org.springframework.security:spring-security-core@5.4.9 vulnerabilities

latest version

6.2.4
latest non vulnerable version

6.2.4
first published

16 years ago
latest version published

a month ago
licenses detected
- Apache-2.0
  [2.0.0,)
package manager

View on Maven Repository

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the org.springframework.security:spring-security-core package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
H Improper Access Control org.springframework.security:spring-security-core is a package that provides security services for the Spring IO Platform. Affected versions of this package are vulnerable to Improper Access Control when the application uses `AuthenticatedVoter` directly and a `null` authentication parameter is passed to it. Exploiting this vulnerability resulting in an erroneous `true` return value. Note Users are not affected if: The application does not use `AuthenticatedVoter#vote` directly. The application does not pass `null` to `AuthenticatedVoter#vote`. How to fix Improper Access Control? Upgrade `org.springframework.security:spring-security-core` to version 5.7.12, 5.8.11, 6.0.10, 6.1.8, 6.2.3 or higher.	[,5.7.12) [5.8.0,5.8.11) [6.0.0,6.0.10) [6.1.0,6.1.8) [6.2.0,6.2.3)
M Integer Overflow or Wraparound org.springframework.security:spring-security-core is a package that provides security services for the Spring IO Platform. Affected versions of this package are vulnerable to Integer Overflow or Wraparound when using the BCrypt class with the maximum work factor (31). In such a case, the encoder does not perform any salt rounds due to the overflow. Note: The default settings are not affected by this CVE. How to fix Integer Overflow or Wraparound? Upgrade `org.springframework.security:spring-security-core` to version 5.4.11 or higher.	[3.1.0.RELEASE,5.4.11)

Improper Access Control

org.springframework.security:spring-security-core is a package that provides security services for the Spring IO Platform.

Affected versions of this package are vulnerable to Improper Access Control when the application uses AuthenticatedVoter directly and a null authentication parameter is passed to it. Exploiting this vulnerability resulting in an erroneous true return value.

Note

Users are not affected if:

The application does not use AuthenticatedVoter#vote directly.
The application does not pass null to AuthenticatedVoter#vote.

How to fix Improper Access Control?

Upgrade org.springframework.security:spring-security-core to version 5.7.12, 5.8.11, 6.0.10, 6.1.8, 6.2.3 or higher.

[,5.7.12) [5.8.0,5.8.11) [6.0.0,6.0.10) [6.1.0,6.1.8) [6.2.0,6.2.3)

Integer Overflow or Wraparound

org.springframework.security:spring-security-core is a package that provides security services for the Spring IO Platform.

Affected versions of this package are vulnerable to Integer Overflow or Wraparound when using the BCrypt class with the maximum work factor (31). In such a case, the encoder does not perform any salt rounds due to the overflow.

Note:

The default settings are not affected by this CVE.

How to fix Integer Overflow or Wraparound?

Upgrade org.springframework.security:spring-security-core to version 5.4.11 or higher.

[3.1.0.RELEASE,5.4.11)

Go back to all versions of this package

org.springframework.security:spring-security-core@5.4.9 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities