42 matches found
GHSA-VQXH-445G-37FC Spring Security has a broken timing attack mitigation implemented in DaoAuthenticationProvider
The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations...
CVE-2025-22234 Spring Security - BCrypt Password Encoder maximum password length breaks timing attack mitigation
The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations...
CVE-2025-22234
CVE-2025-22234 is associated with Spring Security’s timing-attack mitigation in DaoAuthenticationProvider. The described issue states that the fix applied in CVE-2025-22228 accidentally broke the mitigation, enabling an attacker to infer usernames or authentication behavior via response-time diff...
Broken Authentication Third-Party Dependency in Bitbucket Data Center and Server - CVE-2025-22228
This High severity vulnerability known as CVE-2025-22228 was introduced in 8.19.0, 8.19.1, 8.19.2, 8.19.3, 8.19.4, 8.19.5, 8.19.6, 8.19.7, 8.19.8, 8.19.9, 8.19.10, 8.19.11, 9.4.0, 8.19.12, 8.19.13, 9.4.1, 9.4.2, 8.19.14, 9.4.3, 8.19.15, 8.19.16, 9.4.4, 8.19.17, 9.4.5, 8.19.18, 9.4.6 of Bitbucket...
Linux Distros Unpatched Vulnerability : CVE-2021-22228
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue has been discovered in GitLab affecting all versions before 13.11.6, all versions starting from 13.12 before 13.12.6, and all versions starting from 14...
Atlassian Jira Service Management Data Center and Server 5.12.x < 5.12.24 / 10.3.x < 10.3.7 / 10.4.x < 10.7.1 (JSDSERVER-16310)
The version of Atlassian Jira Service Management (Jira Service Desk) Data Center and Server running on the remote host is affected by a vulnerability as referenced in the JSDSERVER-16310 advisory. - BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger...
RHEL 9 : Red Hat Product OCP Tools 4.17 OpenShift Jenkins (RHSA-2025:10097)
The remote Red Hat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2025:10097 advisory. Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by...
RHEL 8 : Red Hat Product OCP Tools 4.12 OpenShift Jenkins (RHSA-2025:10118)
The remote Red Hat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2025:10118 advisory. Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by...
RHEL 8 : Red Hat Product OCP Tools 4.13 OpenShift Jenkins (RHSA-2025:10119)
The remote Red Hat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2025:10119 advisory. Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by...
RHEL 9 : Red Hat Product OCP Tools 4.16 OpenShift Jenkins (RHSA-2025:10098)
The remote Red Hat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2025:10098 advisory. Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by...
Atlassian Confluence 7.13.x < 8.5.23 / 8.6.x < 9.2.5 / 9.3.x < 9.5.1 (CONFSERVER-99921)
The version of Atlassian Confluence Server running on the remote host is affected by a vulnerability as referenced in the CONFSERVER-99921 advisory. - BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72...
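The two behaviours these results describe (a bcrypt-style encoder that silently truncates input to 72 bytes, and a length check added to that encoder that leaves the user-not-found timing mitigation in DaoAuthenticationProvider doing different work on the two authentication paths) are shown together in the added example below. It is not Spring Security's code: Hasher, DelegatingEncoder and AuthProvider are toy stand-ins, the hash is PBKDF2 rather than bcrypt, and the mixed-encoder set-up that produces the measurable difference is constructed here to illustrate the class of regression; the advisories above say only "under certain configurations" and do not name one.

```python
"""Added example, not Spring Security's code: a model of bcrypt's 72-byte
truncation (the CVE-2025-22228 bypass) and of how a length guard placed inside
one encoder can undo a user-not-found timing mitigation once the two
authentication paths stop doing the same work (the class of regression in
CVE-2025-22234). Hasher, DelegatingEncoder and AuthProvider are toy stand-ins;
the hash is PBKDF2 and the mixed-encoder configuration is constructed here."""
import hashlib
import hmac
import os

MAX_BYTES = 72        # bcrypt consumes only the first 72 bytes of the password
ITERATIONS = 20_000   # expensive enough to stand in for bcrypt's cost factor


class Hasher:
    """Salted PBKDF2 with `{name}salt$digest` output. `truncate` mimics bcrypt's
    72-byte cut, `guard` the fix that rejects over-length input. `work` counts
    expensive digest evaluations, a noise-free proxy for response time."""

    def __init__(self, name: str, truncate: bool, guard: bool):
        self.name, self.truncate, self.guard, self.work = name, truncate, guard, 0

    def _digest(self, raw: bytes, salt: bytes) -> bytes:
        self.work += 1
        data = raw[:MAX_BYTES] if self.truncate else raw
        return hashlib.pbkdf2_hmac("sha256", data, salt, ITERATIONS)

    def _check(self, raw: bytes) -> None:
        if self.guard and len(raw) > MAX_BYTES:
            # Rejects before any hashing, so no work is done on this path.
            raise ValueError(f"password cannot be more than {MAX_BYTES} bytes")

    def encode(self, password: str) -> str:
        raw, salt = password.encode(), os.urandom(16)
        self._check(raw)
        return f"{{{self.name}}}{salt.hex()}${self._digest(raw, salt).hex()}"

    def matches(self, password: str, encoded: str) -> bool:
        raw = password.encode()
        self._check(raw)
        salt, digest = encoded.split("}", 1)[1].split("$")
        return hmac.compare_digest(self._digest(raw, bytes.fromhex(salt)), bytes.fromhex(digest))


class DelegatingEncoder:
    """Routes matches() by the `{id}` prefix of the stored hash; new hashes use
    the first encoder (the shape of a DelegatingPasswordEncoder)."""

    def __init__(self, *encoders: Hasher):
        self.encoders = {e.name: e for e in encoders}
        self.default = encoders[0]

    def encode(self, password: str) -> str:
        return self.default.encode(password)

    def matches(self, password: str, encoded: str) -> bool:
        return self.encoders[encoded[1:encoded.index("}")]].matches(password, encoded)

    @property
    def work(self) -> int:
        return sum(e.work for e in self.encoders.values())


class AuthProvider:
    """Toy DaoAuthenticationProvider: for an unknown username it matches the
    presented password against a dummy hash so 'no such user' costs the same
    as 'wrong password'."""

    def __init__(self, users: dict, encoder, check_length_first: bool = False):
        self.users, self.encoder, self.check_length_first = users, encoder, check_length_first
        self.dummy = encoder.encode("userNotFoundPassword")

    def authenticate(self, username: str, password: str):
        """Returns (outcome, number of expensive digests computed)."""
        start = self.encoder.work
        try:
            if self.check_length_first and len(password.encode()) > MAX_BYTES:
                raise ValueError("too long")   # hardened: same check before any lookup
            stored = self.users.get(username)
            if stored is None:
                self.encoder.matches(password, self.dummy)   # timing mitigation
                return "bad credentials", self.encoder.work - start
            ok = self.encoder.matches(password, stored)
            return ("ok" if ok else "bad credentials"), self.encoder.work - start
        except ValueError:
            return "rejected", self.encoder.work - start


def demo() -> dict:
    secret, forged, probe = "a" * 72 + "-real-tail", "a" * 72 + "-other", "b" * 80
    # 1. Truncating encoder: any password sharing the first 72 bytes matches.
    vuln = Hasher("bcrypt", truncate=True, guard=False)
    stored = vuln.encode(secret)
    bypass = vuln.matches(forged, stored)
    # 2. Guarded encoder: the same stored hash now rejects the over-length input.
    fixed = Hasher("bcrypt", truncate=True, guard=True)
    try:
        fixed.matches(forged, stored)
        guarded = "matched"
    except ValueError:
        guarded = "rejected"
    # 3. Regression: alice's hash comes from a legacy encoder without the guard,
    #    the dummy hash from the guarded one. An 80-byte probe is rejected with
    #    zero work for unknown users but fully hashed for alice: a username oracle.
    legacy = Hasher("pbkdf2", truncate=False, guard=False)
    users = {"alice": legacy.encode("correct horse")}
    naive = AuthProvider(users, DelegatingEncoder(fixed, legacy))
    # 4. Hardened: validate length once, before the lookup, so both paths agree.
    hard = AuthProvider(users, DelegatingEncoder(fixed, legacy), check_length_first=True)
    return {"bypass": bypass, "guarded": guarded,
            "short_known": naive.authenticate("alice", "wrong"),
            "short_unknown": naive.authenticate("nobody", "wrong"),
            "long_known": naive.authenticate("alice", probe),
            "long_unknown": naive.authenticate("nobody", probe),
            "hard_known": hard.authenticate("alice", probe),
            "hard_unknown": hard.authenticate("nobody", probe)}
```

Run `demo()`: with a short wrong password both paths cost one digest, which is the mitigation working; with the 80-byte probe the naive provider returns `("bad credentials", 1)` for alice and `("rejected", 0)` for an unknown user, and the hardened provider returns `("rejected", 0)` for both. The general lesson is that any new guard has to sit where both the user-found and user-not-found paths execute it identically, otherwise the guard itself becomes the oracle.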
com.almis.awe:awe-annotation (>=4.10.11 <=4.11.2), com.almis.awe:awe-annotations-spring-boot-starter (>=4.10.11 <=4.11.2) +152 more potentially affected by CVE-2025-22228 +1 more via org.springframework.security:spring-security-crypto (=6.3.8)
org.springframework.security:spring-security-crypto MAVEN version =6.3.8 is affected by a known vulnerability. The following packages have a transitive dependency on org.springframework.security:spring-security-crypto and may be impacted: - com.almis.awe:awe-annotation =4.10.11, =4.10.11, =4.10.1...
be.personify.iam:personify-frontend (>=1.5.4.RELEASE <=1.5.7.RELEASE), ch.admin.bit.jeap:jeap-archrepo-instance (>=1.12.0 <=1.14.0) +1654 more potentially affected by CVE-2025-22228 +1 more via org.springframework.security:spring-security-crypto (=6.4.4)
org.springframework.security:spring-security-crypto MAVEN version =6.4.4 is affected by a known vulnerability. The following packages have a transitive dependency on org.springframework.security:spring-security-crypto and may be impacted: - be.personify.iam:personify-frontend =1.5.4.RELEASE,...
Security Bulletin: IBM Maximo Application Suite Ai-Broker component vulnerable to BCryptPasswordEncoder incorrectly returning true for passwords larger than 72 characters
Summary: The IBM Maximo Application Suite Ai-Broker component is vulnerable to an issue in which BCryptPasswordEncoder incorrectly returns true for passwords larger than 72 characters. This bulletin contains information regarding the vulnerability and its remediation. Vulnerability Details...
Spring Security 5.7 < 5.7.16 / 5.8 < 5.8.18 / 6.0 < 6.0.16 / 6.1 < 6.1.14 / 6.2 < 6.2.10 / 6.3 < 6.3.8 / 6.4 < 6.4.4 Authentication Bypass (CVE-2025-22228)
The remote host contains a Spring Security version that is 5.7 prior to 5.7.16, 5.8 prior to 5.8.18, 6.0 prior to 6.0.16, 6.1 prior to 6.1.14, 6.2 prior to 6.2.10, 6.3 prior to 6.3.8, or 6.4 prior to 6.4.4. It may, therefore, be affected by an authentication bypass vulnerability...
CVE-2025-22228 vulnerabilities
Vulnerabilities for packages: keycloak-config-cli, thingsboard...
CVE-2025-22228 vulnerabilities
Vulnerabilities for packages: keycloak-config-cli, thingsboard, camunda-zeebe, jenkins...
app.valuationcontrol:library (>=0.5.8 <=0.5.9), at.aimon.ops:aimon-ops-api (>=0.0.1 <=0.0.2) +2784 more potentially affected by CVE-2025-22228 via org.springframework.security:spring-security-crypto (>=6.4.0 <=6.4.3)
org.springframework.security:spring-security-crypto MAVEN version =6.4.0, =0.5.8, =0.0.1, =0.0.1, =55.v51410e712e0c, =1.0.1, =1.0.2, =1.0.4, =1.0.2, =1.0.16, =1.0.2, =1.0.4, =2.3.0, =1.10.0, =1.10.0, =1.11.0 and more Source cves: CVE-2025-22228 Source advisory: OSV:GHSA-MG83-C7GQ-RV5C...
africa.absa:inception-api (>=1.0.0 <=1.2.0), africa.absa:inception-codes-api (>=1.0.0 <=1.2.0) +9767 more potentially affected by CVE-2025-22228 via org.springframework.security:spring-security-crypto (>=3.1.0.RELEASE <=5.7.14)
org.springframework.security:spring-security-crypto MAVEN version =3.1.0.RELEASE, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =4.4.0.2, =0.5.0, =0.5.24 and more Source cves: CVE-2025-22228 Source advisory: OSV:GHSA-MG83-C7GQ-RV5C...