Search for packages
| purl | pkg:maven/org.springframework.security/spring-security-core@4.2.12.RELEASE |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-cden-3spy-pyhz
Aliases: CVE-2022-22976 GHSA-wx54-3278-m5g4 |
Integer overflow in BCrypt class in Spring Security Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE. |
Affected by 2 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-dwcq-d6nf-1ubn
Aliases: CVE-2024-22257 GHSA-f3jh-qvm4-mg39 |
Erroneous authentication pass in Spring Security In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, versions 6.2.x prior to 6.2.3, an application is possible vulnerable to broken access control when it directly uses the AuthenticatedVoter#vote passing a null Authentication parameter. Specifically, an application is vulnerable if: The application uses AuthenticatedVoter directly and a null authentication parameter is passed to it resulting in an erroneous true return value. An application is not vulnerable if any of the following is true: * The application does not use AuthenticatedVoter#vote directly. * The application does not pass null to AuthenticatedVoter#vote. Note that AuthenticatedVoter is deprecated since 5.8, use implementations of AuthorizationManager as a replacement. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-hedq-eav6-4fee
Aliases: CVE-2020-5408 GHSA-2ppp-9496-p23q |
Insufficient Entropy in Spring Security Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack. |
Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 5 other vulnerabilities. |
|
VCID-pz7c-p4ze-kfhc
Aliases: CVE-2019-11272 GHSA-v33x-prhc-gph5 |
PlaintextPasswordEncoder authenticates encoded passwords that are null Spring Security supports plain text passwords using `PlaintextPasswordEncoder`. a malicious user (or attacker) can authenticate using a password of `null`. |
Affected by 0 other vulnerabilities. Affected by 5 other vulnerabilities. |
|
VCID-u6vb-w2bu-ykfk
Aliases: CVE-2024-38827 GHSA-q3v6-hm2v-pw99 |
Spring Framework has Authorization Bypass for Case Sensitive Comparisons The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in authorization rules not working properly. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-yeaf-ta2h-p7c1
Aliases: CVE-2021-22112 GHSA-gq28-h5vg-8prx |
Privilege escalation in spring security Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request.A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application. |
Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 1 other vulnerability. Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-f3g5-hamr-6yar | Insufficient Entropy in PRNG Spring Security contain an insecure randomness vulnerability when using `SecureRandomFactoryBean#setSeed` to configure a `SecureRandom` instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection. |
CVE-2019-3795
GHSA-v2r2-7qm7-jj6v |