VulnerableCode Package Details - pkg:maven/org.springframework.security/spring-security-core@6.3.2

Search for packages

Vulnerability	Summary	Fixed by
VCID-2b4h-659w-77ak Aliases: CVE-2024-38827 GHSA-q3v6-hm2v-pw99	The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in authorization rules not working properly.	6.3.5 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-j3pn-a1kb-tues Aliases: CVE-2026-22746 GHSA-vxf7-qj7q-83fh	Vulnerability in Spring Spring Security. If an application is using the UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked user attributes, to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled, expired, or locked.This issue affects Spring Security: from 5.7.0 through 5.7.22, from 5.8.0 through 5.8.24, from 6.3.0 through 6.3.15, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.	6.5.10 Affected by 0 other vulnerabilities. 7.0.5 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-2b4h-659w-77ak
Aliases:
CVE-2024-38827
GHSA-q3v6-hm2v-pw99

The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in authorization rules not working properly.

6.3.5
Affected by 1 other vulnerability.

VCID-j3pn-a1kb-tues
Aliases:
CVE-2026-22746
GHSA-vxf7-qj7q-83fh

Vulnerability in Spring Spring Security. If an application is using the UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked user attributes, to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled, expired, or locked.This issue affects Spring Security: from 5.7.0 through 5.7.22, from 5.8.0 through 5.8.24, from 6.3.0 through 6.3.15, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.

6.5.10
Affected by 0 other vulnerabilities.

7.0.5
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-5a4d-tc2g-tkfp	Missing Authorization When Using @AuthorizeReturnObject in Spring Security 6.3.0 and 6.3.1 allows attacker to render security annotations inaffective.	CVE-2024-38810 GHSA-hmqf-wpq9-jq83

Vulnerability

Summary

Aliases

VCID-5a4d-tc2g-tkfp

Missing Authorization When Using @AuthorizeReturnObject in Spring Security 6.3.0 and 6.3.1 allows attacker to render security annotations inaffective.

CVE-2024-38810
GHSA-hmqf-wpq9-jq83

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-12T22:11:50.937692+00:00	GitLab Importer	Affected by	VCID-j3pn-a1kb-tues	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security/spring-security-core/CVE-2026-22746.yml	38.6.0
2026-06-12T19:47:36.011960+00:00	GitLab Importer	Affected by	VCID-2b4h-659w-77ak	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security/spring-security-core/CVE-2024-38827.yml	38.6.0
2026-06-12T19:37:32.859183+00:00	GitLab Importer	Fixing	VCID-5a4d-tc2g-tkfp	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security/spring-security-core/CVE-2024-38810.yml	38.6.0
2026-06-12T07:42:35.730628+00:00	GithubOSV Importer	Fixing	VCID-5a4d-tc2g-tkfp	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-hmqf-wpq9-jq83/GHSA-hmqf-wpq9-jq83.json	38.6.0
2026-06-11T20:35:50.290926+00:00	GHSA Importer	Fixing	VCID-5a4d-tc2g-tkfp	https://github.com/advisories/GHSA-hmqf-wpq9-jq83	38.6.0