1189 matches found
Race condition
Race condition in the RunAsManager mechanism in VMware SpringSource Spring Security before 2.0.7 and 3.0.x before 3.0.6 stores the Authentication object in the shared security context, which allows attackers to gain privileges via a crafted thread...
CVE-2011-2732
CRLF injection vulnerability in the logout functionality in VMware SpringSource Spring Security before 2.0.7 and 3.0.x before 3.0.6 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the spring-security-redirect parameter...
CVE-2011-2731
Race condition in the RunAsManager mechanism in VMware SpringSource Spring Security before 2.0.7 and 3.0.x before 3.0.6 stores the Authentication object in the shared security context, which allows attackers to gain privileges via a crafted thread...
CVE-2012-5055
DaoAuthenticationProvider in VMware SpringSource Spring Security before 2.0.8, 3.0.x before 3.0.8, and 3.1.x before 3.1.3 does not check the password if the user is not found, which makes the response delay shorter and might allow remote attackers to enumerate valid usernames via a series of logi...
Crlf injection
CRLF injection vulnerability in the logout functionality in VMware SpringSource Spring Security before 2.0.7 and 3.0.x before 3.0.6 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the spring-security-redirect parameter...
CVE-2012-5055
DaoAuthenticationProvider in VMware SpringSource Spring Security before 2.0.8, 3.0.x before 3.0.8, and 3.1.x before 3.1.3 does not check the password if the user is not found, which makes the response delay shorter and might allow remote attackers to enumerate valid usernames via a series of logi...
CVE-2012-5055
CVE-2012-5055 affects VMware SpringSource Spring Security: DaoAuthenticationProvider does not compare the password when the username is not found, causing a shorter response delay that could enable remote attackers to enumerate valid usernames via login requests. Affected versions include Spring ...
CVE-2011-2732
CRLF injection vulnerability in the logout functionality in VMware SpringSource Spring Security before 2.0.7 and 3.0.x before 3.0.6 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the spring-security-redirect parameter...
CVE-2011-2731
Race condition in the RunAsManager mechanism in VMware SpringSource Spring Security before 2.0.7 and 3.0.x before 3.0.6 stores the Authentication object in the shared security context, which allows attackers to gain privileges via a crafted thread...
CVE-2011-2731
CVE-2011-2731 concerns a race condition in the RunAsManager of VMware SpringSource Spring Security. The vulnerability arises when an escalated Authentication object is stored in the shared security context, which could allow another thread to observe or gain privileges. Affected are Spring Securi...
CVE-2011-2732
Spring Security vulnerability (CVE-2011-2732) involves CRLF injection in logout handling via the spring-security-redirect parameter, allowing header injection and HTTP response splitting. Affected versions: 2.0.0–2.0.6 and 3.0.0–3.0.5. Root cause: shared logout code reads the redirect parameter f...
CVE-2011-2894
Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by 1 serializing a...
Deserialization of untrusted data
Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by 1 serializing a...
CVE-2011-2894
Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by 1 serializing a...
CVE-2011-2894
Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by 1 serializing a...
CVE-2011-2894
CVE-2011-2894 describes insecure deserialization in Spring Framework 3.0.0–3.0.5 and Spring Security 2.0.0–2.0.6 and 3.0.0–3.0.5, where untrusted data can cause remote code execution by deserializing proxies or via exposed internal AOP interfaces (e.g., DefaultListableBeanFactory), enabling arbit...
Security: Chosen commands execution on the server (Framework) or authentication token bypass (Security) by objects de-serialization
Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by 1 serializing a...
CVE-2011-2731: Spring Security privilege escalation when using RunAsManager
CVE-2011-2731: Spring Security privilege escalation when using RunAsManager Severity: Moderate Versions Affected: 2.0.0 to 2.0.6 3.0.0 to 3.0.5 Earlier versions may also be affected Description: Spring Security provides a mechanism RunAsManager to allow particular operations to run with a differe...
CVE-2011-2732: Spring Security header injection vulnerability
CVE-2011-2732: Spring Security header injection vulnerability Severity: Important Versions Affected: 2.0.0 to 2.0.6 3.0.0 to 3.0.5 Earlier versions may also be affected Description: Spring Security allows the use of a parameter named "spring-security-redirect" by default to determine the location...
CVE-2011-2894: Spring Framework and Spring Security serialization-based remoting vulnerabilities
CVE-2011-2894: Spring Framework and Spring Security serialization-based remoting vulnerabilities Severity: Critical Versions Affected: Spring Framework: 3.0.0 to 3.0.5 Spring Security: 2.0.0 to 2.0.6 3.0.0 to 3.0.5 Earlier versions may also be affected Description: Several issues have been report...