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55588?format=api", "vulnerability_id": "VCID-cden-3spy-pyhz", "summary": "Integer overflow in BCrypt class in Spring Security\nSpring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-22976.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-22976.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-22976", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0036", "scoring_system": "epss", "scoring_elements": "0.58196", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.0036", "scoring_system": "epss", "scoring_elements": "0.58221", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.0036", "scoring_system": "epss", "scoring_elements": "0.58218", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.0036", "scoring_system": "epss", "scoring_elements": "0.58186", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.0036", "scoring_system": "epss", "scoring_elements": "0.58207", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.0036", "scoring_system": "epss", "scoring_elements": "0.5823", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.0036", "scoring_system": "epss", "scoring_elements": "0.58213", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.0036", "scoring_system": "epss", "scoring_elements": "0.5821", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.0036", "scoring_system": "epss", "scoring_elements": "0.58156", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.0036", "scoring_system": "epss", "scoring_elements": "0.58182", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.0036", "scoring_system": "epss", "scoring_elements": "0.58161", "published_at": "2026-04-02T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-22976" }, { "reference_url": "https://github.com/spring-projects/spring-security", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/spring-projects/spring-security" }, { "reference_url": "https://github.com/spring-projects/spring-security/commit/388a7b62b906bd56deadb7ca45248fa1a63bdf12", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/spring-projects/spring-security/commit/388a7b62b906bd56deadb7ca45248fa1a63bdf12" }, { "reference_url": "https://github.com/spring-projects/spring-security/commit/a40f73521c0dd88b879ff6165d280e78bdf8154f", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/spring-projects/spring-security/commit/a40f73521c0dd88b879ff6165d280e78bdf8154f" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22976", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22976" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20220707-0003", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.netapp.com/advisory/ntap-20220707-0003" }, { "reference_url": "https://tanzu.vmware.com/security/cve-2022-22976", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://tanzu.vmware.com/security/cve-2022-22976" }, { "reference_url": "https://www.oracle.com/security-alerts/cpujul2022.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2087214", "reference_id": "2087214", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2087214" }, { "reference_url": "https://github.com/advisories/GHSA-wx54-3278-m5g4", "reference_id": "GHSA-wx54-3278-m5g4", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wx54-3278-m5g4" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:5532", "reference_id": "RHSA-2022:5532", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:5532" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3663", "reference_id": "RHSA-2023:3663", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3663" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/82654?format=api", "purl": "pkg:maven/org.springframework.security/spring-security-core@5.5.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-dwcq-d6nf-1ubn" }, { "vulnerability": "VCID-u6vb-w2bu-ykfk" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.5.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/82655?format=api", "purl": "pkg:maven/org.springframework.security/spring-security-core@5.6.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8dx4-u4aa-xuet" }, { "vulnerability": "VCID-dwcq-d6nf-1ubn" }, { "vulnerability": "VCID-u6vb-w2bu-ykfk" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.6.4" } ], "aliases": [ "CVE-2022-22976", "GHSA-wx54-3278-m5g4" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cden-3spy-pyhz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/4842?format=api", "vulnerability_id": "VCID-deuk-emca-3kgr", "summary": "An issue was discovered in Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1. Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded \"/\" to a request, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. The unexpected presence of path parameters can cause a constraint to be bypassed. Users of Apache Tomcat (all current versions) are not affected by this vulnerability since Tomcat follows the guidance previously provided by the Servlet Expert group and strips path parameters from the value returned by getContextPath(), getServletPath(), and getPathInfo(). Users of other Servlet containers based on Apache Tomcat may or may not be affected depending on whether or not the handling of path parameters has been modified. Users of IBM WebSphere Application Server 8.5.x are known to be affected. Users of other containers that implement the Servlet specification may be affected.", "references": [ { "reference_url": "https://access.redhat.com/errata/RHSA-2017:1832", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://access.redhat.com/errata/RHSA-2017:1832" }, { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-9879.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-9879.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2016-9879", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00322", "scoring_system": "epss", "scoring_elements": "0.5531", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00322", "scoring_system": "epss", "scoring_elements": "0.55267", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00322", "scoring_system": "epss", "scoring_elements": "0.55318", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00322", "scoring_system": "epss", "scoring_elements": "0.55329", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00322", "scoring_system": "epss", "scoring_elements": "0.55308", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00322", "scoring_system": "epss", "scoring_elements": "0.55289", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00322", "scoring_system": "epss", "scoring_elements": "0.55327", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00322", "scoring_system": "epss", "scoring_elements": "0.55331", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00322", "scoring_system": "epss", "scoring_elements": "0.55162", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00322", "scoring_system": "epss", "scoring_elements": "0.55263", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00322", "scoring_system": "epss", "scoring_elements": "0.55286", "published_at": "2026-04-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2016-9879" }, { "reference_url": "https://github.com/spring-projects/spring-security/commit/666e356ebc479194ba51e43bb99fc42f849b6175", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/spring-projects/spring-security/commit/666e356ebc479194ba51e43bb99fc42f849b6175" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9879", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9879" }, { "reference_url": "http://www.securityfocus.com/bid/95142", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.securityfocus.com/bid/95142" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1409838", "reference_id": "1409838", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1409838" }, { "reference_url": "https://pivotal.io/security/cve-2016-9879", "reference_id": "CVE-2016-9879", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://pivotal.io/security/cve-2016-9879" }, { "reference_url": "https://github.com/advisories/GHSA-v35c-49j6-q8hq", "reference_id": "GHSA-v35c-49j6-q8hq", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v35c-49j6-q8hq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/23757?format=api", "purl": "pkg:maven/org.springframework.security/spring-security-core@3.2.10.RELEASE", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-cden-3spy-pyhz" }, { "vulnerability": "VCID-dfs4-emmn-f3eb" }, { "vulnerability": "VCID-dwcq-d6nf-1ubn" }, { "vulnerability": "VCID-u6vb-w2bu-ykfk" }, { "vulnerability": "VCID-yeaf-ta2h-p7c1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@3.2.10.RELEASE" }, { "url": "http://public2.vulnerablecode.io/api/packages/23758?format=api", "purl": "pkg:maven/org.springframework.security/spring-security-core@4.1.4.RELEASE", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-cden-3spy-pyhz" }, { "vulnerability": "VCID-dwcq-d6nf-1ubn" }, { "vulnerability": "VCID-hedq-eav6-4fee" }, { "vulnerability": "VCID-qpxj-fzta-v7bs" }, { "vulnerability": "VCID-u6vb-w2bu-ykfk" }, { "vulnerability": "VCID-yeaf-ta2h-p7c1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@4.1.4.RELEASE" }, { "url": "http://public2.vulnerablecode.io/api/packages/23759?format=api", "purl": "pkg:maven/org.springframework.security/spring-security-core@4.2.1.RELEASE", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-cden-3spy-pyhz" }, { "vulnerability": "VCID-dwcq-d6nf-1ubn" }, { "vulnerability": "VCID-f3g5-hamr-6yar" }, { "vulnerability": "VCID-hedq-eav6-4fee" }, { "vulnerability": "VCID-pz7c-p4ze-kfhc" }, { "vulnerability": "VCID-qpxj-fzta-v7bs" }, { "vulnerability": "VCID-u6vb-w2bu-ykfk" }, { "vulnerability": "VCID-xdnd-ar9s-afd8" }, { "vulnerability": "VCID-yeaf-ta2h-p7c1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@4.2.1.RELEASE" } ], "aliases": [ "CVE-2016-9879", "GHSA-v35c-49j6-q8hq" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-deuk-emca-3kgr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/5095?format=api", "vulnerability_id": "VCID-dfs4-emmn-f3eb", "summary": "Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-5007.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-5007.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2016-5007", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00155", "scoring_system": "epss", "scoring_elements": "0.36232", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00155", "scoring_system": "epss", "scoring_elements": "0.36183", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00155", "scoring_system": "epss", "scoring_elements": "0.36235", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00155", "scoring_system": "epss", "scoring_elements": "0.3625", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00155", "scoring_system": "epss", "scoring_elements": "0.36207", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00155", "scoring_system": "epss", "scoring_elements": "0.36133", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00155", "scoring_system": "epss", "scoring_elements": "0.36328", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00155", "scoring_system": "epss", "scoring_elements": "0.3636", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00155", "scoring_system": "epss", "scoring_elements": "0.36196", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00155", "scoring_system": "epss", "scoring_elements": "0.36245", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00155", "scoring_system": "epss", "scoring_elements": "0.36264", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00155", "scoring_system": "epss", "scoring_elements": "0.36269", "published_at": "2026-04-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2016-5007" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5007", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5007" }, { "reference_url": "https://github.com/advisories/GHSA-8crv-49fr-2h6j", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8crv-49fr-2h6j" }, { "reference_url": "https://github.com/spring-projects/spring-framework/commit/a30ab30e4e9ae021fdda04e9abfc228476b846b5", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/spring-projects/spring-framework/commit/a30ab30e4e9ae021fdda04e9abfc228476b846b5" }, { "reference_url": "https://github.com/spring-projects/spring-security/commit/e4c13e3c0ee7f06f59d3b43ca6734215ad7d8974", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/spring-projects/spring-security/commit/e4c13e3c0ee7f06f59d3b43ca6734215ad7d8974" }, { "reference_url": "https://github.com/spring-projects/spring-security/issues/3964", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/spring-projects/spring-security/issues/3964" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5007", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5007" }, { "reference_url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" }, { "reference_url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html" }, { "reference_url": "http://www.securityfocus.com/bid/91687", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.securityfocus.com/bid/91687" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1353902", "reference_id": "1353902", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1353902" }, { "reference_url": "https://pivotal.io/security/cve-2016-5007", "reference_id": "CVE-2016-5007", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://pivotal.io/security/cve-2016-5007" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/77744?format=api", "purl": "pkg:maven/org.springframework.security/spring-security-core@4.1.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@4.1.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/24214?format=api", "purl": "pkg:maven/org.springframework.security/spring-security-core@4.1.1.RELEASE", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-cden-3spy-pyhz" }, { "vulnerability": "VCID-deuk-emca-3kgr" }, { "vulnerability": "VCID-dwcq-d6nf-1ubn" }, { "vulnerability": "VCID-hedq-eav6-4fee" }, { "vulnerability": "VCID-qpxj-fzta-v7bs" }, { "vulnerability": "VCID-u6vb-w2bu-ykfk" }, { "vulnerability": "VCID-yeaf-ta2h-p7c1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@4.1.1.RELEASE" } ], "aliases": [ "CVE-2016-5007", "GHSA-8crv-49fr-2h6j" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dfs4-emmn-f3eb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/16850?format=api", "vulnerability_id": "VCID-dwcq-d6nf-1ubn", "summary": "Erroneous authentication pass in Spring Security\nIn Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, versions 6.2.x prior to 6.2.3, an application is possible vulnerable to broken access control when it directly uses the AuthenticatedVoter#vote passing a null Authentication parameter.\n\nSpecifically, an application is vulnerable if:\n\nThe application uses AuthenticatedVoter directly and a null authentication parameter is passed to it resulting in an erroneous true return value.\n\nAn application is not vulnerable if any of the following is true:\n\n* The application does not use AuthenticatedVoter#vote directly.\n* The application does not pass null to AuthenticatedVoter#vote.\n\nNote that AuthenticatedVoter is deprecated since 5.8, use implementations of AuthorizationManager as a replacement.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-22257.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-22257.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-22257", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00264", "scoring_system": "epss", "scoring_elements": "0.49769", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00264", "scoring_system": "epss", "scoring_elements": "0.49797", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00264", "scoring_system": "epss", "scoring_elements": "0.49751", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00264", "scoring_system": "epss", "scoring_elements": "0.4975", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00264", "scoring_system": "epss", "scoring_elements": "0.49778", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00264", "scoring_system": "epss", "scoring_elements": "0.49765", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00264", "scoring_system": "epss", "scoring_elements": "0.4971", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00264", "scoring_system": "epss", "scoring_elements": "0.49759", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00264", "scoring_system": "epss", "scoring_elements": "0.49732", "published_at": "2026-04-02T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-22257" }, { "reference_url": "https://github.com/spring-projects/spring-security", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/spring-projects/spring-security" }, { "reference_url": "https://github.com/spring-projects/spring-security/commit/5a7f12f1a9fdb4edaab6f61495f1d781a7273b61", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/spring-projects/spring-security/commit/5a7f12f1a9fdb4edaab6f61495f1d781a7273b61" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22257", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22257" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20240419-0005", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.netapp.com/advisory/ntap-20240419-0005" }, { "reference_url": "https://spring.io/security/cve-2024-22257", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-12T15:22:14Z/" } ], "url": "https://spring.io/security/cve-2024-22257" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270158", "reference_id": "2270158", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270158" }, { "reference_url": "https://github.com/advisories/GHSA-f3jh-qvm4-mg39", "reference_id": "GHSA-f3jh-qvm4-mg39", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-f3jh-qvm4-mg39" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20240419-0005/", "reference_id": "ntap-20240419-0005", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-12T15:22:14Z/" } ], "url": "https://security.netapp.com/advisory/ntap-20240419-0005/" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:3708", "reference_id": "RHSA-2024:3708", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:3708" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/56509?format=api", "purl": "pkg:maven/org.springframework.security/spring-security-core@5.7.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-u6vb-w2bu-ykfk" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.7.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/56510?format=api", "purl": "pkg:maven/org.springframework.security/spring-security-core@5.8.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-u6vb-w2bu-ykfk" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.8.11" }, { "url": "http://public2.vulnerablecode.io/api/packages/56511?format=api", "purl": "pkg:maven/org.springframework.security/spring-security-core@6.1.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-u6vb-w2bu-ykfk" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.1.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/56513?format=api", "purl": "pkg:maven/org.springframework.security/spring-security-core@6.2.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-u6vb-w2bu-ykfk" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.2.3" } ], "aliases": [ "CVE-2024-22257", "GHSA-f3jh-qvm4-mg39" ], "risk_score": 4.4, "exploitability": "0.5", "weighted_severity": "8.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dwcq-d6nf-1ubn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/14505?format=api", "vulnerability_id": "VCID-u6vb-w2bu-ykfk", "summary": "Spring Framework has Authorization Bypass for Case Sensitive Comparisons\nThe usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in authorization rules not working properly.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-38827.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-38827.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-38827", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00294", "scoring_system": "epss", "scoring_elements": "0.52713", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00294", "scoring_system": "epss", "scoring_elements": "0.52729", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00294", "scoring_system": "epss", "scoring_elements": "0.52653", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00294", "scoring_system": "epss", "scoring_elements": "0.52627", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00294", "scoring_system": "epss", "scoring_elements": "0.5262", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00294", "scoring_system": "epss", "scoring_elements": "0.5267", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00294", "scoring_system": "epss", "scoring_elements": "0.52664", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00294", "scoring_system": "epss", "scoring_elements": "0.52715", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00294", "scoring_system": "epss", "scoring_elements": "0.52698", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00294", "scoring_system": "epss", "scoring_elements": "0.52722", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00294", "scoring_system": "epss", "scoring_elements": "0.52683", "published_at": "2026-04-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-38827" }, { "reference_url": "https://github.com/spring-projects/spring-framework", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/spring-projects/spring-framework" }, { "reference_url": "https://github.com/spring-projects/spring-framework/commit/11d4272ff48b4a4dabc4b28dfbff0364a4204bc9", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/spring-projects/spring-framework/commit/11d4272ff48b4a4dabc4b28dfbff0364a4204bc9" }, { "reference_url": "https://github.com/spring-projects/spring-framework/issues/33708", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/spring-projects/spring-framework/issues/33708" }, { "reference_url": "https://github.com/spring-projects/spring-framework/issues/34232", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/spring-projects/spring-framework/issues/34232" }, { "reference_url": "https://github.com/spring-projects/spring-security", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/spring-projects/spring-security" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38827", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38827" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20250124-0007", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.netapp.com/advisory/ntap-20250124-0007" }, { "reference_url": "https://spring.io/security/cve-2024-38827", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-02T15:27:02Z/" } ], "url": "https://spring.io/security/cve-2024-38827" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2329971", "reference_id": "2329971", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2329971" }, { "reference_url": "https://github.com/advisories/GHSA-q3v6-hm2v-pw99", "reference_id": "GHSA-q3v6-hm2v-pw99", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-q3v6-hm2v-pw99" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/50898?format=api", "purl": "pkg:maven/org.springframework.security/spring-security-core@5.7.14", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.7.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/50902?format=api", "purl": "pkg:maven/org.springframework.security/spring-security-core@5.8.16", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.8.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/50903?format=api", "purl": "pkg:maven/org.springframework.security/spring-security-core@6.0.14", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.0.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/50906?format=api", "purl": "pkg:maven/org.springframework.security/spring-security-core@6.1.12", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.1.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/50907?format=api", "purl": "pkg:maven/org.springframework.security/spring-security-core@6.2.8", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.2.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/50908?format=api", "purl": "pkg:maven/org.springframework.security/spring-security-core@6.3.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.3.5" } ], "aliases": [ "CVE-2024-38827", "GHSA-q3v6-hm2v-pw99" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-u6vb-w2bu-ykfk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47756?format=api", "vulnerability_id": "VCID-yeaf-ta2h-p7c1", "summary": "Privilege escalation in spring security\nSpring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request.A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22112.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22112.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-22112", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00979", "scoring_system": "epss", "scoring_elements": "0.76783", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00979", "scoring_system": "epss", "scoring_elements": "0.76792", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00979", "scoring_system": "epss", "scoring_elements": "0.76787", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00979", "scoring_system": "epss", "scoring_elements": "0.76754", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00979", "scoring_system": "epss", "scoring_elements": "0.76688", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00979", "scoring_system": "epss", "scoring_elements": "0.76703", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00979", "scoring_system": "epss", "scoring_elements": "0.76721", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00979", "scoring_system": "epss", "scoring_elements": "0.76692", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00979", "scoring_system": "epss", "scoring_elements": "0.76774", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00979", "scoring_system": "epss", "scoring_elements": "0.76746", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00979", "scoring_system": "epss", "scoring_elements": "0.76735", "published_at": "2026-04-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-22112" }, { "reference_url": "https://github.com/spring-projects/spring-security", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/spring-projects/spring-security" }, { "reference_url": "https://github.com/spring-projects/spring-security/releases/tag/5.4.4", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/spring-projects/spring-security/releases/tag/5.4.4" }, { "reference_url": "https://lists.apache.org/thread.html/r163b3e4e39803882f5be05ee8606b2b9812920e196daa2a82997ce14@%3Cpluto-dev.portals.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/r163b3e4e39803882f5be05ee8606b2b9812920e196daa2a82997ce14@%3Cpluto-dev.portals.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r2cb05e499807900ba23e539643eead9c5f0652fd271f223f89da1804@%3Cpluto-scm.portals.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/r2cb05e499807900ba23e539643eead9c5f0652fd271f223f89da1804@%3Cpluto-scm.portals.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r37423ec7eea340e92a409452c35b649dce02fdc467f0b3f52086c177@%3Cpluto-dev.portals.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/r37423ec7eea340e92a409452c35b649dce02fdc467f0b3f52086c177@%3Cpluto-dev.portals.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r3868207b967f926819fe3aa8d33f1666429be589bb4a62104a49f4e3@%3Cpluto-dev.portals.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/r3868207b967f926819fe3aa8d33f1666429be589bb4a62104a49f4e3@%3Cpluto-dev.portals.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r390783b3b1c59b978131ac08390bf77fbb3863270cbde59d5b0f5fde@%3Cpluto-dev.portals.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/r390783b3b1c59b978131ac08390bf77fbb3863270cbde59d5b0f5fde@%3Cpluto-dev.portals.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r413e380088c427f56102968df89ef2f336473e1b56b7d4b3a571a378@%3Cpluto-dev.portals.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/r413e380088c427f56102968df89ef2f336473e1b56b7d4b3a571a378@%3Cpluto-dev.portals.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/r89aa1b48a827f5641310305214547f1d6b2101971a49b624737c497f@%3Cpluto-dev.portals.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/r89aa1b48a827f5641310305214547f1d6b2101971a49b624737c497f@%3Cpluto-dev.portals.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/ra53677224fe4f04c2599abc88032076faa18dc84b329cdeba85d4cfc@%3Cpluto-scm.portals.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/ra53677224fe4f04c2599abc88032076faa18dc84b329cdeba85d4cfc@%3Cpluto-scm.portals.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/ra6389b1b82108a3b6bbcd22979f7665fd437c2a3408c9509a15a9ca1@%3Cpluto-dev.portals.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/ra6389b1b82108a3b6bbcd22979f7665fd437c2a3408c9509a15a9ca1@%3Cpluto-dev.portals.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/redbd004a503b3520ae5746c2ab5e93fd7da807a8c128e60d2002cd9b@%3Cissues.nifi.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/redbd004a503b3520ae5746c2ab5e93fd7da807a8c128e60d2002cd9b@%3Cissues.nifi.apache.org%3E" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22112", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22112" }, { "reference_url": "https://tanzu.vmware.com/security/cve-2021-22112", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://tanzu.vmware.com/security/cve-2021-22112" }, { "reference_url": "https://www.jenkins.io/security/advisory/2021-02-19", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.jenkins.io/security/advisory/2021-02-19" }, { "reference_url": "https://www.jenkins.io/security/advisory/2021-02-19/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.jenkins.io/security/advisory/2021-02-19/" }, { "reference_url": "https://www.oracle.com/security-alerts/cpuApr2021.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "reference_url": "https://www.oracle.com//security-alerts/cpujul2021.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "reference_url": "https://www.oracle.com/security-alerts/cpuoct2021.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2021/02/19/7", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2021/02/19/7" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1931453", "reference_id": "1931453", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1931453" }, { "reference_url": "https://security.archlinux.org/AVG-1595", "reference_id": "AVG-1595", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-1595" }, { "reference_url": "https://github.com/advisories/GHSA-gq28-h5vg-8prx", "reference_id": "GHSA-gq28-h5vg-8prx", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gq28-h5vg-8prx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/569369?format=api", "purl": "pkg:maven/org.springframework.security/spring-security-core@5.2.9", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.2.9" }, { "url": "http://public2.vulnerablecode.io/api/packages/231525?format=api", "purl": "pkg:maven/org.springframework.security/spring-security-core@5.2.9.RELEASE", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-cden-3spy-pyhz" }, { "vulnerability": "VCID-dwcq-d6nf-1ubn" }, { "vulnerability": "VCID-u6vb-w2bu-ykfk" }, { "vulnerability": "VCID-ykkv-ahjn-d7eb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.2.9.RELEASE" }, { "url": "http://public2.vulnerablecode.io/api/packages/569368?format=api", "purl": "pkg:maven/org.springframework.security/spring-security-core@5.3.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-ykkv-ahjn-d7eb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.3.9" }, { "url": "http://public2.vulnerablecode.io/api/packages/231532?format=api", "purl": "pkg:maven/org.springframework.security/spring-security-core@5.3.9.RELEASE", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-cden-3spy-pyhz" }, { "vulnerability": "VCID-dwcq-d6nf-1ubn" }, { "vulnerability": "VCID-u6vb-w2bu-ykfk" }, { "vulnerability": "VCID-ykkv-ahjn-d7eb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.3.9.RELEASE" }, { "url": "http://public2.vulnerablecode.io/api/packages/231537?format=api", "purl": "pkg:maven/org.springframework.security/spring-security-core@5.4.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-cden-3spy-pyhz" }, { "vulnerability": "VCID-dwcq-d6nf-1ubn" }, { "vulnerability": "VCID-u6vb-w2bu-ykfk" }, { "vulnerability": "VCID-ykkv-ahjn-d7eb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.4.4" } ], "aliases": [ "CVE-2021-22112", "GHSA-gq28-h5vg-8prx" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yeaf-ta2h-p7c1" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/6758?format=api", "vulnerability_id": "VCID-w4q4-38gp-m3d8", "summary": "Exposure of Sensitive Information to an Unauthorized Actor\nThis package does not check the password if the user is not found, which makes the response delay shorter and might allow remote attackers to enumerate valid usernames via a series of login requests.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-5055.json", "reference_id": "", "reference_type": "", "scores": [], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-5055.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2012-5055", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00359", "scoring_system": "epss", "scoring_elements": "0.58097", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00359", "scoring_system": "epss", "scoring_elements": "0.58111", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00359", "scoring_system": "epss", "scoring_elements": "0.5809", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00359", "scoring_system": "epss", "scoring_elements": "0.58121", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00359", "scoring_system": "epss", "scoring_elements": "0.58122", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00359", "scoring_system": "epss", "scoring_elements": "0.57979", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00359", "scoring_system": "epss", "scoring_elements": "0.58063", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00359", "scoring_system": "epss", "scoring_elements": "0.58085", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00359", "scoring_system": "epss", "scoring_elements": "0.58059", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00359", "scoring_system": "epss", "scoring_elements": "0.58114", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00359", "scoring_system": "epss", "scoring_elements": "0.58118", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00359", "scoring_system": "epss", "scoring_elements": "0.58134", "published_at": "2026-04-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2012-5055" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5055", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv2", "scoring_elements": "AV:N/AC:L/Au:N/C:P/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5055" }, { "reference_url": "http://support.springsource.com/security/CVE-2012-5055", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://support.springsource.com/security/CVE-2012-5055" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=886031", "reference_id": "886031", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=886031" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:vmware:springsource_spring_security:*:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:vmware:springsource_spring_security:*:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:vmware:springsource_spring_security:*:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:vmware:springsource_spring_security:2.0.0:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:vmware:springsource_spring_security:2.0.0:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:vmware:springsource_spring_security:2.0.0:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:vmware:springsource_spring_security:2.0.1:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:vmware:springsource_spring_security:2.0.1:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:vmware:springsource_spring_security:2.0.1:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:vmware:springsource_spring_security:2.0.2:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:vmware:springsource_spring_security:2.0.2:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:vmware:springsource_spring_security:2.0.2:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:vmware:springsource_spring_security:2.0.3:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:vmware:springsource_spring_security:2.0.3:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:vmware:springsource_spring_security:2.0.3:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:vmware:springsource_spring_security:2.0.4:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:vmware:springsource_spring_security:2.0.4:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:vmware:springsource_spring_security:2.0.4:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:vmware:springsource_spring_security:2.0.5:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:vmware:springsource_spring_security:2.0.5:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:vmware:springsource_spring_security:2.0.5:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:vmware:springsource_spring_security:3.0.0:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:vmware:springsource_spring_security:3.0.0:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:vmware:springsource_spring_security:3.0.0:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:vmware:springsource_spring_security:3.0.1:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:vmware:springsource_spring_security:3.0.1:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:vmware:springsource_spring_security:3.0.1:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:vmware:springsource_spring_security:3.0.2:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:vmware:springsource_spring_security:3.0.2:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:vmware:springsource_spring_security:3.0.2:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:vmware:springsource_spring_security:3.0.3:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:vmware:springsource_spring_security:3.0.3:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:vmware:springsource_spring_security:3.0.3:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:vmware:springsource_spring_security:3.0.4:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:vmware:springsource_spring_security:3.0.4:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:vmware:springsource_spring_security:3.0.4:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:vmware:springsource_spring_security:3.0.5:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:vmware:springsource_spring_security:3.0.5:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:vmware:springsource_spring_security:3.0.5:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:vmware:springsource_spring_security:3.1.1:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:vmware:springsource_spring_security:3.1.1:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:vmware:springsource_spring_security:3.1.1:*:*:*:*:*:*:*" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:vmware:springsource_spring_security:3.1.2:*:*:*:*:*:*:*", "reference_id": "cpe:2.3:a:vmware:springsource_spring_security:3.1.2:*:*:*:*:*:*:*", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:vmware:springsource_spring_security:3.1.2:*:*:*:*:*:*:*" }, { "reference_url": "http://support.springsource.com/security/cve-2012-5055", "reference_id": "CVE-2012-5055", "reference_type": "", "scores": [], "url": "http://support.springsource.com/security/cve-2012-5055" }, { "reference_url": "https://github.com/advisories/GHSA-3533-rvpc-6x56", "reference_id": "GHSA-3533-rvpc-6x56", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3533-rvpc-6x56" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2013:0649", "reference_id": "RHSA-2013:0649", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2013:0649" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/84564?format=api", "purl": "pkg:maven/org.springframework.security/spring-security-core@2.0.8", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@2.0.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/20142?format=api", "purl": "pkg:maven/org.springframework.security/spring-security-core@2.0.8.RELEASE", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8jtc-ehgu-x3c5" }, { "vulnerability": "VCID-cden-3spy-pyhz" }, { "vulnerability": "VCID-dfs4-emmn-f3eb" }, { "vulnerability": "VCID-dwcq-d6nf-1ubn" }, { "vulnerability": "VCID-u6vb-w2bu-ykfk" }, { "vulnerability": "VCID-yeaf-ta2h-p7c1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@2.0.8.RELEASE" }, { "url": "http://public2.vulnerablecode.io/api/packages/84565?format=api", "purl": "pkg:maven/org.springframework.security/spring-security-core@3.0.8", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@3.0.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/20143?format=api", "purl": "pkg:maven/org.springframework.security/spring-security-core@3.0.8.RELEASE", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8jtc-ehgu-x3c5" }, { "vulnerability": "VCID-cden-3spy-pyhz" }, { "vulnerability": "VCID-deuk-emca-3kgr" }, { "vulnerability": "VCID-dfs4-emmn-f3eb" }, { "vulnerability": "VCID-dwcq-d6nf-1ubn" }, { "vulnerability": "VCID-u6vb-w2bu-ykfk" }, { "vulnerability": "VCID-yeaf-ta2h-p7c1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@3.0.8.RELEASE" }, { "url": "http://public2.vulnerablecode.io/api/packages/84566?format=api", "purl": "pkg:maven/org.springframework.security/spring-security-core@3.1.3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@3.1.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/20144?format=api", "purl": "pkg:maven/org.springframework.security/spring-security-core@3.1.3.RELEASE", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8jtc-ehgu-x3c5" }, { "vulnerability": "VCID-cden-3spy-pyhz" }, { "vulnerability": "VCID-deuk-emca-3kgr" }, { "vulnerability": "VCID-dfs4-emmn-f3eb" }, { "vulnerability": "VCID-dwcq-d6nf-1ubn" }, { "vulnerability": "VCID-u6vb-w2bu-ykfk" }, { "vulnerability": "VCID-yeaf-ta2h-p7c1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@3.1.3.RELEASE" } ], "aliases": [ "CVE-2012-5055", "GHSA-3533-rvpc-6x56" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-w4q4-38gp-m3d8" } ], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@3.0.8.RELEASE" }