org.springframework.security:spring-security-core@5.3.6.RELEASE vulnerabilities

latest version

6.2.4
latest non vulnerable version

6.2.4
first published

16 years ago
latest version published

a month ago
licenses detected
- Apache-2.0
  [2.0.0,)
package manager

View on Maven Repository

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the org.springframework.security:spring-security-core package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
H Improper Access Control org.springframework.security:spring-security-core is a package that provides security services for the Spring IO Platform. Affected versions of this package are vulnerable to Improper Access Control when the application uses `AuthenticatedVoter` directly and a `null` authentication parameter is passed to it. Exploiting this vulnerability resulting in an erroneous `true` return value. Note Users are not affected if: The application does not use `AuthenticatedVoter#vote` directly. The application does not pass `null` to `AuthenticatedVoter#vote`. How to fix Improper Access Control? Upgrade `org.springframework.security:spring-security-core` to version 5.7.12, 5.8.11, 6.0.10, 6.1.8, 6.2.3 or higher.	[,5.7.12) [5.8.0,5.8.11) [6.0.0,6.0.10) [6.1.0,6.1.8) [6.2.0,6.2.3)
M Integer Overflow or Wraparound org.springframework.security:spring-security-core is a package that provides security services for the Spring IO Platform. Affected versions of this package are vulnerable to Integer Overflow or Wraparound when using the BCrypt class with the maximum work factor (31). In such a case, the encoder does not perform any salt rounds due to the overflow. Note: The default settings are not affected by this CVE. How to fix Integer Overflow or Wraparound? Upgrade `org.springframework.security:spring-security-core` to version 5.4.11 or higher.	[3.1.0.RELEASE,5.4.11)
M Privilege Escalation org.springframework.security:spring-security-core is a package that provides security services for the Spring IO Platform. Affected versions of this package are vulnerable to Privilege Escalation. It fails to save the `SecurityContext` if it has changed more than once in a single request. The `SecurityContext` can fail to save to the HttpSession if a developer changes the SecurityContext twice in a single request when both of the following conditions are met: First the developer must change the SecurityContext before the HttpResponse is committed and then the HttpResponse must be committed before the SecurityContextPersistenceFilter completes. Then the developer must attempt to change the SecurityContext again before the SecurityContextPersistenceFilter completes. A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application. How to fix Privilege Escalation? Upgrade `org.springframework.security:spring-security-core` to version 5.4.4, 5.3.8.RELEASE, 5.2.9.RELEASE or higher.	[5.4.0,5.4.4) [5.3.0.RELEASE,5.3.8.RELEASE) [,5.2.9.RELEASE)

Go back to all versions of this package

org.springframework.security:spring-security-core@5.3.6.RELEASE vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities