Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:maven/org.springframework.security/spring-security-core@4.2.20.RELEASE
Typemaven
Namespaceorg.springframework.security
Namespring-security-core
Version4.2.20.RELEASE
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version5.7.14
Latest_non_vulnerable_version6.5.4
Affected_by_vulnerabilities
0
url VCID-cden-3spy-pyhz
vulnerability_id VCID-cden-3spy-pyhz
summary 
Integer overflow in BCrypt class in Spring Security
Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-22976.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-22976.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-22976
reference_id
reference_type
scores
0
value 0.0036
scoring_system epss
scoring_elements 0.58221
published_at 2026-04-18T12:55:00Z
1
value 0.0036
scoring_system epss
scoring_elements 0.58218
published_at 2026-04-16T12:55:00Z
2
value 0.0036
scoring_system epss
scoring_elements 0.58186
published_at 2026-04-13T12:55:00Z
3
value 0.0036
scoring_system epss
scoring_elements 0.58207
published_at 2026-04-12T12:55:00Z
4
value 0.0036
scoring_system epss
scoring_elements 0.5823
published_at 2026-04-11T12:55:00Z
5
value 0.0036
scoring_system epss
scoring_elements 0.58213
published_at 2026-04-09T12:55:00Z
6
value 0.0036
scoring_system epss
scoring_elements 0.5821
published_at 2026-04-08T12:55:00Z
7
value 0.0036
scoring_system epss
scoring_elements 0.58156
published_at 2026-04-07T12:55:00Z
8
value 0.0036
scoring_system epss
scoring_elements 0.58182
published_at 2026-04-04T12:55:00Z
9
value 0.0036
scoring_system epss
scoring_elements 0.58161
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-22976
2
reference_url https://github.com/spring-projects/spring-security
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/spring-projects/spring-security
3
reference_url https://github.com/spring-projects/spring-security/commit/388a7b62b906bd56deadb7ca45248fa1a63bdf12
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/spring-projects/spring-security/commit/388a7b62b906bd56deadb7ca45248fa1a63bdf12
4
reference_url https://github.com/spring-projects/spring-security/commit/a40f73521c0dd88b879ff6165d280e78bdf8154f
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/spring-projects/spring-security/commit/a40f73521c0dd88b879ff6165d280e78bdf8154f
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-22976
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-22976
6
reference_url https://security.netapp.com/advisory/ntap-20220707-0003
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20220707-0003
7
reference_url https://tanzu.vmware.com/security/cve-2022-22976
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://tanzu.vmware.com/security/cve-2022-22976
8
reference_url https://www.oracle.com/security-alerts/cpujul2022.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpujul2022.html
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2087214
reference_id 2087214
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2087214
10
reference_url https://github.com/advisories/GHSA-wx54-3278-m5g4
reference_id GHSA-wx54-3278-m5g4
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-wx54-3278-m5g4
11
reference_url https://access.redhat.com/errata/RHSA-2022:5532
reference_id RHSA-2022:5532
reference_type
scores
url https://access.redhat.com/errata/RHSA-2022:5532
12
reference_url https://access.redhat.com/errata/RHSA-2023:3663
reference_id RHSA-2023:3663
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:3663
fixed_packages
0
url pkg:maven/org.springframework.security/spring-security-core@5.5.7
purl pkg:maven/org.springframework.security/spring-security-core@5.5.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dwcq-d6nf-1ubn
1
vulnerability VCID-u6vb-w2bu-ykfk
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.5.7
1
url pkg:maven/org.springframework.security/spring-security-core@5.6.4
purl pkg:maven/org.springframework.security/spring-security-core@5.6.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-8dx4-u4aa-xuet
1
vulnerability VCID-dwcq-d6nf-1ubn
2
vulnerability VCID-u6vb-w2bu-ykfk
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.6.4
aliases CVE-2022-22976, GHSA-wx54-3278-m5g4
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-cden-3spy-pyhz
1
url VCID-dwcq-d6nf-1ubn
vulnerability_id VCID-dwcq-d6nf-1ubn
summary 
Erroneous authentication pass in Spring Security
In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, versions 6.2.x prior to 6.2.3, an application is possible vulnerable to broken access control when it directly uses the AuthenticatedVoter#vote passing a null Authentication parameter.

Specifically, an application is vulnerable if:

The application uses AuthenticatedVoter directly and a null authentication parameter is passed to it resulting in an erroneous true return value.

An application is not vulnerable if any of the following is true:

* The application does not use AuthenticatedVoter#vote directly.
* The application does not pass null to AuthenticatedVoter#vote.

Note that AuthenticatedVoter is deprecated since 5.8, use implementations of AuthorizationManager as a replacement.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-22257.json
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-22257.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-22257
reference_id
reference_type
scores
0
value 0.00264
scoring_system epss
scoring_elements 0.49797
published_at 2026-04-18T12:55:00Z
1
value 0.00264
scoring_system epss
scoring_elements 0.49751
published_at 2026-04-13T12:55:00Z
2
value 0.00264
scoring_system epss
scoring_elements 0.4975
published_at 2026-04-12T12:55:00Z
3
value 0.00264
scoring_system epss
scoring_elements 0.49778
published_at 2026-04-11T12:55:00Z
4
value 0.00264
scoring_system epss
scoring_elements 0.49765
published_at 2026-04-08T12:55:00Z
5
value 0.00264
scoring_system epss
scoring_elements 0.4971
published_at 2026-04-07T12:55:00Z
6
value 0.00264
scoring_system epss
scoring_elements 0.49759
published_at 2026-04-09T12:55:00Z
7
value 0.00264
scoring_system epss
scoring_elements 0.49732
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-22257
2
reference_url https://github.com/spring-projects/spring-security
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/spring-projects/spring-security
3
reference_url https://github.com/spring-projects/spring-security/commit/5a7f12f1a9fdb4edaab6f61495f1d781a7273b61
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/spring-projects/spring-security/commit/5a7f12f1a9fdb4edaab6f61495f1d781a7273b61
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-22257
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-22257
5
reference_url https://security.netapp.com/advisory/ntap-20240419-0005
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20240419-0005
6
reference_url https://spring.io/security/cve-2024-22257
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-12T15:22:14Z/
url https://spring.io/security/cve-2024-22257
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2270158
reference_id 2270158
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2270158
8
reference_url https://github.com/advisories/GHSA-f3jh-qvm4-mg39
reference_id GHSA-f3jh-qvm4-mg39
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-f3jh-qvm4-mg39
9
reference_url https://security.netapp.com/advisory/ntap-20240419-0005/
reference_id ntap-20240419-0005
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-12T15:22:14Z/
url https://security.netapp.com/advisory/ntap-20240419-0005/
10
reference_url https://access.redhat.com/errata/RHSA-2024:3708
reference_id RHSA-2024:3708
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3708
fixed_packages
0
url pkg:maven/org.springframework.security/spring-security-core@5.7.12
purl pkg:maven/org.springframework.security/spring-security-core@5.7.12
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-u6vb-w2bu-ykfk
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.7.12
1
url pkg:maven/org.springframework.security/spring-security-core@5.8.11
purl pkg:maven/org.springframework.security/spring-security-core@5.8.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-u6vb-w2bu-ykfk
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.8.11
2
url pkg:maven/org.springframework.security/spring-security-core@6.1.8
purl pkg:maven/org.springframework.security/spring-security-core@6.1.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-u6vb-w2bu-ykfk
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.1.8
3
url pkg:maven/org.springframework.security/spring-security-core@6.2.3
purl pkg:maven/org.springframework.security/spring-security-core@6.2.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-u6vb-w2bu-ykfk
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.2.3
aliases CVE-2024-22257, GHSA-f3jh-qvm4-mg39
risk_score 4.4
exploitability 0.5
weighted_severity 8.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dwcq-d6nf-1ubn
2
url VCID-u6vb-w2bu-ykfk
vulnerability_id VCID-u6vb-w2bu-ykfk
summary 
Spring Framework has Authorization Bypass for Case Sensitive Comparisons
The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in authorization rules not working properly.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-38827.json
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-38827.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-38827
reference_id
reference_type
scores
0
value 0.00294
scoring_system epss
scoring_elements 0.52729
published_at 2026-04-18T12:55:00Z
1
value 0.00294
scoring_system epss
scoring_elements 0.52722
published_at 2026-04-16T12:55:00Z
2
value 0.00294
scoring_system epss
scoring_elements 0.52653
published_at 2026-04-04T12:55:00Z
3
value 0.00294
scoring_system epss
scoring_elements 0.52683
published_at 2026-04-13T12:55:00Z
4
value 0.00294
scoring_system epss
scoring_elements 0.52698
published_at 2026-04-12T12:55:00Z
5
value 0.00294
scoring_system epss
scoring_elements 0.52715
published_at 2026-04-11T12:55:00Z
6
value 0.00294
scoring_system epss
scoring_elements 0.52664
published_at 2026-04-09T12:55:00Z
7
value 0.00294
scoring_system epss
scoring_elements 0.5267
published_at 2026-04-08T12:55:00Z
8
value 0.00294
scoring_system epss
scoring_elements 0.5262
published_at 2026-04-07T12:55:00Z
9
value 0.00294
scoring_system epss
scoring_elements 0.52627
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-38827
2
reference_url https://github.com/spring-projects/spring-framework
reference_id
reference_type
scores
url https://github.com/spring-projects/spring-framework
3
reference_url https://github.com/spring-projects/spring-framework/commit/11d4272ff48b4a4dabc4b28dfbff0364a4204bc9
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/spring-projects/spring-framework/commit/11d4272ff48b4a4dabc4b28dfbff0364a4204bc9
4
reference_url https://github.com/spring-projects/spring-framework/issues/33708
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/spring-projects/spring-framework/issues/33708
5
reference_url https://github.com/spring-projects/spring-framework/issues/34232
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/spring-projects/spring-framework/issues/34232
6
reference_url https://github.com/spring-projects/spring-security
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/spring-projects/spring-security
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-38827
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-38827
8
reference_url https://security.netapp.com/advisory/ntap-20250124-0007
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20250124-0007
9
reference_url https://spring.io/security/cve-2024-38827
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-02T15:27:02Z/
url https://spring.io/security/cve-2024-38827
10
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2329971
reference_id 2329971
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2329971
11
reference_url https://github.com/advisories/GHSA-q3v6-hm2v-pw99
reference_id GHSA-q3v6-hm2v-pw99
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-q3v6-hm2v-pw99
fixed_packages
0
url pkg:maven/org.springframework.security/spring-security-core@5.7.14
purl pkg:maven/org.springframework.security/spring-security-core@5.7.14
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.7.14
1
url pkg:maven/org.springframework.security/spring-security-core@5.8.16
purl pkg:maven/org.springframework.security/spring-security-core@5.8.16
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.8.16
2
url pkg:maven/org.springframework.security/spring-security-core@6.0.14
purl pkg:maven/org.springframework.security/spring-security-core@6.0.14
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.0.14
3
url pkg:maven/org.springframework.security/spring-security-core@6.1.12
purl pkg:maven/org.springframework.security/spring-security-core@6.1.12
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.1.12
4
url pkg:maven/org.springframework.security/spring-security-core@6.2.8
purl pkg:maven/org.springframework.security/spring-security-core@6.2.8
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.2.8
5
url pkg:maven/org.springframework.security/spring-security-core@6.3.5
purl pkg:maven/org.springframework.security/spring-security-core@6.3.5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.3.5
aliases CVE-2024-38827, GHSA-q3v6-hm2v-pw99
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-u6vb-w2bu-ykfk
3
url VCID-yeaf-ta2h-p7c1
vulnerability_id VCID-yeaf-ta2h-p7c1
summary 
Privilege escalation in spring security
Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request.A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22112.json
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22112.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-22112
reference_id
reference_type
scores
0
value 0.00979
scoring_system epss
scoring_elements 0.76792
published_at 2026-04-18T12:55:00Z
1
value 0.00979
scoring_system epss
scoring_elements 0.76787
published_at 2026-04-16T12:55:00Z
2
value 0.00979
scoring_system epss
scoring_elements 0.76754
published_at 2026-04-12T12:55:00Z
3
value 0.00979
scoring_system epss
scoring_elements 0.76774
published_at 2026-04-11T12:55:00Z
4
value 0.00979
scoring_system epss
scoring_elements 0.76688
published_at 2026-04-01T12:55:00Z
5
value 0.00979
scoring_system epss
scoring_elements 0.76703
published_at 2026-04-07T12:55:00Z
6
value 0.00979
scoring_system epss
scoring_elements 0.76721
published_at 2026-04-04T12:55:00Z
7
value 0.00979
scoring_system epss
scoring_elements 0.76692
published_at 2026-04-02T12:55:00Z
8
value 0.00979
scoring_system epss
scoring_elements 0.76746
published_at 2026-04-13T12:55:00Z
9
value 0.00979
scoring_system epss
scoring_elements 0.76735
published_at 2026-04-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-22112
2
reference_url https://github.com/spring-projects/spring-security
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/spring-projects/spring-security
3
reference_url https://github.com/spring-projects/spring-security/releases/tag/5.4.4
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/spring-projects/spring-security/releases/tag/5.4.4
4
reference_url https://lists.apache.org/thread.html/r163b3e4e39803882f5be05ee8606b2b9812920e196daa2a82997ce14@%3Cpluto-dev.portals.apache.org%3E
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/r163b3e4e39803882f5be05ee8606b2b9812920e196daa2a82997ce14@%3Cpluto-dev.portals.apache.org%3E
5
reference_url https://lists.apache.org/thread.html/r2cb05e499807900ba23e539643eead9c5f0652fd271f223f89da1804@%3Cpluto-scm.portals.apache.org%3E
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/r2cb05e499807900ba23e539643eead9c5f0652fd271f223f89da1804@%3Cpluto-scm.portals.apache.org%3E
6
reference_url https://lists.apache.org/thread.html/r37423ec7eea340e92a409452c35b649dce02fdc467f0b3f52086c177@%3Cpluto-dev.portals.apache.org%3E
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/r37423ec7eea340e92a409452c35b649dce02fdc467f0b3f52086c177@%3Cpluto-dev.portals.apache.org%3E
7
reference_url https://lists.apache.org/thread.html/r3868207b967f926819fe3aa8d33f1666429be589bb4a62104a49f4e3@%3Cpluto-dev.portals.apache.org%3E
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/r3868207b967f926819fe3aa8d33f1666429be589bb4a62104a49f4e3@%3Cpluto-dev.portals.apache.org%3E
8
reference_url https://lists.apache.org/thread.html/r390783b3b1c59b978131ac08390bf77fbb3863270cbde59d5b0f5fde@%3Cpluto-dev.portals.apache.org%3E
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/r390783b3b1c59b978131ac08390bf77fbb3863270cbde59d5b0f5fde@%3Cpluto-dev.portals.apache.org%3E
9
reference_url https://lists.apache.org/thread.html/r413e380088c427f56102968df89ef2f336473e1b56b7d4b3a571a378@%3Cpluto-dev.portals.apache.org%3E
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/r413e380088c427f56102968df89ef2f336473e1b56b7d4b3a571a378@%3Cpluto-dev.portals.apache.org%3E
10
reference_url https://lists.apache.org/thread.html/r89aa1b48a827f5641310305214547f1d6b2101971a49b624737c497f@%3Cpluto-dev.portals.apache.org%3E
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/r89aa1b48a827f5641310305214547f1d6b2101971a49b624737c497f@%3Cpluto-dev.portals.apache.org%3E
11
reference_url https://lists.apache.org/thread.html/ra53677224fe4f04c2599abc88032076faa18dc84b329cdeba85d4cfc@%3Cpluto-scm.portals.apache.org%3E
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/ra53677224fe4f04c2599abc88032076faa18dc84b329cdeba85d4cfc@%3Cpluto-scm.portals.apache.org%3E
12
reference_url https://lists.apache.org/thread.html/ra6389b1b82108a3b6bbcd22979f7665fd437c2a3408c9509a15a9ca1@%3Cpluto-dev.portals.apache.org%3E
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/ra6389b1b82108a3b6bbcd22979f7665fd437c2a3408c9509a15a9ca1@%3Cpluto-dev.portals.apache.org%3E
13
reference_url https://lists.apache.org/thread.html/redbd004a503b3520ae5746c2ab5e93fd7da807a8c128e60d2002cd9b@%3Cissues.nifi.apache.org%3E
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/redbd004a503b3520ae5746c2ab5e93fd7da807a8c128e60d2002cd9b@%3Cissues.nifi.apache.org%3E
14
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-22112
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-22112
15
reference_url https://tanzu.vmware.com/security/cve-2021-22112
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://tanzu.vmware.com/security/cve-2021-22112
16
reference_url https://www.jenkins.io/security/advisory/2021-02-19
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.jenkins.io/security/advisory/2021-02-19
17
reference_url https://www.jenkins.io/security/advisory/2021-02-19/
reference_id
reference_type
scores
url https://www.jenkins.io/security/advisory/2021-02-19/
18
reference_url https://www.oracle.com/security-alerts/cpuApr2021.html
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpuApr2021.html
19
reference_url https://www.oracle.com//security-alerts/cpujul2021.html
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com//security-alerts/cpujul2021.html
20
reference_url https://www.oracle.com/security-alerts/cpuoct2021.html
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.oracle.com/security-alerts/cpuoct2021.html
21
reference_url http://www.openwall.com/lists/oss-security/2021/02/19/7
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2021/02/19/7
22
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1931453
reference_id 1931453
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1931453
23
reference_url https://security.archlinux.org/AVG-1595
reference_id AVG-1595
reference_type
scores
0
value High
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-1595
24
reference_url https://github.com/advisories/GHSA-gq28-h5vg-8prx
reference_id GHSA-gq28-h5vg-8prx
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-gq28-h5vg-8prx
fixed_packages
0
url pkg:maven/org.springframework.security/spring-security-core@5.2.9
purl pkg:maven/org.springframework.security/spring-security-core@5.2.9
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.2.9
1
url pkg:maven/org.springframework.security/spring-security-core@5.2.9.RELEASE
purl pkg:maven/org.springframework.security/spring-security-core@5.2.9.RELEASE
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cden-3spy-pyhz
1
vulnerability VCID-dwcq-d6nf-1ubn
2
vulnerability VCID-u6vb-w2bu-ykfk
3
vulnerability VCID-ykkv-ahjn-d7eb
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.2.9.RELEASE
2
url pkg:maven/org.springframework.security/spring-security-core@5.3.9
purl pkg:maven/org.springframework.security/spring-security-core@5.3.9
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ykkv-ahjn-d7eb
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.3.9
3
url pkg:maven/org.springframework.security/spring-security-core@5.3.9.RELEASE
purl pkg:maven/org.springframework.security/spring-security-core@5.3.9.RELEASE
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cden-3spy-pyhz
1
vulnerability VCID-dwcq-d6nf-1ubn
2
vulnerability VCID-u6vb-w2bu-ykfk
3
vulnerability VCID-ykkv-ahjn-d7eb
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.3.9.RELEASE
4
url pkg:maven/org.springframework.security/spring-security-core@5.4.4
purl pkg:maven/org.springframework.security/spring-security-core@5.4.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cden-3spy-pyhz
1
vulnerability VCID-dwcq-d6nf-1ubn
2
vulnerability VCID-u6vb-w2bu-ykfk
3
vulnerability VCID-ykkv-ahjn-d7eb
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.4.4
aliases CVE-2021-22112, GHSA-gq28-h5vg-8prx
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-yeaf-ta2h-p7c1
Fixing_vulnerabilities
Risk_score4.4
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@4.2.20.RELEASE