Upgrade SLES:15.1 cluster-md-kmp-default to version 4.12.14-197.105.1 or higher.

org.springframework.security:spring-security-core 2.0.8.RELEASE vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.springframework.security:spring-security-core package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Authorization Bypass org.springframework.security:spring-security-core is a package that provides security services for the Spring IO Platform. Affected versions of this package are vulnerable to Authorization Bypass due to the use of `String.toLowerCase()` and `String.toUpperCase()` that have `Locale` dependent exceptions, which results in authorization rules not working properly. How to fix Authorization Bypass? Upgrade `org.springframework.security:spring-security-core` to version 5.7.14, 5.8.16, 6.2.8, 6.3.5 or higher.	[,5.7.14)[5.8.0,5.8.16)[6.2.0,6.2.8)[6.3.0,6.3.5)
H Improper Access Control org.springframework.security:spring-security-core is a package that provides security services for the Spring IO Platform. Affected versions of this package are vulnerable to Improper Access Control when the application uses `AuthenticatedVoter` directly and a `null` authentication parameter is passed to it. Exploiting this vulnerability resulting in an erroneous `true` return value. Note Users are not affected if: The application does not use `AuthenticatedVoter#vote` directly. The application does not pass `null` to `AuthenticatedVoter#vote`. How to fix Improper Access Control? Upgrade `org.springframework.security:spring-security-core` to version 5.7.12, 5.8.11, 6.0.10, 6.1.8, 6.2.3 or higher.	[,5.7.12)[5.8.0,5.8.11)[6.0.0,6.0.10)[6.1.0,6.1.8)[6.2.0,6.2.3)
M Privilege Escalation org.springframework.security:spring-security-core is a package that provides security services for the Spring IO Platform. Affected versions of this package are vulnerable to Privilege Escalation. It fails to save the `SecurityContext` if it has changed more than once in a single request. The `SecurityContext` can fail to save to the HttpSession if a developer changes the SecurityContext twice in a single request when both of the following conditions are met: First the developer must change the SecurityContext before the HttpResponse is committed and then the HttpResponse must be committed before the SecurityContextPersistenceFilter completes. Then the developer must attempt to change the SecurityContext again before the SecurityContextPersistenceFilter completes. A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application. How to fix Privilege Escalation? Upgrade `org.springframework.security:spring-security-core` to version 5.4.4, 5.3.8.RELEASE, 5.2.9.RELEASE or higher.	[5.4.0,5.4.4)[5.3.0.RELEASE,5.3.8.RELEASE)[,5.2.9.RELEASE)

Vulnerability

Vulnerable Version

Authorization Bypass

org.springframework.security:spring-security-core is a package that provides security services for the Spring IO Platform.

Affected versions of this package are vulnerable to Authorization Bypass due to the use of String.toLowerCase() and String.toUpperCase() that have Locale dependent exceptions, which results in authorization rules not working properly.

How to fix Authorization Bypass?

Upgrade org.springframework.security:spring-security-core to version 5.7.14, 5.8.16, 6.2.8, 6.3.5 or higher.

[,5.7.14)[5.8.0,5.8.16)[6.2.0,6.2.8)[6.3.0,6.3.5)

Improper Access Control

org.springframework.security:spring-security-core is a package that provides security services for the Spring IO Platform.

Affected versions of this package are vulnerable to Improper Access Control when the application uses AuthenticatedVoter directly and a null authentication parameter is passed to it. Exploiting this vulnerability resulting in an erroneous true return value.

Note

Users are not affected if:

The application does not use AuthenticatedVoter#vote directly.
The application does not pass null to AuthenticatedVoter#vote.

How to fix Improper Access Control?

Upgrade org.springframework.security:spring-security-core to version 5.7.12, 5.8.11, 6.0.10, 6.1.8, 6.2.3 or higher.

[,5.7.12)[5.8.0,5.8.11)[6.0.0,6.0.10)[6.1.0,6.1.8)[6.2.0,6.2.3)

Privilege Escalation

org.springframework.security:spring-security-core is a package that provides security services for the Spring IO Platform.

Affected versions of this package are vulnerable to Privilege Escalation. It fails to save the SecurityContext if it has changed more than once in a single request. The SecurityContext can fail to save to the HttpSession if a developer changes the SecurityContext twice in a single request when both of the following conditions are met: First the developer must change the SecurityContext before the HttpResponse is committed and then the HttpResponse must be committed before the SecurityContextPersistenceFilter completes. Then the developer must attempt to change the SecurityContext again before the SecurityContextPersistenceFilter completes. A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.

How to fix Privilege Escalation?

Upgrade org.springframework.security:spring-security-core to version 5.4.4, 5.3.8.RELEASE, 5.2.9.RELEASE or higher.

[5.4.0,5.4.4)[5.3.0.RELEASE,5.3.8.RELEASE)[,5.2.9.RELEASE)

org.springframework.security:spring-security-core@2.0.8.RELEASE vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities

How to fix?