org.springframework.vault:spring-vault-core 2.2.2.RELEASE vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.springframework.vault:spring-vault-core package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Insertion of Sensitive Information into Log File Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File when attempting to revoke a Vault batch token. Specifically, an application is vulnerable when all of the following are true: The authentication mechanism creates Batch tokens Usage of `LifecycleAwareSessionManager` in an imperative-only arrangement `LifecycleAwareSessionManager.destroy()` is called by the application or the application shutdown hook The logging level for `LifecycleAwareSessionManager` or `org.springframework.vault.authentication` is set at least to `WARN` or a more detailed logging level. The token revocation fails because either of: A vault error response that batch tokens cannot be revoked An I/O error occurs An application is not vulnerable if any of the following is true: The application uses `ReactiveSessionManager` in a mixed reactive/imperative or reactive-only arrangement `LifecycleAwareSessionManager.destroy()` is never called by the application or the application shutdown hook The logging level for `LifecycleAwareSessionManager` or `org.springframework.vault.authentication` is set to `ERROR` or higher, such as `OFF` The authentication mechanism creates Service tokens How to fix Insertion of Sensitive Information into Log File? Upgrade `org.springframework.vault:spring-vault-core` to version 2.3.3, 3.0.2 or higher.	[,2.3.3)[3.0.0,3.0.2)

Vulnerability

Vulnerable Version

Insertion of Sensitive Information into Log File

Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File when attempting to revoke a Vault batch token.

Specifically, an application is vulnerable when all of the following are true:

The authentication mechanism creates Batch tokens
Usage of LifecycleAwareSessionManager in an imperative-only arrangement
LifecycleAwareSessionManager.destroy() is called by the application or the application shutdown hook
The logging level for LifecycleAwareSessionManager or org.springframework.vault.authentication is set at least to WARN or a more detailed logging level.
The token revocation fails because either of:

A vault error response that batch tokens cannot be revoked
An I/O error occurs

An application is not vulnerable if any of the following is true:

The application uses ReactiveSessionManager in a mixed reactive/imperative or reactive-only arrangement
LifecycleAwareSessionManager.destroy() is never called by the application or the application shutdown hook
The logging level for LifecycleAwareSessionManager or org.springframework.vault.authentication is set to ERROR or higher, such as OFF
The authentication mechanism creates Service tokens

How to fix Insertion of Sensitive Information into Log File?

Upgrade org.springframework.vault:spring-vault-core to version 2.3.3, 3.0.2 or higher.

[,2.3.3)[3.0.0,3.0.2)

org.springframework.vault:spring-vault-core@2.2.2.RELEASE vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities

How to fix?