Search for packages
| purl | pkg:maven/org.springframework.security/spring-security-core@5.0.6.RELEASE |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1ccn-qeh9-vqgn
Aliases: CVE-2024-38827 GHSA-q3v6-hm2v-pw99 |
This advisory has been marked as False-Positive and removed The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in authorization rules not working properly. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-2fan-h878-8faj
Aliases: CVE-2020-5408 GHSA-2ppp-9496-p23q |
Use of Insufficiently Random Values Spring Security uses a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack. |
Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 5 other vulnerabilities. |
|
VCID-3p1k-4ges-1fev
Aliases: CVE-2019-3795 GHSA-v2r2-7qm7-jj6v |
Insufficient Entropy in PRNG Spring Security contain an insecure randomness vulnerability when using `SecureRandomFactoryBean#setSeed` to configure a `SecureRandom` instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection. |
Affected by 0 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 5 other vulnerabilities. |
|
VCID-p8md-ykt2-zyav
Aliases: CVE-2024-22257 GHSA-f3jh-qvm4-mg39 |
Erroneous authentication pass in Spring Security In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, versions 6.2.x prior to 6.2.3, an application is possible vulnerable to broken access control when it directly uses the AuthenticatedVoter#vote passing a null Authentication parameter. Specifically, an application is vulnerable if: The application uses AuthenticatedVoter directly and a null authentication parameter is passed to it resulting in an erroneous true return value. An application is not vulnerable if any of the following is true: * The application does not use AuthenticatedVoter#vote directly. * The application does not pass null to AuthenticatedVoter#vote. Note that AuthenticatedVoter is deprecated since 5.8, use implementations of AuthorizationManager as a replacement. |
Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-szph-1zgk-a7dt
Aliases: CVE-2022-22976 GHSA-wx54-3278-m5g4 |
springframework: BCrypt skips salt rounds for work factor of 31 |
Affected by 2 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-vh4r-sk3t-eqe3
Aliases: CVE-2021-22112 GHSA-gq28-h5vg-8prx |
privilege escalation |
Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-jasw-zntp-nkdd | Incorrect Authorization Spring Framework when used in combination with Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted. |
CVE-2018-1258
GHSA-cxrj-66c5-9fmh |