VulnerableCode Package Details - pkg:maven/org.springframework.security/spring-security-core@6.3.9

Search for packages

Vulnerability	Summary	Fixed by
VCID-j3pn-a1kb-tues Aliases: CVE-2026-22746 GHSA-vxf7-qj7q-83fh	Vulnerability in Spring Spring Security. If an application is using the UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked user attributes, to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled, expired, or locked.This issue affects Spring Security: from 5.7.0 through 5.7.22, from 5.8.0 through 5.8.24, from 6.3.0 through 6.3.15, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.	6.5.10 Affected by 0 other vulnerabilities. 7.0.5 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-j3pn-a1kb-tues
Aliases:
CVE-2026-22746
GHSA-vxf7-qj7q-83fh

Vulnerability in Spring Spring Security. If an application is using the UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked user attributes, to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled, expired, or locked.This issue affects Spring Security: from 5.7.0 through 5.7.22, from 5.8.0 through 5.8.24, from 6.3.0 through 6.3.15, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.

6.5.10
Affected by 0 other vulnerabilities.

7.0.5
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-y13c-xtc7-bqda	The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations.	CVE-2025-22234 GHSA-vqxh-445g-37fc

Vulnerability

Summary

Aliases

VCID-y13c-xtc7-bqda

The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations.

CVE-2025-22234
GHSA-vqxh-445g-37fc

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-12T22:11:50.969946+00:00	GitLab Importer	Affected by	VCID-j3pn-a1kb-tues	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security/spring-security-core/CVE-2026-22746.yml	38.6.0
2026-06-12T15:50:10.124907+00:00	GitLab Importer	Fixing	VCID-y13c-xtc7-bqda	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security/spring-security-core/CVE-2025-22234.yml	38.6.0
2026-06-12T07:47:04.759714+00:00	GithubOSV Importer	Fixing	VCID-y13c-xtc7-bqda	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-vqxh-445g-37fc/GHSA-vqxh-445g-37fc.json	38.6.0
2026-06-11T20:37:38.050235+00:00	GHSA Importer	Fixing	VCID-y13c-xtc7-bqda	https://github.com/advisories/GHSA-vqxh-445g-37fc	38.6.0