VulnerableCode Package Details - pkg:maven/org.springframework.security/spring-security-core@3.0.0

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:maven/org.springframework.security/spring-security-core@3.0.0

Essentials
History (9)

purl	pkg:maven/org.springframework.security/spring-security-core@3.0.0
Tags	Ghost

Next non-vulnerable version	5.7.14
Latest non-vulnerable version	6.5.4
Risk	10.0

Vulnerabilities affecting this package (5)

Vulnerability	Summary	Fixed by
VCID-ev1k-za9z-87hq Aliases: CVE-2011-2732 GHSA-5xm9-rf63-wj7h	Improper Control of Generation of Code ('Code Injection') CRLF injection vulnerability in the logout functionality in VMware SpringSource Spring Security before 2.0.7 and 3.0.x before 3.0.6 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the spring-security-redirect parameter.	3.0.6 Affected by 0 other vulnerabilities. 3.0.6.RELEASE Affected by 8 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-n8yr-3aex-kyah Aliases: CVE-2010-3700 GHSA-3295-h9qx-r82x	Authentication Bypass Using an Alternate Path or Channel in SpringSource Spring Security and Acegi Security VMware SpringSource Spring Security 2.x before 2.0.6 and 3.x before 3.0.4, and Acegi Security 1.0.0 through 1.0.7, as used in IBM WebSphere Application Server (WAS) 6.1 and 7.0, allows remote attackers to bypass security constraints via a path parameter.	3.0.4 Affected by 0 other vulnerabilities. 3.0.4.RELEASE Affected by 11 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-nddv-1dfd-jfdd Aliases: CVE-2011-2731 GHSA-4644-hg35-55m9	Concurrent Execution using Shared Resource with Improper Synchronization in Spring Security Race condition in the RunAsManager mechanism in VMware SpringSource Spring Security before 2.0.7 and 3.0.x before 3.0.6 stores the Authentication object in the shared security context, which allows attackers to gain privileges via a crafted thread.	3.0.6 Affected by 0 other vulnerabilities. 3.0.6.RELEASE Affected by 8 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-sy5j-6rkg-n3b7 Aliases: CVE-2011-2894 GHSA-f866-m9mv-2xr3	Deserialization of Untrusted Data Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by (1) serializing a java.lang.Proxy instance and using InvocationHandler, or (2) accessing internal AOP interfaces, as demonstrated using deserialization of a DefaultListableBeanFactory instance to execute arbitrary commands via the java.lang.Runtime class.	3.0.6 Affected by 0 other vulnerabilities. 3.0.6.RELEASE Affected by 8 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-w4q4-38gp-m3d8 Aliases: CVE-2012-5055 GHSA-3533-rvpc-6x56	Exposure of Sensitive Information to an Unauthorized Actor This package does not check the password if the user is not found, which makes the response delay shorter and might allow remote attackers to enumerate valid usernames via a series of login requests.	3.0.8 Affected by 0 other vulnerabilities. 3.0.8.RELEASE Affected by 7 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 3.1.3 Affected by 0 other vulnerabilities. 3.1.3.RELEASE Affected by 7 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerabilities fixed by this package (0)

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-04T14:31:49.675620+00:00	GHSA Importer	Affected by	VCID-ev1k-za9z-87hq	https://github.com/advisories/GHSA-5xm9-rf63-wj7h	38.1.0
2026-04-04T14:31:49.563076+00:00	GHSA Importer	Affected by	VCID-w4q4-38gp-m3d8	https://github.com/advisories/GHSA-3533-rvpc-6x56	38.1.0
2026-04-04T14:31:46.887950+00:00	GHSA Importer	Affected by	VCID-nddv-1dfd-jfdd	https://github.com/advisories/GHSA-4644-hg35-55m9	38.1.0
2026-04-04T14:30:48.984832+00:00	GHSA Importer	Affected by	VCID-sy5j-6rkg-n3b7	https://github.com/advisories/GHSA-f866-m9mv-2xr3	38.1.0
2026-04-04T14:30:45.834602+00:00	GHSA Importer	Affected by	VCID-n8yr-3aex-kyah	https://github.com/advisories/GHSA-3295-h9qx-r82x	38.1.0
2026-04-03T21:26:08.709889+00:00	GitLab Importer	Affected by	VCID-nddv-1dfd-jfdd	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security/spring-security-core/CVE-2011-2731.yml	38.1.0
2026-04-01T12:50:44.762386+00:00	GitLab Importer	Affected by	VCID-ev1k-za9z-87hq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security/spring-security-core/CVE-2011-2732.yml	38.0.0
2026-04-01T12:50:35.149848+00:00	GitLab Importer	Affected by	VCID-sy5j-6rkg-n3b7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security/spring-security-core/CVE-2011-2894.yml	38.0.0
2026-04-01T12:50:32.262807+00:00	GitLab Importer	Affected by	VCID-n8yr-3aex-kyah	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security/spring-security-core/CVE-2010-3700.yml	38.0.0