{"url":"http://public2.vulnerablecode.io/api/packages/181301?format=json","purl":"pkg:maven/org.springframework.security/spring-security-core@3.0.3.RELEASE","type":"maven","namespace":"org.springframework.security","name":"spring-security-core","version":"3.0.3.RELEASE","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"6.2.8","latest_non_vulnerable_version":"7.0.5","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56284?format=json","vulnerability_id":"VCID-1ccn-qeh9-vqgn","summary":"This advisory has been marked as False-Positive and removed\nThe usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in authorization rules not working properly.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-38827.json","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-38827.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-38827","reference_id":"","reference_type":"","scores":[{"value":"0.00399","scoring_system":"epss","scoring_elements":"0.61004","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00399","scoring_system":"epss","scoring_elements":"0.61005","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00399","scoring_system":"epss","scoring_elements":"0.60985","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00399","scoring_system":"epss","scoring_elements":"0.61003","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00399","scoring_system":"epss","scoring_elements":"0.61013","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-38827"},{"reference_url":"https://github.com/spring-projects/spring-framework","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/spring-projects/spring-framework"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/11d4272ff48b4a4dabc4b28dfbff0364a4204bc9","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/11d4272ff48b4a4dabc4b28dfbff0364a4204bc9"},{"reference_url":"https://github.com/spring-projects/spring-framework/issues/33708","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/issues/33708"},{"reference_url":"https://github.com/spring-projects/spring-framework/issues/34232","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/issues/34232"},{"reference_url":"https://github.com/spring-projects/spring-security","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-security"},{"reference_url":"https://security.netapp.com/advisory/ntap-20250124-0007","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20250124-0007"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2329971","reference_id":"2329971","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2329971"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-38827","reference_id":"CVE-2024-38827","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-38827"},{"reference_url":"https://spring.io/security/cve-2024-38827","reference_id":"CVE-2024-38827","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-02T15:27:02Z/"}],"url":"https://spring.io/security/cve-2024-38827"},{"reference_url":"https://github.com/advisories/GHSA-q3v6-hm2v-pw99","reference_id":"GHSA-q3v6-hm2v-pw99","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q3v6-hm2v-pw99"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/83376?format=json","purl":"pkg:maven/org.springframework.security/spring-security-core@5.7.14","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-tnva-qhzr-w3fe"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.7.14"},{"url":"http://public2.vulnerablecode.io/api/packages/83377?format=json","purl":"pkg:maven/org.springframework.security/spring-security-core@5.8.16","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-tnva-qhzr-w3fe"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.8.16"},{"url":"http://public2.vulnerablecode.io/api/packages/83378?format=json","purl":"pkg:maven/org.springframework.security/spring-security-core@6.0.14","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.0.14"},{"url":"http://public2.vulnerablecode.io/api/packages/83379?format=json","purl":"pkg:maven/org.springframework.security/spring-security-core@6.1.12","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.1.12"},{"url":"http://public2.vulnerablecode.io/api/packages/83380?format=json","purl":"pkg:maven/org.springframework.security/spring-security-core@6.2.8","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.2.8"},{"url":"http://public2.vulnerablecode.io/api/packages/83381?format=json","purl":"pkg:maven/org.springframework.security/spring-security-core@6.3.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-tnva-qhzr-w3fe"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.3.5"}],"aliases":["CVE-2024-38827","GHSA-q3v6-hm2v-pw99"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1ccn-qeh9-vqgn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38628?format=json","vulnerability_id":"VCID-28ru-qm8a-skg3","summary":"Access control bypass via untrusted infomation usage in proxy ticket authentication\nWhen using the CAS Proxy ticket authentication a malicious CAS Service could trick another CAS Service into authenticating a proxy ticket that was not associated. This is due to the fact that the proxy ticket authentication uses the information from the HttpServletRequest which is populated based upon untrusted information within the HTTP request. This means if there are access control restrictions on which CAS services can authenticate to one another, those restrictions can be bypassed. If users are not using CAS Proxy tickets and not basing access control decisions based upon the CAS Service, then there is no impact to users.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-3527.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-3527.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2014-3527","reference_id":"","reference_type":"","scores":[{"value":"0.00359","scoring_system":"epss","scoring_elements":"0.58396","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00359","scoring_system":"epss","scoring_elements":"0.58392","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00359","scoring_system":"epss","scoring_elements":"0.58372","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00359","scoring_system":"epss","scoring_elements":"0.58387","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00359","scoring_system":"epss","scoring_elements":"0.5834","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2014-3527"},{"reference_url":"https://github.com/spring-projects/spring-security","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-security"},{"reference_url":"https://github.com/spring-projects/spring-security/commit/2cb99f079152ac05cee5c90457c7feb3bb2de55","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/spring-projects/spring-security/commit/2cb99f079152ac05cee5c90457c7feb3bb2de55"},{"reference_url":"https://github.com/spring-projects/spring-security/commit/934937d9c1dc20c396b96c08310b72cfa627acb","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-security/commit/934937d9c1dc20c396b96c08310b72cfa627acb"},{"reference_url":"https://github.com/spring-projects/spring-security/issues/2907","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-security/issues/2907"},{"reference_url":"https://jira.spring.io/browse/SEC-2688","reference_id":"","reference_type":"","scores":[],"url":"https://jira.spring.io/browse/SEC-2688"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1131359","reference_id":"1131359","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1131359"},{"reference_url":"https://bugzilla.redhat.com/CVE-2014-3527","reference_id":"CVE-2014-3527","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/CVE-2014-3527"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2014-3527","reference_id":"CVE-2014-3527","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2014-3527"},{"reference_url":"https://pivotal.io/security/cve-2014-3527","reference_id":"CVE-2014-3527","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://pivotal.io/security/cve-2014-3527"},{"reference_url":"http://www.gopivotal.com/security/cve-2014-3527","reference_id":"CVE-2014-3527","reference_type":"","scores":[],"url":"http://www.gopivotal.com/security/cve-2014-3527"},{"reference_url":"https://spring.io/blog/2014/08/15/cve-2014-3527-fixed-in-spring-security-3-2-5-and-3-1-7","reference_id":"CVE-2014-3527-FIXED-IN-SPRING-SECURITY-3-2-5-AND-3-1-7","reference_type":"","scores":[],"url":"https://spring.io/blog/2014/08/15/cve-2014-3527-fixed-in-spring-security-3-2-5-and-3-1-7"},{"reference_url":"https://github.com/advisories/GHSA-wmv4-5w76-vp9g","reference_id":"GHSA-wmv4-5w76-vp9g","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wmv4-5w76-vp9g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/78683?format=json","purl":"pkg:maven/org.springframework.security/spring-security-core@3.1.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@3.1.7"},{"url":"http://public2.vulnerablecode.io/api/packages/181309?format=json","purl":"pkg:maven/org.springframework.security/spring-security-core@3.1.7.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ccn-qeh9-vqgn"},{"vulnerability":"VCID-46dm-5t83-tyh6"},{"vulnerability":"VCID-aygn-9njz-ybfh"},{"vulnerability":"VCID-p8md-ykt2-zyav"},{"vulnerability":"VCID-szph-1zgk-a7dt"},{"vulnerability":"VCID-vh4r-sk3t-eqe3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@3.1.7.RELEASE"},{"url":"http://public2.vulnerablecode.io/api/packages/78684?format=json","purl":"pkg:maven/org.springframework.security/spring-security-core@3.2.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@3.2.5"},{"url":"http://public2.vulnerablecode.io/api/packages/181314?format=json","purl":"pkg:maven/org.springframework.security/spring-security-core@3.2.5.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ccn-qeh9-vqgn"},{"vulnerability":"VCID-46dm-5t83-tyh6"},{"vulnerability":"VCID-aygn-9njz-ybfh"},{"vulnerability":"VCID-p8md-ykt2-zyav"},{"vulnerability":"VCID-szph-1zgk-a7dt"},{"vulnerability":"VCID-vh4r-sk3t-eqe3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@3.2.5.RELEASE"}],"aliases":["CVE-2014-3527","GHSA-wmv4-5w76-vp9g"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-28ru-qm8a-skg3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38632?format=json","vulnerability_id":"VCID-46dm-5t83-tyh6","summary":"Spring Security / MVC Path Matching Inconsistency\nThis package rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-5007.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-5007.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-5007","reference_id":"","reference_type":"","scores":[{"value":"0.00155","scoring_system":"epss","scoring_elements":"0.359","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00155","scoring_system":"epss","scoring_elements":"0.35996","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00155","scoring_system":"epss","scoring_elements":"0.36005","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00155","scoring_system":"epss","scoring_elements":"0.35965","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00155","scoring_system":"epss","scoring_elements":"0.35923","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00155","scoring_system":"epss","scoring_elements":"0.35938","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-5007"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5007","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5007"},{"reference_url":"https://github.com/advisories/GHSA-8crv-49fr-2h6j","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8crv-49fr-2h6j"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/a30ab30e4e9ae021fdda04e9abfc228476b846b5","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/a30ab30e4e9ae021fdda04e9abfc228476b846b5"},{"reference_url":"https://github.com/spring-projects/spring-security/commit/e4c13e3c0ee7f06f59d3b43ca6734215ad7d8974","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-security/commit/e4c13e3c0ee7f06f59d3b43ca6734215ad7d8974"},{"reference_url":"https://github.com/spring-projects/spring-security/issues/3964","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-security/issues/3964"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-5007","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-5007"},{"reference_url":"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"},{"reference_url":"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"},{"reference_url":"http://www.securityfocus.com/bid/91687","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securityfocus.com/bid/91687"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1353902","reference_id":"1353902","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1353902"},{"reference_url":"https://pivotal.io/security/cve-2016-5007","reference_id":"CVE-2016-5007","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://pivotal.io/security/cve-2016-5007"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/143194?format=json","purl":"pkg:maven/org.springframework.security/spring-security-core@4.1.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@4.1.1"},{"url":"http://public2.vulnerablecode.io/api/packages/53620?format=json","purl":"pkg:maven/org.springframework.security/spring-security-core@4.1.1.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ccn-qeh9-vqgn"},{"vulnerability":"VCID-2fan-h878-8faj"},{"vulnerability":"VCID-aygn-9njz-ybfh"},{"vulnerability":"VCID-h4kj-zdr8-wbdr"},{"vulnerability":"VCID-p8md-ykt2-zyav"},{"vulnerability":"VCID-szph-1zgk-a7dt"},{"vulnerability":"VCID-vh4r-sk3t-eqe3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@4.1.1.RELEASE"}],"aliases":["CVE-2016-5007","GHSA-8crv-49fr-2h6j"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-46dm-5t83-tyh6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43864?format=json","vulnerability_id":"VCID-7kpg-9qh6-c7e6","summary":"Authentication Bypass Using an Alternate Path or Channel in SpringSource Spring Security and Acegi Security\nVMware SpringSource Spring Security 2.x before 2.0.6 and 3.x before 3.0.4, and Acegi Security 1.0.0 through 1.0.7, as used in IBM WebSphere Application Server (WAS) 6.1 and 7.0, allows remote attackers to bypass security constraints via a path parameter.","references":[{"reference_url":"http://osvdb.org/68931","reference_id":"","reference_type":"","scores":[],"url":"http://osvdb.org/68931"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2010-3700","reference_id":"","reference_type":"","scores":[{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48272","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48302","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48306","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48288","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.4826","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.4824","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2010-3700"},{"reference_url":"https://issues.apache.org/bugzilla/show_bug.cgi?id=25015","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://issues.apache.org/bugzilla/show_bug.cgi?id=25015"},{"reference_url":"https://web.archive.org/web/20110802082343/http://www.springsource.com/security/cve-2010-3700","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20110802082343/http://www.springsource.com/security/cve-2010-3700"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2010-3700","reference_id":"CVE-2010-3700","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2010-3700"},{"reference_url":"http://www.springsource.com/security/cve-2010-3700","reference_id":"CVE-2010-3700","reference_type":"","scores":[],"url":"http://www.springsource.com/security/cve-2010-3700"},{"reference_url":"https://github.com/advisories/GHSA-3295-h9qx-r82x","reference_id":"GHSA-3295-h9qx-r82x","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3295-h9qx-r82x"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/63117?format=json","purl":"pkg:maven/org.springframework.security/spring-security-core@3.0.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@3.0.4"},{"url":"http://public2.vulnerablecode.io/api/packages/181302?format=json","purl":"pkg:maven/org.springframework.security/spring-security-core@3.0.4.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ccn-qeh9-vqgn"},{"vulnerability":"VCID-28ru-qm8a-skg3"},{"vulnerability":"VCID-46dm-5t83-tyh6"},{"vulnerability":"VCID-aygn-9njz-ybfh"},{"vulnerability":"VCID-gmn5-ykw3-cqf4"},{"vulnerability":"VCID-m3ht-28wc-yyeg"},{"vulnerability":"VCID-p8md-ykt2-zyav"},{"vulnerability":"VCID-szph-1zgk-a7dt"},{"vulnerability":"VCID-uxfq-rj43-a7bd"},{"vulnerability":"VCID-vh4r-sk3t-eqe3"},{"vulnerability":"VCID-zb97-bzya-4uek"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@3.0.4.RELEASE"}],"aliases":["CVE-2010-3700","GHSA-3295-h9qx-r82x"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7kpg-9qh6-c7e6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38439?format=json","vulnerability_id":"VCID-aygn-9njz-ybfh","summary":"Encoded \"/\" in path variables\nThis package does not consider URL path parameters when processing security constraints.Users of IBM WebSphere Application Server `8.5.x` are known to be affected. Users of other containers that implement the Servlet specification may be affected.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2017:1832","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2017:1832"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-9879.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-9879.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-9879","reference_id":"","reference_type":"","scores":[{"value":"0.00322","scoring_system":"epss","scoring_elements":"0.55601","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00322","scoring_system":"epss","scoring_elements":"0.55551","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00322","scoring_system":"epss","scoring_elements":"0.55608","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00322","scoring_system":"epss","scoring_elements":"0.55613","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00322","scoring_system":"epss","scoring_elements":"0.556","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00322","scoring_system":"epss","scoring_elements":"0.55582","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-9879"},{"reference_url":"https://github.com/spring-projects/spring-security/commit/666e356ebc479194ba51e43bb99fc42f849b6175","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/spring-projects/spring-security/commit/666e356ebc479194ba51e43bb99fc42f849b6175"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-9879","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-9879"},{"reference_url":"http://www.securityfocus.com/bid/95142","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securityfocus.com/bid/95142"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1409838","reference_id":"1409838","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1409838"},{"reference_url":"https://pivotal.io/security/cve-2016-9879","reference_id":"CVE-2016-9879","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://pivotal.io/security/cve-2016-9879"},{"reference_url":"https://github.com/advisories/GHSA-v35c-49j6-q8hq","reference_id":"GHSA-v35c-49j6-q8hq","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-v35c-49j6-q8hq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/53174?format=json","purl":"pkg:maven/org.springframework.security/spring-security-core@3.2.10.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ccn-qeh9-vqgn"},{"vulnerability":"VCID-46dm-5t83-tyh6"},{"vulnerability":"VCID-p8md-ykt2-zyav"},{"vulnerability":"VCID-szph-1zgk-a7dt"},{"vulnerability":"VCID-vh4r-sk3t-eqe3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@3.2.10.RELEASE"},{"url":"http://public2.vulnerablecode.io/api/packages/53175?format=json","purl":"pkg:maven/org.springframework.security/spring-security-core@4.1.4.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ccn-qeh9-vqgn"},{"vulnerability":"VCID-2fan-h878-8faj"},{"vulnerability":"VCID-h4kj-zdr8-wbdr"},{"vulnerability":"VCID-p8md-ykt2-zyav"},{"vulnerability":"VCID-szph-1zgk-a7dt"},{"vulnerability":"VCID-vh4r-sk3t-eqe3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@4.1.4.RELEASE"},{"url":"http://public2.vulnerablecode.io/api/packages/53176?format=json","purl":"pkg:maven/org.springframework.security/spring-security-core@4.2.1.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ccn-qeh9-vqgn"},{"vulnerability":"VCID-2fan-h878-8faj"},{"vulnerability":"VCID-3jmf-5kbf-bbe2"},{"vulnerability":"VCID-3p1k-4ges-1fev"},{"vulnerability":"VCID-efx3-b7vv-nfde"},{"vulnerability":"VCID-h4kj-zdr8-wbdr"},{"vulnerability":"VCID-p8md-ykt2-zyav"},{"vulnerability":"VCID-szph-1zgk-a7dt"},{"vulnerability":"VCID-vh4r-sk3t-eqe3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@4.2.1.RELEASE"}],"aliases":["CVE-2016-9879","GHSA-v35c-49j6-q8hq"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-aygn-9njz-ybfh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43863?format=json","vulnerability_id":"VCID-gmn5-ykw3-cqf4","summary":"Deserialization of Untrusted Data\nSpring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by (1) serializing a java.lang.Proxy instance and using InvocationHandler, or (2) accessing internal AOP interfaces, as demonstrated using deserialization of a DefaultListableBeanFactory instance to execute arbitrary commands via the java.lang.Runtime class.","references":[{"reference_url":"http://osvdb.org/75263","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://osvdb.org/75263"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2011-2894.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2011-2894.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2011-2894","reference_id":"","reference_type":"","scores":[{"value":"0.01998","scoring_system":"epss","scoring_elements":"0.83995","published_at":"2026-06-09T12:55:00Z"},{"value":"0.01998","scoring_system":"epss","scoring_elements":"0.83981","published_at":"2026-06-08T12:55:00Z"},{"value":"0.01998","scoring_system":"epss","scoring_elements":"0.83993","published_at":"2026-06-05T12:55:00Z"},{"value":"0.01998","scoring_system":"epss","scoring_elements":"0.83991","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01998","scoring_system":"epss","scoring_elements":"0.83996","published_at":"2026-06-06T12:55:00Z"},{"value":"0.01998","scoring_system":"epss","scoring_elements":"0.8397","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2011-2894"},{"reference_url":"http://securityreason.com/securityalert/8405","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://securityreason.com/securityalert/8405"},{"reference_url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/69687","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/69687"},{"reference_url":"https://github.com/spring-projects/spring-framework","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework"},{"reference_url":"https://github.com/spring-projects/spring-framework/commit/070a723ef2c886770a063eb9a67f84f74e06edfb","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-framework/commit/070a723ef2c886770a063eb9a67f84f74e06edfb"},{"reference_url":"http://www.redhat.com/support/errata/RHSA-2011-1334.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.redhat.com/support/errata/RHSA-2011-1334.html"},{"reference_url":"http://www.securityfocus.com/archive/1/519593/100/0/threaded","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securityfocus.com/archive/1/519593/100/0/threaded"},{"reference_url":"http://www.securityfocus.com/bid/49536","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securityfocus.com/bid/49536"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=737611","reference_id":"737611","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=737611"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2011-2894","reference_id":"CVE-2011-2894","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2011-2894"},{"reference_url":"https://web.archive.org/web/20120307233721/http://www.springsource.com/security/cve-2011-2894","reference_id":"CVE-2011-2894","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20120307233721/http://www.springsource.com/security/cve-2011-2894"},{"reference_url":"http://www.springsource.com/security/cve-2011-2894","reference_id":"CVE-2011-2894","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.springsource.com/security/cve-2011-2894"},{"reference_url":"https://github.com/advisories/GHSA-f866-m9mv-2xr3","reference_id":"GHSA-f866-m9mv-2xr3","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f866-m9mv-2xr3"},{"reference_url":"https://access.redhat.com/errata/RHSA-2011:1334","reference_id":"RHSA-2011:1334","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2011:1334"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/63208?format=json","purl":"pkg:maven/org.springframework.security/spring-security-core@3.0.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@3.0.6"},{"url":"http://public2.vulnerablecode.io/api/packages/181304?format=json","purl":"pkg:maven/org.springframework.security/spring-security-core@3.0.6.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ccn-qeh9-vqgn"},{"vulnerability":"VCID-28ru-qm8a-skg3"},{"vulnerability":"VCID-46dm-5t83-tyh6"},{"vulnerability":"VCID-aygn-9njz-ybfh"},{"vulnerability":"VCID-m3ht-28wc-yyeg"},{"vulnerability":"VCID-p8md-ykt2-zyav"},{"vulnerability":"VCID-szph-1zgk-a7dt"},{"vulnerability":"VCID-vh4r-sk3t-eqe3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@3.0.6.RELEASE"}],"aliases":["CVE-2011-2894","GHSA-f866-m9mv-2xr3"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gmn5-ykw3-cqf4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37472?format=json","vulnerability_id":"VCID-m3ht-28wc-yyeg","summary":"Exposure of Sensitive Information to an Unauthorized Actor\nThis package does not check the password if the user is not found, which makes the response delay shorter and might allow remote attackers to enumerate valid usernames via a series of login requests.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-5055.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-5055.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2012-5055","reference_id":"","reference_type":"","scores":[{"value":"0.00359","scoring_system":"epss","scoring_elements":"0.58412","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00359","scoring_system":"epss","scoring_elements":"0.58419","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00359","scoring_system":"epss","scoring_elements":"0.5841","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00359","scoring_system":"epss","scoring_elements":"0.58396","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00359","scoring_system":"epss","scoring_elements":"0.58364","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00359","scoring_system":"epss","scoring_elements":"0.58411","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2012-5055"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2012-5055","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2012-5055"},{"reference_url":"http://support.springsource.com/security/CVE-2012-5055","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://support.springsource.com/security/CVE-2012-5055"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=886031","reference_id":"886031","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=886031"},{"reference_url":"http://support.springsource.com/security/cve-2012-5055","reference_id":"CVE-2012-5055","reference_type":"","scores":[],"url":"http://support.springsource.com/security/cve-2012-5055"},{"reference_url":"https://github.com/advisories/GHSA-3533-rvpc-6x56","reference_id":"GHSA-3533-rvpc-6x56","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3533-rvpc-6x56"},{"reference_url":"https://access.redhat.com/errata/RHSA-2013:0649","reference_id":"RHSA-2013:0649","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2013:0649"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/156062?format=json","purl":"pkg:maven/org.springframework.security/spring-security-core@3.0.8","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@3.0.8"},{"url":"http://public2.vulnerablecode.io/api/packages/51341?format=json","purl":"pkg:maven/org.springframework.security/spring-security-core@3.0.8.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ccn-qeh9-vqgn"},{"vulnerability":"VCID-28ru-qm8a-skg3"},{"vulnerability":"VCID-46dm-5t83-tyh6"},{"vulnerability":"VCID-aygn-9njz-ybfh"},{"vulnerability":"VCID-p8md-ykt2-zyav"},{"vulnerability":"VCID-szph-1zgk-a7dt"},{"vulnerability":"VCID-vh4r-sk3t-eqe3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@3.0.8.RELEASE"},{"url":"http://public2.vulnerablecode.io/api/packages/156064?format=json","purl":"pkg:maven/org.springframework.security/spring-security-core@3.1.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@3.1.3"},{"url":"http://public2.vulnerablecode.io/api/packages/51342?format=json","purl":"pkg:maven/org.springframework.security/spring-security-core@3.1.3.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ccn-qeh9-vqgn"},{"vulnerability":"VCID-28ru-qm8a-skg3"},{"vulnerability":"VCID-46dm-5t83-tyh6"},{"vulnerability":"VCID-aygn-9njz-ybfh"},{"vulnerability":"VCID-p8md-ykt2-zyav"},{"vulnerability":"VCID-szph-1zgk-a7dt"},{"vulnerability":"VCID-vh4r-sk3t-eqe3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@3.1.3.RELEASE"}],"aliases":["CVE-2012-5055","GHSA-3533-rvpc-6x56"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-m3ht-28wc-yyeg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47267?format=json","vulnerability_id":"VCID-p8md-ykt2-zyav","summary":"Erroneous authentication pass in Spring Security\nIn Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, versions 6.2.x prior to 6.2.3, an application is possible vulnerable to broken access control when it directly uses the AuthenticatedVoter#vote passing a null Authentication parameter.\n\nSpecifically, an application is vulnerable if:\n\nThe application uses AuthenticatedVoter directly and a null authentication parameter is passed to it resulting in an erroneous true return value.\n\nAn application is not vulnerable if any of the following is true:\n\n* The application does not use AuthenticatedVoter#vote directly.\n* The application does not pass null to AuthenticatedVoter#vote.\n\nNote that AuthenticatedVoter is deprecated since 5.8, use implementations of AuthorizationManager as a replacement.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-22257.json","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-22257.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-22257","reference_id":"","reference_type":"","scores":[{"value":"0.00264","scoring_system":"epss","scoring_elements":"0.50013","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00394","scoring_system":"epss","scoring_elements":"0.6064","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00394","scoring_system":"epss","scoring_elements":"0.60652","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00394","scoring_system":"epss","scoring_elements":"0.60641","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00394","scoring_system":"epss","scoring_elements":"0.60624","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-22257"},{"reference_url":"https://github.com/spring-projects/spring-security","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-security"},{"reference_url":"https://github.com/spring-projects/spring-security/commit/5a7f12f1a9fdb4edaab6f61495f1d781a7273b61","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-security/commit/5a7f12f1a9fdb4edaab6f61495f1d781a7273b61"},{"reference_url":"https://security.netapp.com/advisory/ntap-20240419-0005","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20240419-0005"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2270158","reference_id":"2270158","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2270158"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-22257","reference_id":"CVE-2024-22257","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-22257"},{"reference_url":"https://spring.io/security/cve-2024-22257","reference_id":"CVE-2024-22257","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-12T15:22:14Z/"}],"url":"https://spring.io/security/cve-2024-22257"},{"reference_url":"https://github.com/advisories/GHSA-f3jh-qvm4-mg39","reference_id":"GHSA-f3jh-qvm4-mg39","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f3jh-qvm4-mg39"},{"reference_url":"https://security.netapp.com/advisory/ntap-20240419-0005/","reference_id":"ntap-20240419-0005","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-12T15:22:14Z/"}],"url":"https://security.netapp.com/advisory/ntap-20240419-0005/"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3708","reference_id":"RHSA-2024:3708","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3708"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/69437?format=json","purl":"pkg:maven/org.springframework.security/spring-security-core@5.7.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ccn-qeh9-vqgn"},{"vulnerability":"VCID-tnva-qhzr-w3fe"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.7.12"},{"url":"http://public2.vulnerablecode.io/api/packages/69438?format=json","purl":"pkg:maven/org.springframework.security/spring-security-core@5.8.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ccn-qeh9-vqgn"},{"vulnerability":"VCID-tnva-qhzr-w3fe"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.8.11"},{"url":"http://public2.vulnerablecode.io/api/packages/69439?format=json","purl":"pkg:maven/org.springframework.security/spring-security-core@6.1.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ccn-qeh9-vqgn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.1.8"},{"url":"http://public2.vulnerablecode.io/api/packages/69440?format=json","purl":"pkg:maven/org.springframework.security/spring-security-core@6.2.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ccn-qeh9-vqgn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.2.3"}],"aliases":["CVE-2024-22257","GHSA-f3jh-qvm4-mg39"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-p8md-ykt2-zyav"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/102640?format=json","vulnerability_id":"VCID-szph-1zgk-a7dt","summary":"springframework: BCrypt skips salt rounds for work factor of 31","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-22976.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-22976.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-22976","reference_id":"","reference_type":"","scores":[{"value":"0.0036","scoring_system":"epss","scoring_elements":"0.58516","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0036","scoring_system":"epss","scoring_elements":"0.58526","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0036","scoring_system":"epss","scoring_elements":"0.5847","published_at":"2026-06-04T12:55:00Z"},{"value":"0.0036","scoring_system":"epss","scoring_elements":"0.58519","published_at":"2026-06-09T12:55:00Z"},{"value":"0.0036","scoring_system":"epss","scoring_elements":"0.58503","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0036","scoring_system":"epss","scoring_elements":"0.58518","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-22976"},{"reference_url":"https://github.com/spring-projects/spring-security","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-security"},{"reference_url":"https://github.com/spring-projects/spring-security/commit/388a7b62b906bd56deadb7ca45248fa1a63bdf12","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-security/commit/388a7b62b906bd56deadb7ca45248fa1a63bdf12"},{"reference_url":"https://github.com/spring-projects/spring-security/commit/a40f73521c0dd88b879ff6165d280e78bdf8154f","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-security/commit/a40f73521c0dd88b879ff6165d280e78bdf8154f"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22976","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22976"},{"reference_url":"https://security.netapp.com/advisory/ntap-20220707-0003","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20220707-0003"},{"reference_url":"https://tanzu.vmware.com/security/cve-2022-22976","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://tanzu.vmware.com/security/cve-2022-22976"},{"reference_url":"https://www.oracle.com/security-alerts/cpujul2022.html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2087214","reference_id":"2087214","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2087214"},{"reference_url":"https://github.com/advisories/GHSA-wx54-3278-m5g4","reference_id":"GHSA-wx54-3278-m5g4","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wx54-3278-m5g4"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:5532","reference_id":"RHSA-2022:5532","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:5532"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3663","reference_id":"RHSA-2023:3663","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3663"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/152911?format=json","purl":"pkg:maven/org.springframework.security/spring-security-core@5.5.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ccn-qeh9-vqgn"},{"vulnerability":"VCID-p8md-ykt2-zyav"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.5.7"},{"url":"http://public2.vulnerablecode.io/api/packages/152912?format=json","purl":"pkg:maven/org.springframework.security/spring-security-core@5.6.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ccn-qeh9-vqgn"},{"vulnerability":"VCID-gmgk-38nq-mkfb"},{"vulnerability":"VCID-p8md-ykt2-zyav"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.6.4"}],"aliases":["CVE-2022-22976","GHSA-wx54-3278-m5g4"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-szph-1zgk-a7dt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/111469?format=json","vulnerability_id":"VCID-uxfq-rj43-a7bd","summary":"Concurrent Execution using Shared Resource with Improper Synchronization in Spring Security\nRace condition in the RunAsManager mechanism in VMware SpringSource Spring Security before 2.0.7 and 3.0.x before 3.0.6 stores the Authentication object in the shared security context, which allows attackers to gain privileges via a crafted thread.","references":[{"reference_url":"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=677814","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=677814"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2011-2731.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2011-2731.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2011-2731","reference_id":"","reference_type":"","scores":[{"value":"0.00227","scoring_system":"epss","scoring_elements":"0.45555","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00227","scoring_system":"epss","scoring_elements":"0.45582","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00227","scoring_system":"epss","scoring_elements":"0.45587","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00227","scoring_system":"epss","scoring_elements":"0.45567","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00227","scoring_system":"epss","scoring_elements":"0.45542","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00227","scoring_system":"epss","scoring_elements":"0.45514","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2011-2731"},{"reference_url":"https://github.com/spring-projects/spring-security","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-security"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2011-2731","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2011-2731"},{"reference_url":"http://support.springsource.com/security/cve-2011-2731","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://support.springsource.com/security/cve-2011-2731"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=737613","reference_id":"737613","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=737613"},{"reference_url":"https://github.com/advisories/GHSA-4644-hg35-55m9","reference_id":"GHSA-4644-hg35-55m9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4644-hg35-55m9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/63208?format=json","purl":"pkg:maven/org.springframework.security/spring-security-core@3.0.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@3.0.6"},{"url":"http://public2.vulnerablecode.io/api/packages/181304?format=json","purl":"pkg:maven/org.springframework.security/spring-security-core@3.0.6.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ccn-qeh9-vqgn"},{"vulnerability":"VCID-28ru-qm8a-skg3"},{"vulnerability":"VCID-46dm-5t83-tyh6"},{"vulnerability":"VCID-aygn-9njz-ybfh"},{"vulnerability":"VCID-m3ht-28wc-yyeg"},{"vulnerability":"VCID-p8md-ykt2-zyav"},{"vulnerability":"VCID-szph-1zgk-a7dt"},{"vulnerability":"VCID-vh4r-sk3t-eqe3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@3.0.6.RELEASE"}],"aliases":["CVE-2011-2731","GHSA-4644-hg35-55m9"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-uxfq-rj43-a7bd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/5680?format=json","vulnerability_id":"VCID-vh4r-sk3t-eqe3","summary":"privilege escalation","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22112.json","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22112.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22112","reference_id":"","reference_type":"","scores":[{"value":"0.00979","scoring_system":"epss","scoring_elements":"0.77093","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00979","scoring_system":"epss","scoring_elements":"0.77124","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00979","scoring_system":"epss","scoring_elements":"0.77123","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00979","scoring_system":"epss","scoring_elements":"0.77114","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00979","scoring_system":"epss","scoring_elements":"0.77135","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22112"},{"reference_url":"https://github.com/spring-projects/spring-security","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-security"},{"reference_url":"https://github.com/spring-projects/spring-security/releases/tag/5.4.4","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-security/releases/tag/5.4.4"},{"reference_url":"https://lists.apache.org/thread.html/r163b3e4e39803882f5be05ee8606b2b9812920e196daa2a82997ce14@%3Cpluto-dev.portals.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r163b3e4e39803882f5be05ee8606b2b9812920e196daa2a82997ce14@%3Cpluto-dev.portals.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r2cb05e499807900ba23e539643eead9c5f0652fd271f223f89da1804@%3Cpluto-scm.portals.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r2cb05e499807900ba23e539643eead9c5f0652fd271f223f89da1804@%3Cpluto-scm.portals.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r37423ec7eea340e92a409452c35b649dce02fdc467f0b3f52086c177@%3Cpluto-dev.portals.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r37423ec7eea340e92a409452c35b649dce02fdc467f0b3f52086c177@%3Cpluto-dev.portals.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r3868207b967f926819fe3aa8d33f1666429be589bb4a62104a49f4e3@%3Cpluto-dev.portals.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r3868207b967f926819fe3aa8d33f1666429be589bb4a62104a49f4e3@%3Cpluto-dev.portals.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r390783b3b1c59b978131ac08390bf77fbb3863270cbde59d5b0f5fde@%3Cpluto-dev.portals.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r390783b3b1c59b978131ac08390bf77fbb3863270cbde59d5b0f5fde@%3Cpluto-dev.portals.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r413e380088c427f56102968df89ef2f336473e1b56b7d4b3a571a378@%3Cpluto-dev.portals.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r413e380088c427f56102968df89ef2f336473e1b56b7d4b3a571a378@%3Cpluto-dev.portals.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r89aa1b48a827f5641310305214547f1d6b2101971a49b624737c497f@%3Cpluto-dev.portals.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r89aa1b48a827f5641310305214547f1d6b2101971a49b624737c497f@%3Cpluto-dev.portals.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/ra53677224fe4f04c2599abc88032076faa18dc84b329cdeba85d4cfc@%3Cpluto-scm.portals.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/ra53677224fe4f04c2599abc88032076faa18dc84b329cdeba85d4cfc@%3Cpluto-scm.portals.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/ra6389b1b82108a3b6bbcd22979f7665fd437c2a3408c9509a15a9ca1@%3Cpluto-dev.portals.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/ra6389b1b82108a3b6bbcd22979f7665fd437c2a3408c9509a15a9ca1@%3Cpluto-dev.portals.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/redbd004a503b3520ae5746c2ab5e93fd7da807a8c128e60d2002cd9b@%3Cissues.nifi.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/redbd004a503b3520ae5746c2ab5e93fd7da807a8c128e60d2002cd9b@%3Cissues.nifi.apache.org%3E"},{"reference_url":"https://www.jenkins.io/security/advisory/2021-02-19","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.jenkins.io/security/advisory/2021-02-19"},{"reference_url":"https://www.jenkins.io/security/advisory/2021-02-19/","reference_id":"","reference_type":"","scores":[],"url":"https://www.jenkins.io/security/advisory/2021-02-19/"},{"reference_url":"https://www.oracle.com/security-alerts/cpuApr2021.html","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"reference_url":"https://www.oracle.com//security-alerts/cpujul2021.html","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpuoct2021.html","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"reference_url":"http://www.openwall.com/lists/oss-security/2021/02/19/7","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2021/02/19/7"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1931453","reference_id":"1931453","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1931453"},{"reference_url":"https://security.archlinux.org/AVG-1595","reference_id":"AVG-1595","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1595"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22112","reference_id":"CVE-2021-22112","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22112"},{"reference_url":"https://tanzu.vmware.com/security/cve-2021-22112","reference_id":"CVE-2021-22112","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://tanzu.vmware.com/security/cve-2021-22112"},{"reference_url":"https://github.com/advisories/GHSA-gq28-h5vg-8prx","reference_id":"GHSA-gq28-h5vg-8prx","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gq28-h5vg-8prx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/79810?format=json","purl":"pkg:maven/org.springframework.security/spring-security-core@5.2.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.2.9"},{"url":"http://public2.vulnerablecode.io/api/packages/289983?format=json","purl":"pkg:maven/org.springframework.security/spring-security-core@5.2.9.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ccn-qeh9-vqgn"},{"vulnerability":"VCID-p8md-ykt2-zyav"},{"vulnerability":"VCID-szph-1zgk-a7dt"},{"vulnerability":"VCID-ux7y-j3kn-b7fg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.2.9.RELEASE"},{"url":"http://public2.vulnerablecode.io/api/packages/79809?format=json","purl":"pkg:maven/org.springframework.security/spring-security-core@5.3.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ux7y-j3kn-b7fg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.3.9"},{"url":"http://public2.vulnerablecode.io/api/packages/289990?format=json","purl":"pkg:maven/org.springframework.security/spring-security-core@5.3.9.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ccn-qeh9-vqgn"},{"vulnerability":"VCID-p8md-ykt2-zyav"},{"vulnerability":"VCID-szph-1zgk-a7dt"},{"vulnerability":"VCID-ux7y-j3kn-b7fg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.3.9.RELEASE"},{"url":"http://public2.vulnerablecode.io/api/packages/79808?format=json","purl":"pkg:maven/org.springframework.security/spring-security-core@5.4.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ccn-qeh9-vqgn"},{"vulnerability":"VCID-p8md-ykt2-zyav"},{"vulnerability":"VCID-szph-1zgk-a7dt"},{"vulnerability":"VCID-ux7y-j3kn-b7fg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.4.4"}],"aliases":["CVE-2021-22112","GHSA-gq28-h5vg-8prx"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vh4r-sk3t-eqe3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/44172?format=json","vulnerability_id":"VCID-zb97-bzya-4uek","summary":"Improper Control of Generation of Code ('Code Injection')\nCRLF injection vulnerability in the logout functionality in VMware SpringSource Spring Security before 2.0.7 and 3.0.x before 3.0.6 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the spring-security-redirect parameter.","references":[{"reference_url":"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=677814","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=677814"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2011-2732.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2011-2732.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2011-2732","reference_id":"","reference_type":"","scores":[{"value":"0.07155","scoring_system":"epss","scoring_elements":"0.91732","published_at":"2026-06-09T12:55:00Z"},{"value":"0.07155","scoring_system":"epss","scoring_elements":"0.91721","published_at":"2026-06-05T12:55:00Z"},{"value":"0.07155","scoring_system":"epss","scoring_elements":"0.91724","published_at":"2026-06-06T12:55:00Z"},{"value":"0.07155","scoring_system":"epss","scoring_elements":"0.9172","published_at":"2026-06-07T12:55:00Z"},{"value":"0.07155","scoring_system":"epss","scoring_elements":"0.91718","published_at":"2026-06-08T12:55:00Z"},{"value":"0.07155","scoring_system":"epss","scoring_elements":"0.91709","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2011-2732"},{"reference_url":"https://github.com/spring-projects/spring-security","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/spring-projects/spring-security"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=737617","reference_id":"737617","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=737617"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2011-2732","reference_id":"CVE-2011-2732","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2011-2732"},{"reference_url":"http://support.springsource.com/security/cve-2011-2732","reference_id":"CVE-2011-2732","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://support.springsource.com/security/cve-2011-2732"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/remote/36130.txt","reference_id":"CVE-2011-2732;OSVDB-75266","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/remote/36130.txt"},{"reference_url":"https://www.securityfocus.com/bid/49535/info","reference_id":"CVE-2011-2732;OSVDB-75266","reference_type":"exploit","scores":[],"url":"https://www.securityfocus.com/bid/49535/info"},{"reference_url":"https://github.com/advisories/GHSA-5xm9-rf63-wj7h","reference_id":"GHSA-5xm9-rf63-wj7h","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5xm9-rf63-wj7h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/63208?format=json","purl":"pkg:maven/org.springframework.security/spring-security-core@3.0.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@3.0.6"},{"url":"http://public2.vulnerablecode.io/api/packages/181304?format=json","purl":"pkg:maven/org.springframework.security/spring-security-core@3.0.6.RELEASE","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ccn-qeh9-vqgn"},{"vulnerability":"VCID-28ru-qm8a-skg3"},{"vulnerability":"VCID-46dm-5t83-tyh6"},{"vulnerability":"VCID-aygn-9njz-ybfh"},{"vulnerability":"VCID-m3ht-28wc-yyeg"},{"vulnerability":"VCID-p8md-ykt2-zyav"},{"vulnerability":"VCID-szph-1zgk-a7dt"},{"vulnerability":"VCID-vh4r-sk3t-eqe3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@3.0.6.RELEASE"}],"aliases":["CVE-2011-2732","GHSA-5xm9-rf63-wj7h"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zb97-bzya-4uek"}],"fixing_vulnerabilities":[],"risk_score":"10.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@3.0.3.RELEASE"}