VulnerableCode Package Details - pkg:maven/org.springframework.security/spring-security-core@4.2.3.RELEASE

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:maven/org.springframework.security/spring-security-core@4.2.3.RELEASE

Essentials
History (8)

purl	pkg:maven/org.springframework.security/spring-security-core@4.2.3.RELEASE

Next non-vulnerable version	4.2.4
Latest non-vulnerable version	7.0.5
Risk	4.0

Vulnerabilities affecting this package (5)

Vulnerability	Summary	Fixed by
VCID-2fan-h878-8faj Aliases: CVE-2020-5408 GHSA-2ppp-9496-p23q	Use of Insufficiently Random Values Spring Security uses a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.	4.2.16 Affected by 0 other vulnerabilities. 4.2.16.RELEASE Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 5.0.16 Affected by 0 other vulnerabilities. 5.0.16.RELEASE Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 5.1.10 Affected by 0 other vulnerabilities. 5.1.10.RELEASE Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 5.2.4 Affected by 0 other vulnerabilities. 5.2.4.RELEASE Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 5.3.2 Affected by 0 other vulnerabilities. 5.3.2.RELEASE Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-3jmf-5kbf-bbe2 Aliases: CVE-2019-11272 GHSA-v33x-prhc-gph5	PlaintextPasswordEncoder authenticates encoded passwords that are null Spring Security supports plain text passwords using `PlaintextPasswordEncoder`. a malicious user (or attacker) can authenticate using a password of `null`.	4.2.13 Affected by 0 other vulnerabilities. 4.2.13.RELEASE Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-3p1k-4ges-1fev Aliases: CVE-2019-3795 GHSA-v2r2-7qm7-jj6v	Insufficient Entropy in PRNG Spring Security contain an insecure randomness vulnerability when using `SecureRandomFactoryBean#setSeed` to configure a `SecureRandom` instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.	4.2.12 Affected by 0 other vulnerabilities. 4.2.12.RELEASE Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 4.2.13.RELEASE Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 5.0.12 Affected by 0 other vulnerabilities. 5.0.12.RELEASE Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 5.0.13.RELEASE Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 5.1.5 Affected by 0 other vulnerabilities. 5.1.5.RELEASE Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 5.1.6.RELEASE Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-h4kj-zdr8-wbdr Aliases: CVE-2018-1199 GHSA-v596-fwhq-8x48	Improper Input Validation Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for `getPathInfo()` and some do not. Spring Security uses the value returned by `getPathInfo()` as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed.	4.2.4 Affected by 0 other vulnerabilities. 4.2.4.RELEASE Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 5.0.1 Affected by 0 other vulnerabilities. 5.0.1.RELEASE Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-vh4r-sk3t-eqe3 Aliases: CVE-2021-22112 GHSA-gq28-h5vg-8prx	privilege escalation	5.2.9 Affected by 0 other vulnerabilities. 5.2.9.RELEASE Affected by 0 other vulnerabilities. 5.3.9 Affected by 0 other vulnerabilities. 5.3.9.RELEASE Affected by 0 other vulnerabilities. 5.4.4 Affected by 0 other vulnerabilities.

Vulnerabilities fixed by this package (1)

Vulnerability	Summary	Aliases
VCID-efx3-b7vv-nfde	Deserialization of Untrusted Data When configured to enable default typing, Jackson contained a deserialization vulnerability that could lead to arbitrary code execution. which means that (through the previous exploit) arbitrary code could be executed if all of the following is true: (1) Spring Security's Jackson support is being leveraged by invoking `SecurityJackson2Modules.getModules(ClassLoader)` or `SecurityJackson2Modules.enableDefaultTyping(ObjectMapper);` (2) Jackson is used to deserialize data that is not trusted (Spring Security does not perform deserialization using Jackson, so this is an explicit choice of the user); and (3) there is an unknown (Jackson is not excluding it already) `deserialization gadget` that allows code execution present on the classpath. Jackson provides a exclusion approach to protecting against this type of attack, but Spring Security should be proactive against blocking unknown `deserialization gadgets` when Spring Security enables default typing.	CVE-2017-4995 GHSA-vhrg-v3cv-p247

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-04T20:45:17.771621+00:00	GitLab Importer	Affected by	VCID-vh4r-sk3t-eqe3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security/spring-security-core/CVE-2021-22112.yml	38.6.0
2026-06-04T20:30:25.470714+00:00	GitLab Importer	Affected by	VCID-2fan-h878-8faj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security/spring-security-core/CVE-2020-5408.yml	38.6.0
2026-06-04T20:23:04.889541+00:00	GitLab Importer	Affected by	VCID-3jmf-5kbf-bbe2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security/spring-security-core/CVE-2019-11272.yml	38.6.0
2026-06-04T20:20:29.762425+00:00	GitLab Importer	Affected by	VCID-3p1k-4ges-1fev	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security/spring-security-core/CVE-2019-3795.yml	38.6.0
2026-06-04T18:24:30.626725+00:00	GHSA Importer	Affected by	VCID-3p1k-4ges-1fev	https://github.com/advisories/GHSA-v2r2-7qm7-jj6v	38.6.0
2026-06-04T18:23:32.401531+00:00	GHSA Importer	Affected by	VCID-h4kj-zdr8-wbdr	https://github.com/advisories/GHSA-v596-fwhq-8x48	38.6.0
2026-06-04T18:02:19.067930+00:00	GithubOSV Importer	Fixing	VCID-efx3-b7vv-nfde	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-vhrg-v3cv-p247/GHSA-vhrg-v3cv-p247.json	38.6.0
2026-06-02T04:37:35.977454+00:00	GitLab Importer	Affected by	VCID-h4kj-zdr8-wbdr	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security/spring-security-core/CVE-2018-1199.yml	38.6.0