org.springframework.security:spring-security-core@4.2.1.RELEASE vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.springframework.security:spring-security-core package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability (severity: H = high, M = medium, L = low) and vulnerable version ranges
  • [H] Improper Access Control

org.springframework.security:spring-security-core is a package that provides security services for the Spring IO Platform.

Affected versions of this package are vulnerable to Improper Access Control when the application calls AuthenticatedVoter#vote directly and passes a null Authentication to it. Instead of denying the request, the voter grants access (returns ACCESS_GRANTED) for the missing Authentication, which is the erroneous "true" result.

Note

Applications are not affected if either of the following is true:

  1. The application does not use AuthenticatedVoter#vote directly.

  2. The application does not pass null to AuthenticatedVoter#vote.

How to fix Improper Access Control?

Upgrade org.springframework.security:spring-security-core to version 5.7.12, 5.8.11, 6.0.10, 6.1.8, 6.2.3 or higher.

[,5.7.12) [5.8.0,5.8.11) [6.0.0,6.0.10) [6.1.0,6.1.8) [6.2.0,6.2.3)
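As an added illustration of the two notes above (example code written for this page, not taken from the advisory or from Spring Security itself), the following Java class calls AuthenticatedVoter#vote directly with the null Authentication that an unauthenticated thread yields, next to a guarded variant that refuses a null Authentication before the voter ever sees it. It assumes spring-security-core on the classpath; the class and method names are the example's own. On an affected build the unguarded call returns ACCESS_GRANTED (1) for null; a fixed build, and the guarded variant on any build, return ACCESS_DENIED (-1).

```java
import java.util.Collection;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.AuthenticatedVoter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

public class AuthenticatedVoterNullCheck {

    // The attribute a hand-written check typically asks the voter about.
    private static final Collection<ConfigAttribute> FULLY_AUTHENTICATED =
            SecurityConfig.createList(AuthenticatedVoter.IS_AUTHENTICATED_FULLY);

    /**
     * The affected pattern: whatever Authentication is current (null when nothing has
     * authenticated in this thread) goes straight into AuthenticatedVoter#vote.
     * Example-only helper; the voter and its constants are Spring Security's.
     */
    static int unguardedVote(AuthenticatedVoter voter, Authentication authentication, Object secured) {
        return voter.vote(authentication, secured, FULLY_AUTHENTICATED);
    }

    /**
     * Mitigation while still on an affected build: never let null reach the voter.
     * A missing Authentication is an unauthenticated caller and is denied outright.
     */
    static int guardedVote(AuthenticatedVoter voter, Authentication authentication, Object secured) {
        if (authentication == null) {
            return AccessDecisionVoter.ACCESS_DENIED;
        }
        return voter.vote(authentication, secured, FULLY_AUTHENTICATED);
    }

    public static void main(String[] args) {
        AuthenticatedVoter voter = new AuthenticatedVoter();
        Object secured = new Object(); // stands in for the secured method or URL being voted on

        // Nothing has authenticated in this thread, so the holder yields a null Authentication.
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        System.out.println("unguarded vote with null Authentication: " + unguardedVote(voter, current, secured));
        System.out.println("guarded vote with null Authentication:   " + guardedVote(voter, current, secured));
    }
}
```

To find exposure, grep for direct calls to `.vote(` on an AuthenticatedVoter instance. The standard interceptor path is not affected, because AbstractSecurityInterceptor rejects a missing Authentication before any voter runs; only hand-rolled checks that bypass it can pass null.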
  • [M] Integer Overflow or Wraparound

Affected versions of this package are vulnerable to Integer Overflow or Wraparound when the BCrypt class is used with the maximum work factor (31). The round count is computed as a Java int, and 1 << 31 wraps to a negative value, so the encoder performs none of the expected 2^31 salt rounds: the hash is produced almost instantly and is far weaker than its "$2a$31$" cost prefix claims.

Note:

The default settings are not affected by this CVE: BCryptPasswordEncoder defaults to a strength of 10, and only a strength of 31 triggers the wraparound.

How to fix Integer Overflow or Wraparound?

Upgrade org.springframework.security:spring-security-core to version 5.4.11 or higher.

[3.1.0.RELEASE,5.4.11)
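Added example, not code from the advisory or from the Spring Security code base: it shows the int-versus-long arithmetic that produces the wraparound, a bounded constructor wrapper that never allows strength 31, and a scan of stored hashes for the "$2a$31$" cost prefix an affected build would have written. The class, its method names and the sample hash string are constructed for this example; it assumes spring-security-core (which brings in BCryptPasswordEncoder) on the classpath.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

public class BcryptWorkFactorCheck {

    // Modular-crypt prefix of a bcrypt hash, e.g. "$2a$10$...": group 1 is the two-digit cost.
    private static final Pattern COST_PREFIX = Pattern.compile("^\\$2[abxy]?\\$(\\d{2})\\$");

    /** The arithmetic behind the bug: a round count held in an int, where 1 << 31 wraps negative. */
    static int roundsAsInt(int logRounds) {
        return 1 << logRounds; // 31 gives -2147483648, so a "for (i = 0; i < rounds; i++)" loop runs zero times
    }

    /** The corrected arithmetic: a long keeps 2^31 positive, so every round runs. */
    static long roundsAsLong(int logRounds) {
        return 1L << logRounds;
    }

    /** Cost encoded in a stored hash, or -1 if the value is not a bcrypt hash. */
    static int costOf(String hash) {
        Matcher m = COST_PREFIX.matcher(hash);
        return m.find() ? Integer.parseInt(m.group(1)) : -1;
    }

    /** Hashes an affected build wrote at cost 31 went through zero rounds: flag them for a forced reset. */
    static boolean producedWithoutRounds(String hash) {
        return costOf(hash) == 31;
    }

    /** Refuses strengths an int round counter cannot hold; 30 is the largest value that is safe on every build. */
    static BCryptPasswordEncoder boundedEncoder(int strength) {
        if (strength < 4 || strength > 30) {
            throw new IllegalArgumentException("bcrypt strength must be between 4 and 30, got " + strength);
        }
        return new BCryptPasswordEncoder(strength);
    }

    public static void main(String[] args) {
        System.out.println("rounds as int at cost 31:  " + roundsAsInt(31));
        System.out.println("rounds as long at cost 31: " + roundsAsLong(31));

        BCryptPasswordEncoder encoder = boundedEncoder(10);
        long start = System.nanoTime();
        String hash = encoder.encode("correct horse battery staple");
        long millis = (System.nanoTime() - start) / 1_000_000L;
        System.out.println("cost " + costOf(hash) + " hash took " + millis + " ms");

        // Constructed sample of a row written by an affected build at strength 31 (salt and digest are made up).
        String legacy = "$2a$31$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy";
        System.out.println("needs forced reset: " + producedWithoutRounds(legacy));
    }
}
```

A cost-31 hash from an affected build cannot simply be re-verified after upgrading: the corrected code would attempt all 2^31 rounds per login attempt and would not reproduce the zero-round value anyway, so those accounts need a forced password reset rather than an opportunistic rehash at next login.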
  • [M] Privilege Escalation

Affected versions of this package are vulnerable to Privilege Escalation: the SecurityContext is not saved to the HttpSession when a developer changes it more than once in a single request. The lost save happens when all of the following occur, in this order:

  1. The developer changes the SecurityContext before the HttpResponse is committed.

  2. The HttpResponse is committed before the SecurityContextPersistenceFilter completes (the context current at that moment is saved to the session).

  3. The developer changes the SecurityContext again before the SecurityContextPersistenceFilter completes; this second change is never saved.

A malicious user cannot trigger the bug on their own; the double change must be programmed into the application. However, if the application's intent is to let the user run with elevated privileges only in a small portion of the application (the first change elevates, the second restores), the elevated context stays in the session and those privileges extend to the rest of the application.

How to fix Privilege Escalation?

Upgrade org.springframework.security:spring-security-core to version 5.4.4, 5.3.8.RELEASE, 5.2.9.RELEASE or higher.

[5.4.0,5.4.4) [5.3.0.RELEASE,5.3.8.RELEASE) [,5.2.9.RELEASE)
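Added example (the helper is written for this page, not part of Spring Security): a scoped elevation helper for the "elevate briefly, then restore" pattern the advisory describes, which is exactly the two-changes-in-one-request sequence. It assumes spring-security-web and the Servlet API (javax.servlet, as used by these versions) alongside spring-security-core; the ScopedElevation name and its methods are the example's own. If the response is committed while elevated, the helper writes the restored context into the session itself under HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, so the elevated context does not outlive the request on an affected build; upgrading remains the real fix.

```java
import java.util.concurrent.Callable;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;

/**
 * Example-only helper. Usage from a controller or service that has the request and response:
 *
 *   Report r = ScopedElevation.runElevated(systemAuth, request, response, () -> reports.build(userId));
 *
 * The first SecurityContext change is the elevation, the second is the restore in finally.
 */
public final class ScopedElevation {

    private ScopedElevation() {
    }

    public static <T> T runElevated(Authentication elevated, HttpServletRequest request,
            HttpServletResponse response, Callable<T> work) throws Exception {
        SecurityContext original = SecurityContextHolder.getContext();
        SecurityContext elevatedContext = SecurityContextHolder.createEmptyContext();
        elevatedContext.setAuthentication(elevated);
        boolean committedBefore = response.isCommitted();
        SecurityContextHolder.setContext(elevatedContext); // change 1
        try {
            return work.call();
        }
        finally {
            SecurityContextHolder.setContext(original); // change 2
            if (!committedBefore && response.isCommitted()) {
                // The response was committed while elevated. On an affected build the session now holds
                // the elevated context and the persistence filter will not save again, so correct it here.
                persistToSession(request, original);
            }
        }
    }

    private static void persistToSession(HttpServletRequest request, SecurityContext context) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return; // nothing was persisted for this client, so there is nothing to correct
        }
        if (context.getAuthentication() == null) {
            session.removeAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY);
        }
        else {
            session.setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, context);
        }
    }
}
```

On a fixed build the direct session write is redundant but harmless, since the filter saves the same restored context. If the application uses a SecurityContextRepository other than the session-backed one, the write does not apply; the safer rule on any build is to produce no response output inside the elevated block at all.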
  • [M] Cryptographic Weakness

Affected versions of this package are vulnerable to Cryptographic Weakness. The queryable text encryptor (Encryptors.queryableText) uses a fixed null initialization vector with AES in CBC mode, so encryption is deterministic: the same plaintext under the same password and salt always yields the same ciphertext, and records holding equal values are recognisable as equal. A malicious user with access to data encrypted by such an encryptor may be able to derive the unencrypted values with a dictionary attack, matching the ciphertexts of known or guessed values against the stored ones.

How to fix Cryptographic Weakness?

Upgrade org.springframework.security:spring-security-core to version 5.3.2.RELEASE, 5.2.4.RELEASE, 5.1.10.RELEASE, 5.0.16.RELEASE, 4.2.16.RELEASE or higher.

[5.3.0.RELEASE,5.3.2.RELEASE) [5.2.0.RELEASE,5.2.4.RELEASE) [5.1.0.RELEASE,5.1.10.RELEASE) [5.0.0.RELEASE,5.0.16.RELEASE) [4.2.0.RELEASE,4.2.16.RELEASE)
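Added example (not the advisory's or the project's code) demonstrating the dictionary attack under a realistic attacker model: the attacker never learns the key, but can have values of their choosing encrypted into the same column (their own records) and later reads the column from a dump. It assumes spring-security-crypto, which spring-security-core depends on, is on the classpath; the class and method names, the password and the "leaked column" are constructed. The same procedure is then run against Encryptors.text, whose random IV defeats it.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.springframework.security.crypto.encrypt.Encryptors;
import org.springframework.security.crypto.encrypt.TextEncryptor;
import org.springframework.security.crypto.keygen.KeyGenerators;

public class QueryableTextDictionaryAttack {

    /**
     * The "oracle" is just the application's own encryptor applied to attacker-chosen inputs.
     * With a deterministic encryptor, those rows become a ciphertext-to-plaintext lookup table.
     */
    static Map<String, String> buildDictionary(TextEncryptor applicationEncryptor, List<String> guesses) {
        Map<String, String> ciphertextToPlaintext = new HashMap<>();
        for (String guess : guesses) {
            ciphertextToPlaintext.put(applicationEncryptor.encrypt(guess), guess);
        }
        return ciphertextToPlaintext;
    }

    /** Every leaked ciphertext that matches a dictionary entry is recovered without touching the key. */
    static Map<String, String> recover(Map<String, String> dictionary, List<String> leakedColumn) {
        Map<String, String> recovered = new HashMap<>();
        for (String ciphertext : leakedColumn) {
            String plaintext = dictionary.get(ciphertext);
            if (plaintext != null) {
                recovered.put(ciphertext, plaintext);
            }
        }
        return recovered;
    }

    public static void main(String[] args) {
        String password = "application-secret";             // constructed; in practice loaded from a vault
        String salt = KeyGenerators.string().generateKey();  // hex-encoded random salt, as Encryptors expects
        List<String> guesses = Arrays.asList("1985-12-01", "1990-05-17", "2001-01-01");

        // Affected encryptor: fixed null IV, so equal plaintexts give equal ciphertexts.
        TextEncryptor queryable = Encryptors.queryableText(password, salt);
        // Constructed "stored column": a low-entropy field (dates of birth) encrypted by the application.
        List<String> leaked = Arrays.asList(
                queryable.encrypt("1990-05-17"), queryable.encrypt("1985-12-01"), queryable.encrypt("1990-05-17"));
        System.out.println("queryableText, duplicate rows visible: " + leaked.get(0).equals(leaked.get(2)));
        System.out.println("queryableText, recovered: " + recover(buildDictionary(queryable, guesses), leaked).values());

        // Randomized-IV encryptor: the same attack recovers nothing, because each call yields a fresh ciphertext.
        TextEncryptor randomized = Encryptors.text(password, salt);
        List<String> leakedRandomized = Arrays.asList(
                randomized.encrypt("1990-05-17"), randomized.encrypt("1985-12-01"), randomized.encrypt("1990-05-17"));
        System.out.println("text, duplicate rows visible: " + leakedRandomized.get(0).equals(leakedRandomized.get(2)));
        System.out.println("text, recovered: " + recover(buildDictionary(randomized, guesses), leakedRandomized).values());
    }
}
```

These encryptors derive a 256-bit AES key, which needs the unlimited-strength JCE policy on JDKs older than 8u161. Where rows genuinely must be looked up by value, the answer is not to keep queryableText but to store a separate keyed hash of the value (an HMAC blind index) beside a randomized ciphertext.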
  • [H] Improper Authentication

Affected versions of this package are vulnerable to Improper Authentication. They support plain-text passwords through PlaintextPasswordEncoder, which stringifies the stored password before comparing it, so a null stored password becomes the four-character string "null". If an application using an affected version relies on PlaintextPasswordEncoder and a user's stored encoded password is null, a malicious user (or attacker) can authenticate to that account with the password "null".

How to fix Improper Authentication?

Upgrade org.springframework.security:spring-security-core to version 4.2.13.RELEASE or higher.

[4.2.0.RELEASE,4.2.13.RELEASE)
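Added example, not taken from the advisory or from Spring Security: it reproduces the null-stored-password comparison through the deprecated PlaintextPasswordEncoder (package org.springframework.security.authentication.encoding, still present in 4.2.x) and pairs it with a fail-closed wrapper around the current PasswordEncoder interface that refuses any account without a stored hash. The class and method names are the example's own; it assumes spring-security-core on the classpath. On an affected build the legacy call with a null stored password and the presented password "null" returns true; the wrapper returns false for a null stored value on any build.

```java
import org.springframework.security.authentication.encoding.PlaintextPasswordEncoder;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class NullStoredPasswordCheck {

    /** The affected comparison: a null stored password checked through PlaintextPasswordEncoder. */
    static boolean legacyMatches(String storedPassword, String presented) {
        PlaintextPasswordEncoder encoder = new PlaintextPasswordEncoder();
        return encoder.isPasswordValid(storedPassword, presented, null);
    }

    /** Fail-closed wrapper for any PasswordEncoder: an account with no stored hash can never authenticate. */
    static boolean safeMatches(PasswordEncoder encoder, String storedHash, String presented) {
        if (storedHash == null || storedHash.isEmpty() || presented == null) {
            return false;
        }
        return encoder.matches(presented, storedHash);
    }

    public static void main(String[] args) {
        // Affected builds stringify the stored value, so null compares equal to the literal "null".
        System.out.println("legacy, stored=null, presented=\"null\": " + legacyMatches(null, "null"));
        System.out.println("legacy, stored=null, presented=\"x\":    " + legacyMatches(null, "x"));

        PasswordEncoder bcrypt = new BCryptPasswordEncoder();
        String hash = bcrypt.encode("correct horse battery staple");
        System.out.println("safe, correct password:  " + safeMatches(bcrypt, hash, "correct horse battery staple"));
        System.out.println("safe, stored=null:       " + safeMatches(bcrypt, null, "null"));
    }
}
```

Accounts with a null stored password (for example placeholders created for federated or not-yet-activated users) should be rejected in the UserDetailsService as well, so the decision does not rest on an encoder's handling of null.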
  • [L] Insecure Randomness

Affected versions of this package are vulnerable to Insecure Randomness when SecureRandomFactoryBean#setSeed is used to configure a SecureRandom instance. The factory bean applies the configured seed before the generator has produced any output; with its default SHA1PRNG algorithm, a seed applied at that point replaces the generator's state entirely instead of supplementing it, so the seed alone determines every value the instance will ever return. To exploit this, an attacker needs the application to have supplied a seed and needs to obtain random material generated from it (tokens, salts, keys) for inspection; a guessable seed then makes the rest of the output predictable.

How to fix Insecure Randomness?

Upgrade org.springframework.security:spring-security-core to version 4.2.12.RELEASE, 5.0.12.RELEASE, 5.1.5.RELEASE or higher.

[4.2.0.RELEASE,4.2.12.RELEASE) [5.0.0.RELEASE,5.0.12.RELEASE) [5.1.0.RELEASE,5.1.5.RELEASE)
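Added example (plain JDK, not code from the advisory or from SecureRandomFactoryBean): it shows the SHA1PRNG property behind this advisory by seeding one instance before any output and another only after a first draw, then checking whether two independently created instances agree. The class, method names and the seed bytes are constructed. Seeding before first use makes the two streams identical, so the seed alone fixes every later value; seeding after a first draw keeps them different, because the seed is mixed into state the provider has already initialised from the system entropy source. The second arrangement is what the fixed releases are understood to do (an assumption here; verify against your version's SecureRandomFactoryBean source).

```java
import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;

public class SeededSecureRandomCheck {

    private static final String ALGORITHM = "SHA1PRNG"; // the factory bean's default algorithm

    /** What an affected build did: seed the PRNG before it has produced any output. */
    static byte[] outputSeededBeforeUse(byte[] seed, int length) throws NoSuchAlgorithmException {
        SecureRandom rnd = SecureRandom.getInstance(ALGORITHM);
        rnd.setSeed(seed); // for SHA1PRNG this replaces the not-yet-initialised state entirely
        byte[] out = new byte[length];
        rnd.nextBytes(out);
        return out;
    }

    /** Draw one byte first so the PRNG self-seeds from the system source; the application seed is then mixed in on top. */
    static byte[] outputSeededAfterUse(byte[] seed, int length) throws NoSuchAlgorithmException {
        SecureRandom rnd = SecureRandom.getInstance(ALGORITHM);
        rnd.nextBytes(new byte[1]);
        rnd.setSeed(seed);
        byte[] out = new byte[length];
        rnd.nextBytes(out);
        return out;
    }

    /** True when two independent instances given the same seed emit the same stream: the seed alone determines the output. */
    static boolean seedDeterminesOutput(byte[] seed) throws NoSuchAlgorithmException {
        return Arrays.equals(outputSeededBeforeUse(seed, 32), outputSeededBeforeUse(seed, 32));
    }

    /** True when two instances seeded after a first draw still diverge: the seed only supplements system entropy. */
    static boolean seedOnlySupplements(byte[] seed) throws NoSuchAlgorithmException {
        return !Arrays.equals(outputSeededAfterUse(seed, 32), outputSeededAfterUse(seed, 32));
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed seed standing in for the bytes the factory bean reads from its configured seed resource.
        byte[] seed = "seed-from-application-config".getBytes(StandardCharsets.UTF_8);
        System.out.println("seeded before first use, output fixed by seed: " + seedDeterminesOutput(seed));
        System.out.println("seeded after first use, output still varies:   " + seedOnlySupplements(seed));
    }
}
```

Any value generated from a seeded-before-use instance on an affected build (CSRF tokens, remember-me keys, salts) should be treated as predictable by anyone who knows or can guess the seed, and rotated after the upgrade.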
  • [H] Deserialization of Untrusted Data

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. spring-security-core's Jackson modules enable Jackson's global default typing on the ObjectMapper they are registered with, so the concrete class to instantiate is read from the JSON itself. Although Jackson blacklists known deserialization gadgets, a malicious user can still execute arbitrary code when all of the following conditions hold:

  1. Spring Security’s Jackson support is being leveraged by invoking SecurityJackson2Modules.getModules(ClassLoader) or SecurityJackson2Modules.enableDefaultTyping(ObjectMapper)
  2. Jackson is used to deserialize data that is not trusted. Spring Security does not perform deserialization using Jackson, so this is an explicit choice of the user.
  3. There is a "deserialization gadget" on the classpath that allows code execution and that Jackson's blacklist does not already cover.

This is related to SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507.

How to fix Deserialization of Untrusted Data?

Upgrade org.springframework.security:spring-security-core to version 4.2.3.RELEASE or higher.

[4.2.0.RELEASE,4.2.3.RELEASE)
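Added example (not from the advisory or Spring Security): it makes the first two conditions concrete by building the mapper the way Spring Security's modules configure it and reading a constructed payload in Jackson's wrapper-array type-id form into Object, next to a plain mapper reserved for client input. The class named in the payload (java.util.TreeSet) is harmless; the point is that the JSON, not the application, picks it. The class and method names are the example's own; it assumes spring-security-core and jackson-databind on the classpath. On an affected build the security mapper instantiates a TreeSet while the plain mapper returns a List holding the string and the inner array; on 4.2.3 and later, which restrict default typing to an allowlist, the unlisted type id should be rejected with an exception instead.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.security.jackson2.SecurityJackson2Modules;

public class JacksonTypingBoundary {

    /** The mapper Spring Security's modules configure: registering them turns on global default typing. */
    static ObjectMapper securityMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.registerModules(SecurityJackson2Modules.getModules(JacksonTypingBoundary.class.getClassLoader()));
        return mapper;
    }

    /** The mapper for anything that arrives from a client: no Spring Security modules, no default typing. */
    static ObjectMapper untrustedInputMapper() {
        return new ObjectMapper();
    }

    /** Deserialises into Object so that the JSON, not the application, decides the runtime type. */
    static Object readAsObject(ObjectMapper mapper, String json) throws Exception {
        return mapper.readValue(json, Object.class);
    }

    public static void main(String[] args) throws Exception {
        // Constructed payload in Jackson's wrapper-array type-id form. The class named here is harmless,
        // but the attacker chooses it; a gadget class outside Jackson's blacklist is instantiated the same way.
        String payload = "[\"java.util.TreeSet\", [3, 1, 2]]";

        Object viaSecurity = readAsObject(securityMapper(), payload);
        System.out.println("security mapper built: " + viaSecurity.getClass().getName() + " " + viaSecurity);

        Object viaPlain = readAsObject(untrustedInputMapper(), payload);
        System.out.println("plain mapper built:    " + viaPlain.getClass().getName() + " " + viaPlain);
    }
}
```

Keep the two mappers apart: the one carrying SecurityJackson2Modules should only ever read what the application itself serialised (session or remember-me state), never request bodies or other client-supplied JSON.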