Package details: pkg:maven/org.springframework.security/spring-security-core@5.2.0
purl pkg:maven/org.springframework.security/spring-security-core@5.2.0
Tags Ghost
Next non-vulnerable version 6.2.8
Latest non-vulnerable version 7.0.5
Risk 4.0
Vulnerabilities affecting this package (3)
Vulnerability Summary Fixed by
VCID-2fan-h878-8faj
Aliases:
CVE-2020-5408
GHSA-2ppp-9496-p23q
Use of Insufficiently Random Values: Spring Security uses a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.
5.2.4
Affected by 0 other vulnerabilities.
5.2.4.RELEASE
Affected by 5 other vulnerabilities.
5.3.2
Affected by 0 other vulnerabilities.
5.3.2.RELEASE
Affected by 5 other vulnerabilities.
VCID-mve7-dcsz-p7d7
Aliases:
CVE-2020-5407
GHSA-48rw-j489-928m
Improper Verification of Cryptographic Signature: When using the spring-security-saml2-service-provider component, a malicious user can carefully modify an otherwise valid SAML response and append an arbitrary assertion that Spring Security will accept as valid.
5.2.4
Affected by 0 other vulnerabilities.
5.2.4.RELEASE
Affected by 5 other vulnerabilities.
5.3.2
Affected by 0 other vulnerabilities.
5.3.2.RELEASE
Affected by 5 other vulnerabilities.
VCID-ux7y-j3kn-b7fg
Aliases:
CVE-2021-22119
GHSA-w9jg-gvgr-354m
Incorrect Authorization: Spring Security versions 5.5.x prior to 5.5.1, 5.4.x prior to 5.4.7, 5.3.x prior to 5.3.10 and 5.2.x prior to 5.2.11 are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client Web and WebFlux application. A malicious user or attacker can send multiple requests initiating the Authorization Request for the Authorization Code Grant, which has the potential of exhausting system resources using a single session or multiple sessions.
5.2.11
Affected by 0 other vulnerabilities.
5.2.11.RELEASE
Affected by 3 other vulnerabilities.
5.3.10
Affected by 0 other vulnerabilities.
5.3.10.RELEASE
Affected by 3 other vulnerabilities.
5.4.7
Affected by 3 other vulnerabilities.
5.5.1
Affected by 3 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-05T21:12:10.767870+00:00 GHSA Importer Affected by VCID-2fan-h878-8faj https://github.com/advisories/GHSA-2ppp-9496-p23q 38.6.0
2026-06-05T21:12:03.508351+00:00 GHSA Importer Affected by VCID-mve7-dcsz-p7d7 https://github.com/advisories/GHSA-48rw-j489-928m 38.6.0
2026-06-04T16:21:34.726685+00:00 GitLab Importer Affected by VCID-ux7y-j3kn-b7fg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security/spring-security-core/CVE-2021-22119.yml 38.6.0
2026-06-04T16:20:02.539650+00:00 GitLab Importer Affected by VCID-mve7-dcsz-p7d7 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security/spring-security-core/CVE-2020-5407.yml 38.6.0
2026-06-04T16:19:59.981397+00:00 GitLab Importer Affected by VCID-2fan-h878-8faj https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security/spring-security-core/CVE-2020-5408.yml 38.6.0