Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:maven/org.springframework.security/spring-security-core@5.1.0
purl pkg:maven/org.springframework.security/spring-security-core@5.1.0
Tags Ghost
Next non-vulnerable version 5.7.14
Latest non-vulnerable version 6.5.4
Risk 4.0
Vulnerabilities affecting this package (3)
Vulnerability Summary Fixed by
VCID-f3g5-hamr-6yar
Aliases:
CVE-2019-3795
GHSA-v2r2-7qm7-jj6v
Insufficient Entropy in PRNG Spring Security contain an insecure randomness vulnerability when using `SecureRandomFactoryBean#setSeed` to configure a `SecureRandom` instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.
5.1.5
Affected by 0 other vulnerabilities.
5.1.5.RELEASE
Affected by 5 other vulnerabilities.
5.1.6.RELEASE
Affected by 5 other vulnerabilities.
VCID-hedq-eav6-4fee
Aliases:
CVE-2020-5408
GHSA-2ppp-9496-p23q
Insufficient Entropy in Spring Security Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.
5.1.10
Affected by 0 other vulnerabilities.
5.1.10.RELEASE
Affected by 4 other vulnerabilities.
5.2.4
Affected by 0 other vulnerabilities.
5.2.4.RELEASE
Affected by 5 other vulnerabilities.
5.3.2
Affected by 0 other vulnerabilities.
5.3.2.RELEASE
Affected by 5 other vulnerabilities.
VCID-zdpx-scsg-uyfw
Aliases:
CVE-2018-15801
GHSA-27xw-p8v6-9jjr
Spring Security versions 5.1.x prior to 5.1.2 contain an authorization bypass vulnerability during JWT issuer validation. In order to be impacted, the same private key for an honest issuer and a malicious user must be used when signing JWTs. In that case, a malicious user could fashion signed JWTs with the malicious issuer URL that may be granted for the honest issuer.
5.1.2
Affected by 0 other vulnerabilities.
5.1.2.RELEASE
Affected by 6 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-02T12:36:43.993734+00:00 GitLab Importer Affected by VCID-hedq-eav6-4fee https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security/spring-security-core/CVE-2020-5408.yml 38.0.0
2026-04-01T15:58:15.276156+00:00 GHSA Importer Affected by VCID-hedq-eav6-4fee https://github.com/advisories/GHSA-2ppp-9496-p23q 38.0.0
2026-04-01T15:57:25.711443+00:00 GHSA Importer Affected by VCID-f3g5-hamr-6yar https://github.com/advisories/GHSA-v2r2-7qm7-jj6v 38.0.0
2026-04-01T15:57:08.813646+00:00 GHSA Importer Affected by VCID-zdpx-scsg-uyfw https://github.com/advisories/GHSA-27xw-p8v6-9jjr 38.0.0
2026-04-01T12:48:12.148748+00:00 GitLab Importer Affected by VCID-zdpx-scsg-uyfw https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security/spring-security-core/CVE-2018-15801.yml 38.0.0