1189 matches found
CVE-2019-3795
CVE-2019-3795 affects Spring Security: insecure randomness when SecureRandomFactoryBean#setSeed is used to configure a SecureRandom. Impact requires the application to supply a seed and expose the resulting random material to an attacker. Affected releases include Spring Security 4.2.x before 4.2...
CVE-2019-3795 Insecure Randomness When Using a SecureRandom Instance Constructed by Spring Security
Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBeansetSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make...
Insecure Randomness
spring-security-core is vulnerable to insecure randomness. The vulnerability exists because it does not use a secure way of generating randomness in SecureRandomFactoryBeansetSeed to configure a SecureRandom instance...
CVE-2019-3778
Spring Security OAuth, versions 2.3 prior to 2.3.5, and 2.2 prior to 2.2.4, and 2.1 prior to 2.1.4, and 2.0 prior to 2.0.17, and older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to th...
br.com.anteros:Anteros-Security-Spring (>=2.0.0 <=2.0.20), br.com.anteros:Anteros-Security-Spring-Mongo (>=1.0.0 <=1.0.5) +284 more potentially affected by CVE-2019-3778 via org.springframework.security.oauth:spring-security-oauth2 (>=2.3.0.RELEASE <=2.3.4.RELEASE)
org.springframework.security.oauth:spring-security-oauth2 MAVEN version =2.3.0.RELEASE, =2.0.0, =1.0.0, =1.0.0, =1.0.6, =1.0.6, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.3 and more Source cves: CVE-2019-3778 Source advisory: OSV:GHSA-77RV-6VFW-X4GC...
com.alexbt:springboot-autoconfigure-openid-oauth (=1.0.9), com.appdirect:service-integration-sdk (>=1.24 <=v11.129.7) +10 more potentially affected by CVE-2019-3778 via org.springframework.security.oauth:spring-security-oauth (>=2.0.10.RELEASE <=2.0.14.RELEASE)
org.springframework.security.oauth:spring-security-oauth MAVEN version =2.0.10.RELEASE, =1.24, =2.7.4.7, =2.7.4.7, =2.7.4.7, =3.3.0.4, =3.3.0.4, =2.7.4.7, =4.4.0 Source cves: CVE-2019-3778 Source advisory: OSV:GHSA-77RV-6VFW-X4GC...
am.ik.home:uaa-client (>=1.0.0 <=1.9.0), am.ik.home:uaa-integration-test (>=1.0.0 <=1.9.0) +537 more potentially affected by CVE-2019-3778 via org.springframework.security.oauth:spring-security-oauth2 (>=1.0.0.RELEASE <=2.0.16.RELEASE)
org.springframework.security.oauth:spring-security-oauth2 MAVEN version =1.0.0.RELEASE, =1.0.0, =1.0.0, =1.0.0, =0.1.0, =1.0.0, =A.1.1.0, =A.1.1.0, =A.1.1.0, =A.1.1.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.1.11 - com.17jee:e-security-token =3.0.1.11 and more Source cves: CVE-2019-3778 Source...
au.org.consumerdatastandards:client-cli (>=1.1.1 <=2.4.1), fm.pattern:tokamak-authorization (=1.0.1) +17 more potentially affected by CVE-2019-3778 via org.springframework.security.oauth:spring-security-oauth2 (>=2.1.0.RELEASE <=2.1.1.RELEASE)
org.springframework.security.oauth:spring-security-oauth2 MAVEN version =2.1.0.RELEASE, =1.1.1, =1.2.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.9.0, =1.9.0, =1.3.0, =1.3.0, =1.3.4 and more Source cves: CVE-2019-3778 Source advisory: OSV:GHSA-77RV-6VFW-X4GChttps://vulners.c...
br.com.anteros:Anteros-Keycloak (=1.0.0), cloud.altemista.fwk.framework:cloud-altemistafwk-documentation (=3.1.0.RELEASE) +69 more potentially affected by CVE-2019-3778 via org.springframework.security.oauth:spring-security-oauth2 (>=2.2.0.RELEASE <=2.2.3.RELEASE)
org.springframework.security.oauth:spring-security-oauth2 MAVEN version =2.2.0.RELEASE, =3.0.0.RELEASE, =3.0.0.RELEASE, =3.0.0.RELEASE, =3.0.0.RELEASE, =3.0.0.RELEASE, =3.0.0.RELEASE, =3.0.0.RELEASE, =1.0.0, =1.0.0, =3.3.2, =4.0.1 - com.ge.research.semtk:springSecurityLibrary =2.2.2 -...
CVE-2019-3778
The CVE-2019-3778 entry concerns an open redirect vulnerability in Spring Security OAuth where an attacker can abuse the redirect_uri parameter at the authorization endpoint to redirect a user-agent to an attacker-controlled URI, leaking the authorization code. Affected are older Spring Security ...
CVE-2019-3778 Open Redirect in spring-security-oauth2
Spring Security OAuth, versions 2.3 prior to 2.3.5, and 2.2 prior to 2.2.4, and 2.1 prior to 2.1.4, and 2.0 prior to 2.0.17, and older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to th...
CVE-2019-3778
Spring Security OAuth, versions 2.3 prior to 2.3.5, and 2.2 prior to 2.2.4, and 2.1 prior to 2.1.4, and 2.0 prior to 2.0.17, and older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to th...
Authorization
Spring Security OAuth, versions 2.3 prior to 2.3.5, and 2.2 prior to 2.2.4, and 2.1 prior to 2.1.4, and 2.0 prior to 2.0.17, and older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to th...
CVE-2019-3778
Spring Security OAuth, versions 2.3 prior to 2.3.5, and 2.2 prior to 2.2.4, and 2.1 prior to 2.1.4, and 2.0 prior to 2.0.17, and older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to th...
Open Redirection
spring-security-oauth2 is vulnerable to open redirection. A lack of validation on the redirecturi parameter allows an attacker to manipulate the redirect URI by sending a malicious request to the authorization endpoint using the authorization code grant type and cause the authorization server to...
ai.foremast.metrics:foremast-spring-boot-k8s-metrics-starter (>=0.1.2 <=0.1.6), cn.aghost:nacos-address (>=1.2.1.aghost-fix.20201109 <=1.2.1.aghost-fix.20210122) +408 more potentially affected by CVE-2018-15801 via org.springframework.security:spring-security-core (>=5.1.0.RELEASE <=5.1.1.RELEASE)
org.springframework.security:spring-security-core MAVEN version =5.1.0.RELEASE, =0.1.2, =1.2.1.aghost-fix.20201109, =1.2.1.aghost-fix.20201109, =1.2.1.aghost-fix.20201109, =1.2.1.aghost-fix.20201109, =1.2.1.aghost-fix.20201109, =1.2.1.aghost-fix.20201109, =1.2.1.aghost-fix.20201109,...
GHSA-27XW-P8V6-9JJR Spring Security vulnerable to Authorization Bypass
Spring Security versions 5.1.x prior to 5.1.2 contain an authorization bypass vulnerability during JWT issuer validation. In order to be impacted, the same private key for an honest issuer and a malicious user must be used when signing JWTs. In that case, a malicious user could fashion signed JWT...
Spring Security vulnerable to Authorization Bypass
Spring Security versions 5.1.x prior to 5.1.2 contain an authorization bypass vulnerability during JWT issuer validation. In order to be impacted, the same private key for an honest issuer and a malicious user must be used when signing JWTs. In that case, a malicious user could fashion signed JWT...
Authorization
Spring Security versions 5.1.x prior to 5.1.2 contain an authorization bypass vulnerability during JWT issuer validation. In order to be impacted, the same private key for an honest issuer and a malicious user must be used when signing JWTs. In that case, a malicious user could fashion signed JWT...
CVE-2018-15801
Spring Security versions 5.1.x prior to 5.1.2 contain an authorization bypass vulnerability during JWT issuer validation. In order to be impacted, the same private key for an honest issuer and a malicious user must be used when signing JWTs. In that case, a malicious user could fashion signed JWT...