org.springframework.security:spring-security-core 5.2.12.RELEASE vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.springframework.security:spring-security-core package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Authorization Bypass org.springframework.security:spring-security-core is a package that provides security services for the Spring IO Platform. Affected versions of this package are vulnerable to Authorization Bypass due to the use of `String.toLowerCase()` and `String.toUpperCase()` that have `Locale` dependent exceptions, which results in authorization rules not working properly. How to fix Authorization Bypass? Upgrade `org.springframework.security:spring-security-core` to version 5.7.14, 5.8.16, 6.2.8, 6.3.5 or higher.	[,5.7.14)[5.8.0,5.8.16)[6.2.0,6.2.8)[6.3.0,6.3.5)
H Improper Access Control org.springframework.security:spring-security-core is a package that provides security services for the Spring IO Platform. Affected versions of this package are vulnerable to Improper Access Control when the application uses `AuthenticatedVoter` directly and a `null` authentication parameter is passed to it. Exploiting this vulnerability resulting in an erroneous `true` return value. Note Users are not affected if: The application does not use `AuthenticatedVoter#vote` directly. The application does not pass `null` to `AuthenticatedVoter#vote`. How to fix Improper Access Control? Upgrade `org.springframework.security:spring-security-core` to version 5.7.12, 5.8.11, 6.0.10, 6.1.8, 6.2.3 or higher.	[,5.7.12)[5.8.0,5.8.11)[6.0.0,6.0.10)[6.1.0,6.1.8)[6.2.0,6.2.3)
M Integer Overflow or Wraparound org.springframework.security:spring-security-core is a package that provides security services for the Spring IO Platform. Affected versions of this package are vulnerable to Integer Overflow or Wraparound when using the BCrypt class with the maximum work factor (31). In such a case, the encoder does not perform any salt rounds due to the overflow. Note: The default settings are not affected by this CVE. How to fix Integer Overflow or Wraparound? Upgrade `org.springframework.security:spring-security-core` to version 5.4.11 or higher.	[3.1.0.RELEASE,5.4.11)

Vulnerability

Vulnerable Version

Authorization Bypass

org.springframework.security:spring-security-core is a package that provides security services for the Spring IO Platform.

Affected versions of this package are vulnerable to Authorization Bypass due to the use of String.toLowerCase() and String.toUpperCase() that have Locale dependent exceptions, which results in authorization rules not working properly.

How to fix Authorization Bypass?

Upgrade org.springframework.security:spring-security-core to version 5.7.14, 5.8.16, 6.2.8, 6.3.5 or higher.

[,5.7.14)[5.8.0,5.8.16)[6.2.0,6.2.8)[6.3.0,6.3.5)

Improper Access Control

org.springframework.security:spring-security-core is a package that provides security services for the Spring IO Platform.

Affected versions of this package are vulnerable to Improper Access Control when the application uses AuthenticatedVoter directly and a null authentication parameter is passed to it. Exploiting this vulnerability resulting in an erroneous true return value.

Note

Users are not affected if:

The application does not use AuthenticatedVoter#vote directly.
The application does not pass null to AuthenticatedVoter#vote.

How to fix Improper Access Control?

Upgrade org.springframework.security:spring-security-core to version 5.7.12, 5.8.11, 6.0.10, 6.1.8, 6.2.3 or higher.

[,5.7.12)[5.8.0,5.8.11)[6.0.0,6.0.10)[6.1.0,6.1.8)[6.2.0,6.2.3)

Integer Overflow or Wraparound

org.springframework.security:spring-security-core is a package that provides security services for the Spring IO Platform.

Affected versions of this package are vulnerable to Integer Overflow or Wraparound when using the BCrypt class with the maximum work factor (31). In such a case, the encoder does not perform any salt rounds due to the overflow.

Note:

The default settings are not affected by this CVE.

How to fix Integer Overflow or Wraparound?

Upgrade org.springframework.security:spring-security-core to version 5.4.11 or higher.

[3.1.0.RELEASE,5.4.11)

org.springframework.security:spring-security-core@5.2.12.RELEASE vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities

How to fix?