org.springframework.security:spring-security-core@4.2.1.RELEASE vulnerabilities

org.springframework.security:spring-security-core is a package that provides security services for the Spring IO Platform.

Affected versions of this package are vulnerable to Improper Access Control when the application uses AuthenticatedVoter directly and a null authentication parameter is passed to it. Exploiting this vulnerability resulting in an erroneous true return value.

Note

Users are not affected if:

1. The application does not use AuthenticatedVoter#vote directly.

2. The application does not pass null to AuthenticatedVoter#vote.

Upgrade org.springframework.security:spring-security-core to version 5.7.12, 5.8.11, 6.0.10, 6.1.8, 6.2.3 or higher.

org.springframework.security:spring-security-core is a package that provides security services for the Spring IO Platform.

Affected versions of this package are vulnerable to Integer Overflow or Wraparound when using the BCrypt class with the maximum work factor (31). In such a case, the encoder does not perform any salt rounds due to the overflow.

Note:

The default settings are not affected by this CVE.

Upgrade org.springframework.security:spring-security-core to version 5.4.11 or higher.

org.springframework.security:spring-security-core is a package that provides security services for the Spring IO Platform.

Affected versions of this package are vulnerable to Privilege Escalation. It fails to save the SecurityContext if it has changed more than once in a single request. The SecurityContext can fail to save to the HttpSession if a developer changes the SecurityContext twice in a single request when both of the following conditions are met: First the developer must change the SecurityContext before the HttpResponse is committed and then the HttpResponse must be committed before the SecurityContextPersistenceFilter completes. Then the developer must attempt to change the SecurityContext again before the SecurityContextPersistenceFilter completes. A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.

Upgrade org.springframework.security:spring-security-core to version 5.4.4, 5.3.8.RELEASE, 5.2.9.RELEASE or higher.

org.springframework.security:spring-security-core is a package that provides security services for the Spring IO Platform.

Affected versions of this package are vulnerable to Cryptographic Weakness. Spring Security was found to be a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.

Upgrade org.springframework.security:spring-security-core to version 5.3.2.RELEASE, 5.2.4.RELEASE, 5.1.10.RELEASE, 5.0.16.RELEASE, 4.2.16.RELEASE or higher.

org.springframework.security:spring-security-core is a package that provides security services for the Spring IO Platform.

Affected versions of this package are vulnerable to Improper Authentication. The affected versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of null.

Upgrade org.springframework.security:spring-security-core to version 4.2.13.RELEASE or higher.

org.springframework.security:spring-security-core is a package that provides security services for the Spring IO Platform.

Affected versions of this package are vulnerable to Insecure Randomness due to the usage of SecureRandomFactoryBean#setSeed function to configure a SecureRandom instance. In order for exploitation, an attacker will need to obtain the content generated from an application's seed value.

Upgrade org.springframework.security:spring-security-core to version 4.2.12.RELEASE, 5.0.12.RELEASE, 5.1.5.RELEASE or higher.

org.springframework.security:spring-security-core is a package that provides security services for the Spring IO Platform.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. spring-security-core configures Jackson with the global default typing enabled. Although Jackson blacklisted known deserialization gadgets, it is still possible for a malicious user to execute arbitrary code on the following conditions:

1. Spring Security’s Jackson support is being leveraged by invoking SecurityJackson2Modules.getModules(ClassLoader) or SecurityJackson2Modules.enableDefaultTyping(ObjectMapper)
2. Jackson is used to deserialize data that is not trusted. Spring Security does not perform deserialization using Jackson, so this is an explicit choice of the user.
3. There is an unknown (Jackson is not blacklisting it already) “deserialization gadget” that allows code execution present on the classpath

This is related to SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507.

Upgrade org.springframework.security:spring-security-core to version 4.2.3.RELEASE or higher.