Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:maven/org.springframework.security/spring-security-core@5.8.4
Typemaven
Namespaceorg.springframework.security
Namespring-security-core
Version5.8.4
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version6.2.8
Latest_non_vulnerable_version7.0.5
Affected_by_vulnerabilities
0
url VCID-1ccn-qeh9-vqgn
vulnerability_id VCID-1ccn-qeh9-vqgn
summary 
This advisory has been marked as False-Positive and removed
The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in authorization rules not working properly.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-38827.json
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-38827.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-38827
reference_id
reference_type
scores
0
value 0.00399
scoring_system epss
scoring_elements 0.61004
published_at 2026-06-09T12:55:00Z
1
value 0.00399
scoring_system epss
scoring_elements 0.61005
published_at 2026-06-05T12:55:00Z
2
value 0.00399
scoring_system epss
scoring_elements 0.60985
published_at 2026-06-08T12:55:00Z
3
value 0.00399
scoring_system epss
scoring_elements 0.61003
published_at 2026-06-07T12:55:00Z
4
value 0.00399
scoring_system epss
scoring_elements 0.61013
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-38827
2
reference_url https://github.com/spring-projects/spring-framework
reference_id
reference_type
scores
url https://github.com/spring-projects/spring-framework
3
reference_url https://github.com/spring-projects/spring-framework/commit/11d4272ff48b4a4dabc4b28dfbff0364a4204bc9
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/spring-projects/spring-framework/commit/11d4272ff48b4a4dabc4b28dfbff0364a4204bc9
4
reference_url https://github.com/spring-projects/spring-framework/issues/33708
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/spring-projects/spring-framework/issues/33708
5
reference_url https://github.com/spring-projects/spring-framework/issues/34232
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/spring-projects/spring-framework/issues/34232
6
reference_url https://github.com/spring-projects/spring-security
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/spring-projects/spring-security
7
reference_url https://security.netapp.com/advisory/ntap-20250124-0007
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20250124-0007
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2329971
reference_id 2329971
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2329971
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-38827
reference_id CVE-2024-38827
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-38827
10
reference_url https://spring.io/security/cve-2024-38827
reference_id CVE-2024-38827
reference_type
scores
0
value 4.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-02T15:27:02Z/
url https://spring.io/security/cve-2024-38827
11
reference_url https://github.com/advisories/GHSA-q3v6-hm2v-pw99
reference_id GHSA-q3v6-hm2v-pw99
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-q3v6-hm2v-pw99
fixed_packages
0
url pkg:maven/org.springframework.security/spring-security-core@5.8.16
purl pkg:maven/org.springframework.security/spring-security-core@5.8.16
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-tnva-qhzr-w3fe
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.8.16
1
url pkg:maven/org.springframework.security/spring-security-core@6.0.14
purl pkg:maven/org.springframework.security/spring-security-core@6.0.14
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.0.14
2
url pkg:maven/org.springframework.security/spring-security-core@6.1.12
purl pkg:maven/org.springframework.security/spring-security-core@6.1.12
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.1.12
3
url pkg:maven/org.springframework.security/spring-security-core@6.2.8
purl pkg:maven/org.springframework.security/spring-security-core@6.2.8
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.2.8
4
url pkg:maven/org.springframework.security/spring-security-core@6.3.5
purl pkg:maven/org.springframework.security/spring-security-core@6.3.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-tnva-qhzr-w3fe
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.3.5
aliases CVE-2024-38827, GHSA-q3v6-hm2v-pw99
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1ccn-qeh9-vqgn
1
url VCID-bxsu-s2pg-8bbt
vulnerability_id VCID-bxsu-s2pg-8bbt
summary 
Incorrect Authorization
Spring Security versions 5.8 prior to 5.8.5, 6.0 prior to 6.0.5, and 6.1 prior to 6.1.2 could be susceptible to authorization rule misconfiguration if the application uses requestMatchers(String) and multiple servlets, one of them being Spring MVC’s DispatcherServlet. (DispatcherServlet is a Spring MVC component that maps HTTP endpoints to methods on @Controller-annotated classes.)

Specifically, an application is vulnerable when all of the following are true:

 * Spring MVC is on the classpath
 * Spring Security is securing more than one servlet in a single application (one of them being Spring MVC’s DispatcherServlet)
 * The application uses requestMatchers(String) to refer to endpoints that are not Spring MVC endpoints


An application is not vulnerable if any of the following is true:

 * The application does not have Spring MVC on the classpath
 * The application secures no servlets other than Spring MVC’s DispatcherServlet
 * The application uses requestMatchers(String) only for Spring MVC endpoints
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-34035
reference_id
reference_type
scores
0
value 0.02632
scoring_system epss
scoring_elements 0.85997
published_at 2026-06-05T12:55:00Z
1
value 0.02632
scoring_system epss
scoring_elements 0.85998
published_at 2026-06-09T12:55:00Z
2
value 0.02632
scoring_system epss
scoring_elements 0.85985
published_at 2026-06-08T12:55:00Z
3
value 0.02632
scoring_system epss
scoring_elements 0.85996
published_at 2026-06-07T12:55:00Z
4
value 0.02632
scoring_system epss
scoring_elements 0.86
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-34035
1
reference_url https://github.com/spring-projects/spring-security/commit/bb46a5427005e33e637b15948de8adae244ce547
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/spring-projects/spring-security/commit/bb46a5427005e33e637b15948de8adae244ce547
2
reference_url https://github.com/spring-projects/spring-security/commit/df239b6448ccf138b0c95b5575a88f33ac35cd9a
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/spring-projects/spring-security/commit/df239b6448ccf138b0c95b5575a88f33ac35cd9a
3
reference_url https://github.com/spring-projects/spring-security-samples/commit/4e3bec904a5467db28ea33e25ac9d90524b53d66
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/spring-projects/spring-security-samples/commit/4e3bec904a5467db28ea33e25ac9d90524b53d66
4
reference_url https://github.com/spring-projects/spring-security-samples/tree/main/servlet/java-configuration/authentication/preauth
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/spring-projects/spring-security-samples/tree/main/servlet/java-configuration/authentication/preauth
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-34035
reference_id CVE-2023-34035
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-34035
6
reference_url https://spring.io/security/cve-2023-34035
reference_id CVE-2023-34035
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-25T15:47:27Z/
url https://spring.io/security/cve-2023-34035
7
reference_url https://github.com/advisories/GHSA-4vpr-xfrp-cj64
reference_id GHSA-4vpr-xfrp-cj64
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-4vpr-xfrp-cj64
fixed_packages
0
url pkg:maven/org.springframework.security/spring-security-core@5.8.5
purl pkg:maven/org.springframework.security/spring-security-core@5.8.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1ccn-qeh9-vqgn
1
vulnerability VCID-p8md-ykt2-zyav
2
vulnerability VCID-tnva-qhzr-w3fe
3
vulnerability VCID-zwjj-ej27-sfes
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.8.5
1
url pkg:maven/org.springframework.security/spring-security-core@6.0.5
purl pkg:maven/org.springframework.security/spring-security-core@6.0.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1ccn-qeh9-vqgn
1
vulnerability VCID-p8md-ykt2-zyav
2
vulnerability VCID-zwjj-ej27-sfes
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.0.5
2
url pkg:maven/org.springframework.security/spring-security-core@6.1.2
purl pkg:maven/org.springframework.security/spring-security-core@6.1.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1ccn-qeh9-vqgn
1
vulnerability VCID-238s-fv2m-u3bp
2
vulnerability VCID-p8md-ykt2-zyav
3
vulnerability VCID-zwjj-ej27-sfes
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.1.2
aliases CVE-2023-34035, GHSA-4vpr-xfrp-cj64
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bxsu-s2pg-8bbt
2
url VCID-gmgk-38nq-mkfb
vulnerability_id VCID-gmgk-38nq-mkfb
summary 
Improper Handling of Inconsistent Structural Elements
Using "**" as a pattern in Spring Security configuration 
for WebFlux creates a mismatch in pattern matching between Spring 
Security and Spring WebFlux, and the potential for a security bypass.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-34034.json
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-34034.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-34034
reference_id
reference_type
scores
0
value 0.4929
scoring_system epss
scoring_elements 0.97844
published_at 2026-06-09T12:55:00Z
1
value 0.4929
scoring_system epss
scoring_elements 0.97843
published_at 2026-06-05T12:55:00Z
2
value 0.4929
scoring_system epss
scoring_elements 0.97845
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-34034
2
reference_url https://security.netapp.com/advisory/ntap-20230814-0008
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20230814-0008
3
reference_url https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-5777893
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-5777893
4
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2241271
reference_id 2241271
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2241271
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-34034
reference_id CVE-2023-34034
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-34034
6
reference_url https://ossindex.sonatype.org/vulnerability/CVE-2023-34034
reference_id CVE-2023-34034
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://ossindex.sonatype.org/vulnerability/CVE-2023-34034
7
reference_url https://spring.io/security/cve-2023-34034
reference_id CVE-2023-34034
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-28T14:34:24Z/
url https://spring.io/security/cve-2023-34034
8
reference_url https://github.com/advisories/GHSA-3h6f-g5f3-gc4w
reference_id GHSA-3h6f-g5f3-gc4w
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-3h6f-g5f3-gc4w
9
reference_url https://security.netapp.com/advisory/ntap-20230814-0008/
reference_id ntap-20230814-0008
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-28T14:34:24Z/
url https://security.netapp.com/advisory/ntap-20230814-0008/
10
reference_url https://access.redhat.com/errata/RHSA-2023:7247
reference_id RHSA-2023:7247
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:7247
fixed_packages
0
url pkg:maven/org.springframework.security/spring-security-core@5.8.5
purl pkg:maven/org.springframework.security/spring-security-core@5.8.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1ccn-qeh9-vqgn
1
vulnerability VCID-p8md-ykt2-zyav
2
vulnerability VCID-tnva-qhzr-w3fe
3
vulnerability VCID-zwjj-ej27-sfes
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.8.5
1
url pkg:maven/org.springframework.security/spring-security-core@6.0.5
purl pkg:maven/org.springframework.security/spring-security-core@6.0.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1ccn-qeh9-vqgn
1
vulnerability VCID-p8md-ykt2-zyav
2
vulnerability VCID-zwjj-ej27-sfes
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.0.5
2
url pkg:maven/org.springframework.security/spring-security-core@6.1.2
purl pkg:maven/org.springframework.security/spring-security-core@6.1.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1ccn-qeh9-vqgn
1
vulnerability VCID-238s-fv2m-u3bp
2
vulnerability VCID-p8md-ykt2-zyav
3
vulnerability VCID-zwjj-ej27-sfes
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.1.2
aliases CVE-2023-34034, GHSA-3h6f-g5f3-gc4w
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gmgk-38nq-mkfb
3
url VCID-p8md-ykt2-zyav
vulnerability_id VCID-p8md-ykt2-zyav
summary 
Erroneous authentication pass in Spring Security
In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, versions 6.2.x prior to 6.2.3, an application is possible vulnerable to broken access control when it directly uses the AuthenticatedVoter#vote passing a null Authentication parameter.

Specifically, an application is vulnerable if:

The application uses AuthenticatedVoter directly and a null authentication parameter is passed to it resulting in an erroneous true return value.

An application is not vulnerable if any of the following is true:

* The application does not use AuthenticatedVoter#vote directly.
* The application does not pass null to AuthenticatedVoter#vote.

Note that AuthenticatedVoter is deprecated since 5.8, use implementations of AuthorizationManager as a replacement.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-22257.json
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-22257.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-22257
reference_id
reference_type
scores
0
value 0.00264
scoring_system epss
scoring_elements 0.50013
published_at 2026-06-05T12:55:00Z
1
value 0.00394
scoring_system epss
scoring_elements 0.6064
published_at 2026-06-09T12:55:00Z
2
value 0.00394
scoring_system epss
scoring_elements 0.60652
published_at 2026-06-06T12:55:00Z
3
value 0.00394
scoring_system epss
scoring_elements 0.60641
published_at 2026-06-07T12:55:00Z
4
value 0.00394
scoring_system epss
scoring_elements 0.60624
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-22257
2
reference_url https://github.com/spring-projects/spring-security
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/spring-projects/spring-security
3
reference_url https://github.com/spring-projects/spring-security/commit/5a7f12f1a9fdb4edaab6f61495f1d781a7273b61
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/spring-projects/spring-security/commit/5a7f12f1a9fdb4edaab6f61495f1d781a7273b61
4
reference_url https://security.netapp.com/advisory/ntap-20240419-0005
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20240419-0005
5
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2270158
reference_id 2270158
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2270158
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-22257
reference_id CVE-2024-22257
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-22257
7
reference_url https://spring.io/security/cve-2024-22257
reference_id CVE-2024-22257
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-12T15:22:14Z/
url https://spring.io/security/cve-2024-22257
8
reference_url https://github.com/advisories/GHSA-f3jh-qvm4-mg39
reference_id GHSA-f3jh-qvm4-mg39
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-f3jh-qvm4-mg39
9
reference_url https://security.netapp.com/advisory/ntap-20240419-0005/
reference_id ntap-20240419-0005
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-11-12T15:22:14Z/
url https://security.netapp.com/advisory/ntap-20240419-0005/
10
reference_url https://access.redhat.com/errata/RHSA-2024:3708
reference_id RHSA-2024:3708
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3708
fixed_packages
0
url pkg:maven/org.springframework.security/spring-security-core@5.8.11
purl pkg:maven/org.springframework.security/spring-security-core@5.8.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1ccn-qeh9-vqgn
1
vulnerability VCID-tnva-qhzr-w3fe
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.8.11
1
url pkg:maven/org.springframework.security/spring-security-core@6.1.8
purl pkg:maven/org.springframework.security/spring-security-core@6.1.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1ccn-qeh9-vqgn
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.1.8
2
url pkg:maven/org.springframework.security/spring-security-core@6.2.3
purl pkg:maven/org.springframework.security/spring-security-core@6.2.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1ccn-qeh9-vqgn
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.2.3
aliases CVE-2024-22257, GHSA-f3jh-qvm4-mg39
risk_score 4.4
exploitability 0.5
weighted_severity 8.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-p8md-ykt2-zyav
4
url VCID-tnva-qhzr-w3fe
vulnerability_id VCID-tnva-qhzr-w3fe
summary Spring Security: Spring Security: Timing attack defense bypass allows information disclosure
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22746.json
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22746.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-22746
reference_id
reference_type
scores
0
value 0.00067
scoring_system epss
scoring_elements 0.20723
published_at 2026-06-09T12:55:00Z
1
value 0.00067
scoring_system epss
scoring_elements 0.20839
published_at 2026-06-05T12:55:00Z
2
value 0.00067
scoring_system epss
scoring_elements 0.20825
published_at 2026-06-06T12:55:00Z
3
value 0.00067
scoring_system epss
scoring_elements 0.20781
published_at 2026-06-07T12:55:00Z
4
value 0.00067
scoring_system epss
scoring_elements 0.20718
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-22746
2
reference_url https://github.com/spring-projects/spring-security
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/spring-projects/spring-security
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-22746
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-22746
4
reference_url https://spring.io/security/cve-2026-22746
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T13:36:35Z/
url https://spring.io/security/cve-2026-22746
5
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2460485
reference_id 2460485
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2460485
6
reference_url https://github.com/advisories/GHSA-vxf7-qj7q-83fh
reference_id GHSA-vxf7-qj7q-83fh
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vxf7-qj7q-83fh
fixed_packages
0
url pkg:maven/org.springframework.security/spring-security-core@6.0.0
purl pkg:maven/org.springframework.security/spring-security-core@6.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1ccn-qeh9-vqgn
1
vulnerability VCID-bxsu-s2pg-8bbt
2
vulnerability VCID-gmgk-38nq-mkfb
3
vulnerability VCID-p8md-ykt2-zyav
4
vulnerability VCID-sa16-wq54-pubh
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.0.0
1
url pkg:maven/org.springframework.security/spring-security-core@6.5.10
purl pkg:maven/org.springframework.security/spring-security-core@6.5.10
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.5.10
2
url pkg:maven/org.springframework.security/spring-security-core@7.0.5
purl pkg:maven/org.springframework.security/spring-security-core@7.0.5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@7.0.5
aliases CVE-2026-22746, GHSA-vxf7-qj7q-83fh
risk_score 1.6
exploitability 0.5
weighted_severity 3.3
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tnva-qhzr-w3fe
5
url VCID-zwjj-ej27-sfes
vulnerability_id VCID-zwjj-ej27-sfes
summary 
The spring-security.xsd file inside the 
spring-security-config jar is world writable which means that if it were
 extracted it could be written by anyone with access to the file system.


While there are no known exploits, this is an example of “CWE-732: 
Incorrect Permission Assignment for Critical Resource” and could result 
in an exploit. Users should update to the latest version of Spring 
Security to mitigate any future exploits found around this issue.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-34042.json
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-34042.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-34042
reference_id
reference_type
scores
0
value 0.00043
scoring_system epss
scoring_elements 0.13446
published_at 2026-06-09T12:55:00Z
1
value 0.00043
scoring_system epss
scoring_elements 0.13414
published_at 2026-06-08T12:55:00Z
2
value 0.00043
scoring_system epss
scoring_elements 0.135
published_at 2026-06-07T12:55:00Z
3
value 0.00043
scoring_system epss
scoring_elements 0.13541
published_at 2026-06-06T12:55:00Z
4
value 0.00043
scoring_system epss
scoring_elements 0.13535
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-34042
2
reference_url https://github.com/spring-projects/spring-security
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/spring-projects/spring-security
3
reference_url https://github.com/spring-projects/spring-security/commit/5b293d21161e946bf241d9e974b9af93cfafaaac
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/spring-projects/spring-security/commit/5b293d21161e946bf241d9e974b9af93cfafaaac
4
reference_url https://security.netapp.com/advisory/ntap-20241129-0010
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20241129-0010
5
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2262911
reference_id 2262911
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2262911
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-34042
reference_id CVE-2023-34042
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-34042
7
reference_url https://spring.io/security/cve-2023-34042
reference_id CVE-2023-34042
reference_type
scores
0
value 4.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N
1
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-06T16:00:46Z/
url https://spring.io/security/cve-2023-34042
8
reference_url https://github.com/advisories/GHSA-9gp8-6cg8-7h34
reference_id GHSA-9gp8-6cg8-7h34
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9gp8-6cg8-7h34
fixed_packages
0
url pkg:maven/org.springframework.security/spring-security-core@5.8.7
purl pkg:maven/org.springframework.security/spring-security-core@5.8.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1ccn-qeh9-vqgn
1
vulnerability VCID-p8md-ykt2-zyav
2
vulnerability VCID-tnva-qhzr-w3fe
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.8.7
1
url pkg:maven/org.springframework.security/spring-security-core@6.0.7
purl pkg:maven/org.springframework.security/spring-security-core@6.0.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1ccn-qeh9-vqgn
1
vulnerability VCID-p8md-ykt2-zyav
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.0.7
2
url pkg:maven/org.springframework.security/spring-security-core@6.1.4
purl pkg:maven/org.springframework.security/spring-security-core@6.1.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1ccn-qeh9-vqgn
1
vulnerability VCID-238s-fv2m-u3bp
2
vulnerability VCID-p8md-ykt2-zyav
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@6.1.4
aliases CVE-2023-34042, GHSA-9gp8-6cg8-7h34
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zwjj-ej27-sfes
Fixing_vulnerabilities
Risk_score4.5
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.security/spring-security-core@5.8.4