<p>Upgrade <code>org.springframework.security:spring-security-core</code> to version 5.4.11 or higher.</p>

Integer Overflow or Wraparound Affecting org.springframework.security:spring-security-core package, versions [3.1.0.RELEASE,5.4.11)

Threat Intelligence

Proof of concept

0.15% (52^nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-5950401
published 18 May 2022
disclosed 18 May 2022
credit Eyal Kaspi

Report a new vulnerability Found a mistake?

Introduced: 18 May 2022

CVE-2022-22976 Open this link in a new tab CWE-190 Open this link in a new tab

How to fix?

Upgrade org.springframework.security:spring-security-core to version 5.4.11 or higher.

Overview

org.springframework.security:spring-security-core is a package that provides security services for the Spring IO Platform.

Affected versions of this package are vulnerable to Integer Overflow or Wraparound when using the BCrypt class with the maximum work factor (31). In such a case, the encoder does not perform any salt rounds due to the overflow.

Note:

The default settings are not affected by this CVE.

References

CVSS Scores

version 3.1

Attack Vector (AV)

Local
Attack Complexity (AC)

High
Privileges Required (PR)

High
User Interaction (UI)

None

Scope (S)

Changed

Confidentiality (C)

High
Integrity (I)

None
Availability (A)

None

Integer Overflow or Wraparound Affecting org.springframework.security:spring-security-core package, versions [3.1.0.RELEASE,5.4.11)

Severity

CVSS assessment made by Snyk's Security Team