org.springframework.security:spring-security-crypto 5.7.11

Direct Vulnerabilities

Known vulnerabilities in the org.springframework.security:spring-security-crypto package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
C Authentication Bypass by Primary Weakness org.springframework.security:spring-security-crypto is a spring-security-crypto library for Spring Security. Affected versions of this package are vulnerable to Authentication Bypass by Primary Weakness in the `BCryptPasswordEncoder.matches()` function, which only takes the first 72 characters for comparison. Passwords longer than this will incorrectly return true when compared against other strings sharing the same first 72 characters, making them easier to brute force. Note: Patches have also been issued for older versions of Enterprise Support packages. How to fix Authentication Bypass by Primary Weakness? Upgrade `org.springframework.security:spring-security-crypto` to version 6.3.8, 6.4.4 or higher.	[,6.3.8)[6.4.0,6.4.4)
M Authorization Bypass org.springframework.security:spring-security-crypto is a spring-security-crypto library for Spring Security. Affected versions of this package are vulnerable to Authorization Bypass due to the use of `String.toLowerCase()` and `String.toUpperCase()` that have `Locale` dependent exceptions, which results in authorization rules not working properly. How to fix Authorization Bypass? Upgrade `org.springframework.security:spring-security-crypto` to version 5.7.14, 5.8.16, 6.2.8, 6.3.5 or higher.	[,5.7.14)[5.8.0,5.8.16)[6.2.0,6.2.8)[6.3.0,6.3.5)

Vulnerability

Vulnerable Version

Authentication Bypass by Primary Weakness

org.springframework.security:spring-security-crypto is a spring-security-crypto library for Spring Security.

Affected versions of this package are vulnerable to Authentication Bypass by Primary Weakness in the BCryptPasswordEncoder.matches() function, which only takes the first 72 characters for comparison. Passwords longer than this will incorrectly return true when compared against other strings sharing the same first 72 characters, making them easier to brute force.

Note: Patches have also been issued for older versions of Enterprise Support packages.

How to fix Authentication Bypass by Primary Weakness?

Upgrade org.springframework.security:spring-security-crypto to version 6.3.8, 6.4.4 or higher.

[,6.3.8)[6.4.0,6.4.4)

Authorization Bypass

org.springframework.security:spring-security-crypto is a spring-security-crypto library for Spring Security.

Affected versions of this package are vulnerable to Authorization Bypass due to the use of String.toLowerCase() and String.toUpperCase() that have Locale dependent exceptions, which results in authorization rules not working properly.

How to fix Authorization Bypass?

Upgrade org.springframework.security:spring-security-crypto to version 5.7.14, 5.8.16, 6.2.8, 6.3.5 or higher.

[,5.7.14)[5.8.0,5.8.16)[6.2.0,6.2.8)[6.3.0,6.3.5)

org.springframework.security:spring-security-crypto@5.7.11

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically