VulnerableCode Package Details - pkg:maven/org.springframework.security/spring-security-core@5.2.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-hedq-eav6-4fee Aliases: CVE-2020-5408 GHSA-2ppp-9496-p23q	Insufficient Entropy in Spring Security Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.	5.2.4 Affected by 0 other vulnerabilities. 5.2.4.RELEASE Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 5.3.2 Affected by 0 other vulnerabilities. 5.3.2.RELEASE Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-y1m6-bc5x-1bbb Aliases: CVE-2020-5407 GHSA-48rw-j489-928m	Signature wrapping vulnerability in Spring Security Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 contain a signature wrapping vulnerability during SAML response validation. When using the spring-security-saml2-service-provider component, a malicious user can carefully modify an otherwise valid SAML response and append an arbitrary assertion that Spring Security will accept as valid.	5.2.4 Affected by 0 other vulnerabilities. 5.2.4.RELEASE Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 5.3.2 Affected by 0 other vulnerabilities. 5.3.2.RELEASE Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-ykkv-ahjn-d7eb Aliases: CVE-2021-22119 GHSA-w9jg-gvgr-354m	Incorrect Authorization Spring Security versions 5.5.x prior to 5.5.1, 5.4.x prior to 5.4.7, 5.3.x prior to 5.3.10 and 5.2.x prior to 5.2.11 are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client Web and WebFlux application. A malicious user or attacker can send multiple requests initiating the Authorization Request for the Authorization Code Grant, which has the potential of exhausting system resources using a single session or multiple sessions.	5.2.11 Affected by 0 other vulnerabilities. 5.2.11.RELEASE Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 5.3.10 Affected by 0 other vulnerabilities. 5.3.10.RELEASE Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 5.4.7 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 5.5.1 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-hedq-eav6-4fee
Aliases:
CVE-2020-5408
GHSA-2ppp-9496-p23q

Insufficient Entropy in Spring Security Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.

5.2.4
Affected by 0 other vulnerabilities.

5.2.4.RELEASE
Affected by 5 other vulnerabilities.

5.3.2
Affected by 0 other vulnerabilities.

5.3.2.RELEASE
Affected by 5 other vulnerabilities.

VCID-y1m6-bc5x-1bbb
Aliases:
CVE-2020-5407
GHSA-48rw-j489-928m

Signature wrapping vulnerability in Spring Security Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 contain a signature wrapping vulnerability during SAML response validation. When using the spring-security-saml2-service-provider component, a malicious user can carefully modify an otherwise valid SAML response and append an arbitrary assertion that Spring Security will accept as valid.

5.2.4
Affected by 0 other vulnerabilities.

5.2.4.RELEASE
Affected by 5 other vulnerabilities.

5.3.2
Affected by 0 other vulnerabilities.

5.3.2.RELEASE
Affected by 5 other vulnerabilities.

VCID-ykkv-ahjn-d7eb
Aliases:
CVE-2021-22119
GHSA-w9jg-gvgr-354m

Incorrect Authorization Spring Security versions 5.5.x prior to 5.5.1, 5.4.x prior to 5.4.7, 5.3.x prior to 5.3.10 and 5.2.x prior to 5.2.11 are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client Web and WebFlux application. A malicious user or attacker can send multiple requests initiating the Authorization Request for the Authorization Code Grant, which has the potential of exhausting system resources using a single session or multiple sessions.

5.2.11
Affected by 0 other vulnerabilities.

5.2.11.RELEASE
Affected by 3 other vulnerabilities.

5.3.10
Affected by 0 other vulnerabilities.

5.3.10.RELEASE
Affected by 3 other vulnerabilities.

5.4.7
Affected by 3 other vulnerabilities.

5.5.1
Affected by 3 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-02T16:57:33.392983+00:00	GHSA Importer	Affected by	VCID-ykkv-ahjn-d7eb	https://github.com/advisories/GHSA-w9jg-gvgr-354m	38.1.0
2026-04-02T12:39:04.049625+00:00	GitLab Importer	Affected by	VCID-ykkv-ahjn-d7eb	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security/spring-security-core/CVE-2021-22119.yml	38.0.0
2026-04-02T12:36:47.901211+00:00	GitLab Importer	Affected by	VCID-y1m6-bc5x-1bbb	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security/spring-security-core/CVE-2020-5407.yml	38.0.0
2026-04-02T12:36:43.997273+00:00	GitLab Importer	Affected by	VCID-hedq-eav6-4fee	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security/spring-security-core/CVE-2020-5408.yml	38.0.0
2026-04-01T15:58:15.182156+00:00	GHSA Importer	Affected by	VCID-hedq-eav6-4fee	https://github.com/advisories/GHSA-2ppp-9496-p23q	38.0.0
2026-04-01T15:58:11.947472+00:00	GHSA Importer	Affected by	VCID-y1m6-bc5x-1bbb	https://github.com/advisories/GHSA-48rw-j489-928m	38.0.0