Lucene search: 1189 matches found

Source: CVE | added 2020/05/14 5:15 p.m.
CVE-2020-5408

CVE-2020-5408 (IBM) affects IBM Sterling Connect:Direct Web Services. A fixed null initialization vector in CBC mode for the queryable text encryptor may allow a dictionary attack to derive unencrypted values, exposing sensitive information. Remediation is via upgrading to supported fixes: IBM St...

CVSS 6.5 | AI score 6.5 | EPSS 0.00411 | Exploits 0 | References 4 | Affected software 2

Source: Cvelist | added 2020/05/14 5:15 p.m.
CVE-2020-5408 Dictionary attack with Spring Security queryable text encryptor

Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has...

AI score 6.6 | EPSS 0.00411 | Exploits 0 | References 4

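Why a fixed null IV turns CBC into an equality oracle, and how the dictionary attack in the two entries above works, as an added example that is not Spring Security's code. AES is replaced by a small HMAC-SHA256 Feistel permutation so the block runs with only the Python standard library; CBC chaining, padding and the attack do not depend on which block cipher sits underneath. The PBKDF2 parameters, password, salt, the stolen column and the candidate list are all constructed for the example, and encrypt_queryable / encrypt_randomized / dictionary_attack are this example's own names.

```python
"""Deterministic CBC (fixed all-zero IV) versus randomized CBC, and the
dictionary attack the fixed IV enables. Added example, not Spring Security
code; the Feistel block cipher is a toy stand-in for AES."""
import hashlib
import hmac
import os

BLOCK = 16  # bytes, the AES block size


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_function(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed PRF for one Feistel round; 8-byte output for an 8-byte half block.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """4-round Feistel permutation on 16-byte blocks: keyed and invertible,
    a toy stand-in for AES (not for production). CBC does not care which."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _round_function(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round_function(key, rnd, left)), left
    return left + right


def _pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Textbook CBC: C_i = E_k(P_i XOR C_{i-1}), with C_0 = IV."""
    data, prev, out = _pkcs7_pad(plaintext), iv, []
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def derive_key(password: str, salt_hex: str) -> bytes:
    # Password-based key via PBKDF2, as Spring's text encryptors do; the hash,
    # iteration count and salt format here are illustrative assumptions.
    return hashlib.pbkdf2_hmac("sha1", password.encode(), bytes.fromhex(salt_hex), 1024, 32)


def encrypt_queryable(key: bytes, plaintext: bytes) -> bytes:
    """The vulnerable construction: CBC with a fixed all-zero IV, so equal
    plaintexts always produce equal ciphertexts (that is what makes it queryable)."""
    return cbc_encrypt(key, bytes(BLOCK), plaintext)


def encrypt_randomized(key: bytes, plaintext: bytes) -> bytes:
    """The safe construction: fresh random IV per message, prepended so the
    key holder can still decrypt."""
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(key, iv, plaintext)


def dictionary_attack(oracle, stolen: list, candidates: list) -> dict:
    """Attacker model: no key, but `oracle` encrypts attacker-chosen values
    under the same encryptor (e.g. by submitting them through the app), and
    `stolen` is a dumped ciphertext column. Returns {ciphertext: plaintext}."""
    table = {oracle(c): c for c in candidates}
    return {ct: table[ct] for ct in stolen if ct in table}


def duplicate_groups(stolen: list) -> dict:
    """Even without an oracle, a deterministic encryptor reveals which rows
    share a value. Returns {ciphertext: [row indexes]} for repeated values."""
    groups = {}
    for i, ct in enumerate(stolen):
        groups.setdefault(ct, []).append(i)
    return {ct: rows for ct, rows in groups.items() if len(rows) > 1}


if __name__ == "__main__":
    key = derive_key("app-secret", "5c0744940b5c369b")  # constructed values
    column = [encrypt_queryable(key, v) for v in (b"1234", b"9876", b"1234")]
    pins = [b"%04d" % i for i in range(10000)]  # a 4-digit PIN column
    print(duplicate_groups(column))
    print(dictionary_attack(lambda v: encrypt_queryable(key, v), column, pins))
```

Two things leak from the fixed IV: rows holding the same value are visible to anyone with the ciphertext column and no key at all, and anyone who can get the application to encrypt chosen values builds a lookup table in seconds for a low-entropy field such as a PIN, date of birth or salary band. A per-message random IV (Spring's Encryptors.text prepends one) removes both. A column that must support equality queries cannot have the second property removed, so the honest remediation is to stop treating that column as confidential against insiders or to move the search onto a separately keyed HMAC of the value.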
Source: CNVD | added 2020/05/14 12:00 a.m.
VMware Spring Security Data Forgery Issue Vulnerability

VMware Spring Security is a set of security frameworks from VMware that provide declarative security for Spring-based applications. A data forgery issue vulnerability exists in VMware Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2. A remote attacker could exploit this...

CVSS 8.8 | AI score 9.5 | EPSS 0.00665 | Exploits 0 | References 1

Source: NVD | added 2020/05/13 5:15 p.m.
CVE-2020-5407

Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 contain a signature wrapping vulnerability during SAML response validation. When using the spring-security-saml2-service-provider component, a malicious user can carefully modify an otherwise valid SAML response and append an...

CVSS 8.8 | AI score 8.6 | EPSS 0.00665 | Exploits 0 | References 7

Source: OSV | added 2020/05/13 5:15 p.m.
CVE-2020-5407

Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 contain a signature wrapping vulnerability during SAML response validation. When using the spring-security-saml2-service-provider component, a malicious user can carefully modify an otherwise valid SAML response and append an...

CVSS 8.8 | AI score 6.7 | EPSS 0.00665 | Exploits 0 | References 7

Source: Prion | added 2020/05/13 5:15 p.m.
Code injection

Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 contain a signature wrapping vulnerability during SAML response validation. When using the spring-security-saml2-service-provider component, a malicious user can carefully modify an otherwise valid SAML response and append an...

CVSS 6.5 | AI score 8.9 | EPSS 0.00665 | Exploits 0 | References 7 | Affected software 1

Source: UbuntuCve | added 2020/05/13 5:15 p.m.
CVE-2020-5407

Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 contain a signature wrapping vulnerability during SAML response validation. When using the spring-security-saml2-service-provider component, a malicious user can carefully modify an otherwise valid SAML response and append an...

CVSS 8.8 | AI score 7.3 | EPSS 0.00665 | Exploits 0 | References 5

Source: Cvelist | added 2020/05/13 5:00 p.m.
CVE-2020-5407 Signature Wrapping Vulnerability with spring-security-saml2-service-provider

Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 contain a signature wrapping vulnerability during SAML response validation. When using the spring-security-saml2-service-provider component, a malicious user can carefully modify an otherwise valid SAML response and append an...

AI score 8.9 | EPSS 0.00665 | Exploits 0 | References 7

Source: CVE | added 2020/05/13 5:00 p.m.
CVE-2020-5407

CVE-2020-5407 describes a signature-wrapping vulnerability in Spring Security (affecting the spring-security-saml2-service-provider path) where an attacker can modify a valid SAML response to inject an arbitrary assertion. Affected are Spring Security 5.2.x before 5.2.4 and 5.3.x before 5.3.2. Ex...

CVSS 8.8 | AI score 8.5 | EPSS 0.00665 | Exploits 0 | References 7 | Affected software 1

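The signature-wrapping attack described in the CVE-2020-5407 entries above, and the validation step that defeats it, as an added example that is not spring-security-saml2-service-provider code. The response skeleton, assertion IDs and subjects are constructed for the example, and a SHA-256 digest over the serialized element stands in for XML-DSig (a real service provider canonicalizes with exclusive C14N and checks SignatureValue against the IdP certificate). idp_response, xsw_wrap, naive_subject, verified_subject and sp_accepts are this example's own names.

```python
"""XML Signature Wrapping (XSW) against a SAML service provider, and why the
SP must consume only the Assertion element the signature actually covers.
Added example, not Spring Security code; digests stand in for XML-DSig."""
import copy
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Constructed message templates: enough of a SAML response to show the point.
_ASSERTION = (
    '<saml:Assertion xmlns:saml="{saml}" ID="{aid}">'
    "<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>"
    "{signature}</saml:Assertion>"
)
_SIGNATURE = (
    '<ds:Signature xmlns:ds="{ds}"><ds:SignedInfo><ds:Reference URI="#{aid}">'
    "<ds:DigestValue>{digest}</ds:DigestValue></ds:Reference>"
    "</ds:SignedInfo></ds:Signature>"
)


def _digest_of(assertion: ET.Element) -> str:
    """Stand-in for XML-DSig reference processing: SHA-256 over the assertion
    serialized with its own enveloped Signature removed."""
    clone = copy.deepcopy(assertion)
    clone.tail = None
    for sig in clone.findall("ds:Signature", NS):
        clone.remove(sig)
    return hashlib.sha256(ET.tostring(clone)).hexdigest()


def idp_response(subject: str, aid: str = "_a1") -> str:
    """What the IdP emits: one assertion carrying a signature over itself."""
    unsigned = _ASSERTION.format(saml=NS["saml"], aid=aid, subject=subject, signature="")
    digest = _digest_of(ET.fromstring(unsigned))
    sig = _SIGNATURE.format(ds=NS["ds"], aid=aid, digest=digest)
    signed = _ASSERTION.format(saml=NS["saml"], aid=aid, subject=subject, signature=sig)
    return '<samlp:Response xmlns:samlp="%s">%s</samlp:Response>' % (NS["samlp"], signed)


def xsw_wrap(response_xml: str, forged_subject: str, copy_signature: bool) -> str:
    """Attacker: park the genuine, still validly signed assertion inside an
    Extensions element (an ID lookup for '#_a1' still finds it there) and put
    a forged assertion with the same ID where consumers look first. With
    copy_signature the genuine <ds:Signature> is cloned into the forgery."""
    root = ET.fromstring(response_xml)
    genuine = root.find("saml:Assertion", NS)
    root.remove(genuine)
    ET.SubElement(root, "{%s}Extensions" % NS["samlp"]).append(genuine)
    forged = ET.fromstring(_ASSERTION.format(
        saml=NS["saml"], aid=genuine.get("ID"), subject=forged_subject, signature=""))
    if copy_signature:
        forged.append(copy.deepcopy(genuine.find("ds:Signature", NS)))
    root.insert(0, forged)
    return ET.tostring(root, encoding="unicode")


def naive_subject(response_xml: str) -> str:
    """The pattern XSW exploits: a signature is verified somewhere in the
    document, but the assertion consumed is simply the first one found."""
    root = ET.fromstring(response_xml)
    return root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS).text


def verified_subject(response_xml: str) -> str:
    """Bind the check to the element consumed: exactly one top-level assertion,
    whose own signature references its own ID and whose digest matches its
    current content. Raises ValueError otherwise."""
    root = ET.fromstring(response_xml)
    assertions = root.findall("saml:Assertion", NS)  # direct children only
    if len(assertions) != 1:
        raise ValueError("expected exactly one assertion, got %d" % len(assertions))
    a = assertions[0]
    sig = a.find("ds:Signature", NS)
    if sig is None:
        raise ValueError("assertion is not signed")
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1 or refs[0].get("URI") != "#" + a.get("ID"):
        raise ValueError("signature does not reference this assertion")
    if refs[0].findtext("ds:DigestValue", namespaces=NS) != _digest_of(a):
        raise ValueError("digest mismatch: content differs from what was signed")
    return a.find("saml:Subject/saml:NameID", NS).text


def sp_accepts(response_xml: str):
    """Subject the hardened SP would log in, or None if it rejects the response."""
    try:
        return verified_subject(response_xml)
    except ValueError:
        return None
```

The decisive property is that the consumer resolves the signature's Reference against the element it is about to trust, not through a document-wide ID lookup: a validator that finds "#_a1" anywhere in the document verifies the parked genuine assertion while the application reads the forged one, which is exactly the wrapping the entries describe. Rejecting responses with more than one assertion and ignoring assertions outside the expected position closes the remaining variants.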
Source: Veracode | added 2020/03/30 6:01 a.m.
Cross-Site Request Forgery (CSRF)

spring-security-web is vulnerable to cross-site request forgery (CSRF). A remote attacker can submit requests to the SwitchUserFilter on behalf of an authenticated user by tricking the user into visiting a malicious web page. The vulnerability exists because the application accepts all HTTP...

AI score 1.1 | Exploits 0

Source: RedHat Linux | added 2020/03/26 3:46 p.m.
spring-security-core: mishandling of user passwords allows logging in with a password of NULL

A flaw was found in Spring Security in several versions, in the use of plain text passwords using the PlaintextPasswordEncoder. If an application is using an affected version of Spring Security with the PlaintextPasswordEncoder and a user has a null encoded password, an attacker can use this flaw...

CVSS 7.5 | AI score 5.8 | EPSS 0.00407 | Exploits 0 | References 5

Source: RedHat Linux | added 2020/03/26 3:46 p.m.
Important: Red Hat Security Advisory: Red Hat Fuse 7.6.0 security update

A minor version update from 7.5 to 7.6 is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring...

CVSS 9.8 | AI score 7.8 | EPSS 0.70524 | Exploits 8 | References 27

Source: Tenable Nessus | added 2020/02/26 12:00 a.m.
Spring Security OAuth Installed

Binary data pivotalsoftwarespringsecurityoauthinstalled.nbin...

AI score 7.3 | Exploits 0 | References 1

Source: Tenable Nessus | added 2020/02/26 12:00 a.m.
Spring Security Installed

Binary data pivotalsoftwarespringsecurityinstalled.nbin...

AI score 7.3 | Exploits 0 | References 1

Source: Github Security Blog | added 2020/01/30 9:21 p.m.
Hard-Coded Key Used For Remember-me Token in Opencast

Impact: The security configuration in etc/security/mhdefaultorg.xml enables a remember-me cookie based on a hash of the username, password and an additional system key. Opencast hard-codes this system key in the large XML file and never mentions changing it, basically ensuring th...

CVSS 8.8 | AI score 0.6 | EPSS 0.00246 | Exploits 0 | References 4 | Affected software 1

Source: RedhatCVE | added 2019/10/11 6:16 p.m.
CVE-2019-11272

A flaw was found in Spring Security in several versions, in the use of plain text passwords using the PlaintextPasswordEncoder. If an application is using an affected version of Spring Security with the PlaintextPasswordEncoder and a user has a null encoded password, an attacker can use this flaw...

CVSS 7.5 | AI score 2.8 | EPSS 0.00407 | Exploits 0 | References 3

Source: BDU FSTEC | added 2019/08/20 12:00 a.m.
A vulnerability in the PlaintextPasswordEncoder class implementation of the Spring Security Java application-security framework allows an attacker to gain unauthorized access to protected information.

The vulnerability in the PlaintextPasswordEncoder class implementation of Spring Security, a Java framework for securing applications, is related to deficiencies in credential handling. Exploiting this vulnerability could allow an attacker, operating remotely...

CVSS 7.5 | AI score 7.8 | EPSS 0.00407 | Exploits 0 | References 4 | Affected software 2

Source: RedHat Linux | added 2019/08/08 10:08 a.m.
spring-security-oauth: Privilege escalation by manipulating saved authorization request

Spring Security OAuth, versions 2.3 prior to 2.3.4, and 2.2 prior to 2.2.3, and 2.1 prior to 2.1.3, and 2.0 prior to 2.0.16, and older unsupported versions could be susceptible to a privilege escalation under certain conditions. A malicious user or attacker can craft a request to the approval...

CVSS 9.6 | AI score 5.8 | EPSS 0.00326 | Exploits 0 | References 5

Source: RedHat Linux | added 2019/08/08 10:08 a.m.
spring-security-core: Unauthorized Access with Spring Security Method Security

Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted...

CVSS 8.8 | AI score 7.2 | EPSS 0.00292 | Exploits 0 | References 4

Source: RedHat Linux | added 2019/08/08 10:08 a.m.
Important: Red Hat Security Advisory: Red Hat Fuse 7.4.0 security update

A minor version update from 7.3 to 7.4 is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring...

CVSS 9.8 | AI score 7.9 | EPSS 0.93545 | Exploits 2 | References 11