org.springframework.security:spring-security-core@2.0.0 vulnerabilities

  • latest version: 6.4.2

  • first published: 16 years ago

  • latest version published: 1 month ago

  • Direct Vulnerabilities

    Known vulnerabilities in the org.springframework.security:spring-security-core package. This does not include vulnerabilities belonging to this package’s dependencies.

    • Authorization Bypass (Medium severity)

    org.springframework.security:spring-security-core is a package that provides security services for the Spring IO Platform.

    Affected versions of this package are vulnerable to Authorization Bypass due to the use of String.toLowerCase() and String.toUpperCase(), which have Locale-dependent exceptions; as a result, authorization rules may not work properly.

    How to fix Authorization Bypass?

    Upgrade org.springframework.security:spring-security-core to version 5.7.14, 5.8.16, 6.2.8, 6.3.5 or higher.

    Vulnerable versions: [,5.7.14), [5.8.0,5.8.16), [6.2.0,6.2.8), [6.3.0,6.3.5)

    • Improper Access Control (High severity)

    Affected versions of this package are vulnerable to Improper Access Control when the application uses AuthenticatedVoter directly and a null authentication parameter is passed to it. Exploiting this vulnerability results in an erroneous true return value.

    Note

    Users are not affected if:

    1. The application does not use AuthenticatedVoter#vote directly.

    2. The application does not pass null to AuthenticatedVoter#vote.

    How to fix Improper Access Control?

    Upgrade org.springframework.security:spring-security-core to version 5.7.12, 5.8.11, 6.0.10, 6.1.8, 6.2.3 or higher.

    Vulnerable versions: [,5.7.12), [5.8.0,5.8.11), [6.0.0,6.0.10), [6.1.0,6.1.8), [6.2.0,6.2.3)

    • Privilege Escalation (Medium severity)

    Affected versions of this package are vulnerable to Privilege Escalation. The package fails to save the SecurityContext if it has changed more than once in a single request. The SecurityContext can fail to save to the HttpSession if a developer changes the SecurityContext twice in a single request when all of the following conditions are met:

    1. The developer changes the SecurityContext before the HttpResponse is committed.

    2. The HttpResponse is committed before the SecurityContextPersistenceFilter completes.

    3. The developer attempts to change the SecurityContext again before the SecurityContextPersistenceFilter completes.

    A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.

    How to fix Privilege Escalation?

    Upgrade org.springframework.security:spring-security-core to version 5.4.4, 5.3.8.RELEASE, 5.2.9.RELEASE or higher.

    Vulnerable versions: [5.4.0,5.4.4), [5.3.0.RELEASE,5.3.8.RELEASE), [,5.2.9.RELEASE)

    • Information Exposure (Medium severity)

    Affected versions of this package are vulnerable to Information Exposure. DaoAuthenticationProvider in VMware SpringSource Spring Security does not check the password if the user is not found, which makes the response delay shorter and might allow remote attackers to enumerate valid usernames via a series of login requests.

    How to fix Information Exposure?

    Upgrade org.springframework.security:spring-security-core to version 2.0.8.RELEASE, 3.0.8.RELEASE, 3.1.3.RELEASE or higher.

    Vulnerable versions: [,2.0.8.RELEASE), [3.0.0.RELEASE,3.0.8.RELEASE), [3.1.0.RELEASE,3.1.3.RELEASE)

    • Access Restriction Bypass (Medium severity)

    Affected versions of this package are vulnerable to Access Restriction Bypass. Spring Security allows remote attackers to bypass security constraints via a path parameter.

    How to fix Access Restriction Bypass?

    Upgrade org.springframework.security:spring-security-core to version 2.0.6.RELEASE, 3.0.4.RELEASE or higher.

    Vulnerable versions: [2.0.0.RELEASE,2.0.6.RELEASE), [3.0.0.RELEASE,3.0.4.RELEASE)

    • Improper Authentication (Medium severity)

    Affected versions of this package are vulnerable to Improper Authentication. A race condition in the RunAsManager mechanism in VMware SpringSource Spring Security before 2.0.7 and 3.0.x before 3.0.6 stores the Authentication object in the shared security context, which allows attackers to gain privileges via a crafted thread.

    How to fix Improper Authentication?

    Upgrade org.springframework.security:spring-security-core to version 2.0.7.RELEASE, 3.0.6.RELEASE or higher.

    Vulnerable versions: [,2.0.7.RELEASE), [3.0.0.RELEASE,3.0.6.RELEASE)

    • Arbitrary Code Execution (Medium severity)

    Affected versions of this package are vulnerable to Arbitrary Code Execution. CRLF injection vulnerability in the logout functionality in VMware SpringSource Spring Security before 2.0.7 and 3.0.x before 3.0.6 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the spring-security-redirect parameter.

    How to fix Arbitrary Code Execution?

    Upgrade org.springframework.security:spring-security-core to version 2.0.7.RELEASE, 3.0.6.RELEASE or higher.

    Vulnerable versions: [2.0.0,2.0.7.RELEASE), [3.0.0.RELEASE,3.0.6.RELEASE)

    • Access Restriction Bypass (Medium severity)

    Affected versions of this package are vulnerable to Access Restriction Bypass. Remote attackers can bypass intended security restrictions and execute untrusted code by (1) serializing a java.lang.Proxy instance and using InvocationHandler, or (2) accessing internal AOP interfaces, as demonstrated using deserialization of a DefaultListableBeanFactory instance to execute arbitrary commands via the java.lang.Runtime class.

    How to fix Access Restriction Bypass?

    Upgrade org.springframework.security:spring-security-core to version 2.0.7.RELEASE, 3.0.6.RELEASE or higher.

    Vulnerable versions: [2.0.0.RELEASE,2.0.7.RELEASE), [3.0.0.RELEASE,3.0.6.RELEASE)