org.springframework.security:spring-security-crypto@6.3.7 vulnerabilities

  • latest version

    6.4.4

  • latest non vulnerable version

    6.4.4

  • first published

    13 years ago

  • latest version published

    13 days ago

  • Direct Vulnerabilities

    Known vulnerabilities in the org.springframework.security:spring-security-crypto package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability: Authentication Bypass by Primary Weakness (severity: C)

    org.springframework.security:spring-security-crypto is the cryptography module of Spring Security: it provides the PasswordEncoder implementations (including BCryptPasswordEncoder), symmetric encryptors and key generators, and is usable without the rest of the framework.

    Affected versions of this package are vulnerable to Authentication Bypass by Primary Weakness in BCryptPasswordEncoder.matches(). bcrypt's key schedule consumes at most the first 72 bytes of the password (72 characters for ASCII input), and affected versions neither reject nor flag longer input, so matches() returns true for any candidate that shares the first 72 bytes of the stored password, whatever follows. Everything beyond that limit contributes no entropy: an attacker only has to guess the 72-byte prefix, so a long password is no harder to brute force than a 72-byte one.

    Note: Patches have also been issued for older versions of Enterprise Support packages.
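    The prefix collision described above, as an added example that is not code from this page or from Spring Security itself: two passwords sharing a 72-byte prefix are checked against a plain BCryptPasswordEncoder, and a hypothetical LengthCheckedBcrypt wrapper enforces the 72-byte limit in front of it. The wrapper class, the utf8Length helper and the sample passwords are assumptions made for illustration; the example needs spring-security-crypto on the classpath.

```java
import java.nio.charset.StandardCharsets;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class BcryptTruncationDemo {

    // bcrypt's key schedule consumes at most 72 bytes of the password;
    // anything beyond that never influences the hash.
    static final int BCRYPT_MAX_BYTES = 72;

    // The limit is a byte limit, so measure the UTF-8 encoding, not char count:
    // one non-ASCII character can take two to four bytes.
    static int utf8Length(CharSequence raw) {
        return raw.toString().getBytes(StandardCharsets.UTF_8).length;
    }

    // Hypothetical wrapper (assumption, not a Spring Security class): enforces
    // the byte limit in front of BCryptPasswordEncoder so that an affected
    // version cannot silently truncate and accept a prefix-only match.
    static final class LengthCheckedBcrypt implements PasswordEncoder {
        private final BCryptPasswordEncoder delegate = new BCryptPasswordEncoder();

        @Override
        public String encode(CharSequence raw) {
            if (utf8Length(raw) > BCRYPT_MAX_BYTES) {
                throw new IllegalArgumentException(
                        "password exceeds " + BCRYPT_MAX_BYTES + " bytes; reject it at registration");
            }
            return delegate.encode(raw);
        }

        @Override
        public boolean matches(CharSequence raw, String encoded) {
            // Fail closed: an over-long candidate can only verify by sharing the
            // stored password's first 72 bytes, which is exactly the bypass, so
            // it is never handed to the underlying bcrypt at all.
            if (utf8Length(raw) > BCRYPT_MAX_BYTES) {
                return false;
            }
            return delegate.matches(raw, encoded);
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: same 72-byte prefix, different suffixes.
        String prefix = "x".repeat(BCRYPT_MAX_BYTES);
        String stored = prefix + "-the-real-secret";   // what the user registered
        String guess  = prefix + "-attacker-guess";    // only the prefix is right

        BCryptPasswordEncoder plain = new BCryptPasswordEncoder();
        try {
            String hash = plain.encode(stored);
            // Affected versions hash only the first 72 bytes, so the guess,
            // which differs from the stored password only after byte 72,
            // verifies against the stored hash.
            System.out.println("plain.matches(guess, hash) = " + plain.matches(guess, hash));
        } catch (IllegalArgumentException e) {
            // Patched versions refuse passwords over 72 bytes instead of truncating.
            System.out.println("patched encoder rejected the password: " + e.getMessage());
        }

        // The wrapper fails closed on any over-long candidate, on every version.
        PasswordEncoder hardened = new LengthCheckedBcrypt();
        String prefixHash = plain.encode(prefix);      // exactly 72 bytes: accepted everywhere
        System.out.println("hardened.matches(guess, prefixHash) = " + hardened.matches(guess, prefixHash));
    }
}
```

    Against a version in the affected ranges the plain encoder reports a match for the attacker's guess, while the wrapper reports none on any version. Two design points: the check is on UTF-8 byte length because the bcrypt limit is a byte limit, and failing closed in matches() also locks out any existing account whose password was hashed after truncation on an affected version; those accounts need a password reset rather than a silent pass.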

    How to fix Authentication Bypass by Primary Weakness?

    Upgrade org.springframework.security:spring-security-crypto to version 6.3.8, 6.4.4 or higher. The patched versions reject passwords longer than 72 bytes with an IllegalArgumentException instead of silently truncating them, so enforce the limit at registration before calling encode(), and expect existing hashes of longer passwords to stop verifying after the upgrade; those users need a password reset.

    Vulnerable versions: [,6.3.8), [6.4.0,6.4.4)