PT-2025-22336 · Spring · Spring Security Aspects

Name of the Vulnerable Software and Affected Versions: Spring Security Aspects affected versions not specified Description: The issue concerns Spring Security Aspects not correctly locating method security annotations on private methods, potentially causing an authorization bypass. This can affec...

Security Bulletin: Vulnerabilities in Spring Boot, Spring Security and Spring Framework might affect IBM Storage Defender Copy Data Management.

Summary IBM Storage Defender Copy Data Management can be affected by vulnerabilities in Spring Boot, Spring Security and Spring Framework. Vulnerabilities include an attacker could exploit this vulnerability to execute arbitrary code, obtain system and session information and cause a denial of...

Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed

EndpointRequest.to creates a matcher for null/ if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed. Your application may be affected by this if all the following conditions are met: You use Spring Security EndpointRequest.to has been used in a Spri...

CVE-2025-22235

EndpointRequest.to creates a matcher for null/ if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed. Your application may be affected by this if all the following conditions are met: You use Spring Security EndpointRequest.to has been used in a Spri...

UBUNTU-CVE-2025-22235

EndpointRequest.to creates a matcher for null/ if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed. Your application may be affected by this if all the following conditions are met: You use Spring Security EndpointRequest.to has been used in a Spri...

CVE-2025-22235 Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed

EndpointRequest.to creates a matcher for null/ if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed. Your application may be affected by this if all the following conditions are met: You use Spring Security EndpointRequest.to has been used in a Spri...

CVE-2025-22235

CVE-2025-22235 : EndpointRequest.to() creates a matcher for /null when the actuator endpoint is disabled or not exposed. IBM advisories confirm this CVE as addressed by IBM Library Support for Spring: upgrade to fixed versions in the remediation table (e.g., IBM Library Support for Spring 6.2.x →...

CVE-2025-22235 Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed

EndpointRequest.to creates a matcher for null/ if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed. Your application may be affected by this if all the following conditions are met: You use Spring Security EndpointRequest.to has been used in a Spri...

PT-2025-18049

Name of the Vulnerable Software and Affected Versions Spring Boot version 2.7.x Description The issue arises when EndpointRequest.to creates a matcher for null/ if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed. An application may be affected if ...

PT-2025-17727

Name of the Vulnerable Software and Affected Versions Spring Security affected versions not specified Description The issue introduces a username enumeration vector. It affects the BCryptPasswordEncoder's maximum password length, which breaks timing attack mitigation. Recommendations At the momen...

This Week in Spring - April 22nd, 2025

Hi, Spring fans! Welcome to another installment of This Week in Spring , which I'm writing from magnificent Minneapolis, Minnesota, where I'm recording an amazing Frontend Masters course introducing Spring Boot. I love this article introducing Spring AI in JavaPro magazine Want to run an LLM...

Timing Attack

Overview org.springframework.security:spring-security-crypto is a spring-security-crypto library for Spring Security. Affected versions of this package are vulnerable to Timing Attack due to an unintentional bypass for DaoAuthenticationProvider constant time controls, which was caused by the fix...

be.personify.iam:personify-frontend (>=1.5.4.RELEASE <=1.5.7.RELEASE), ch.admin.bit.jeap:jeap-archrepo-instance (>=1.12.0 <=1.14.0) +1654 more potentially affected by CVE-2025-22228 +1 more via org.springframework.security:spring-security-crypto (=6.4.4)

org.springframework.security:spring-security-crypto MAVEN version =6.4.4 is affected by a known vulnerability. The following packages have a transitive dependency on org.springframework.security:spring-security-crypto and may be impacted: - be.personify.iam:personify-frontend =1.5.4.RELEASE,...

spring-security-core: Spring Security BCryptPasswordEncoder does not enforce maximum password length

A flaw was found in the spring-security-core password encoder. This vulnerability allows incorrect password matching via input manipulation...

Authorization Bypass

org.springframework.security, spring-security-core is vulnerable to Authorization Bypass. The vulnerability is due to improper method security annotation detection due to issues in locating annotations on parameterized types or methods, allowing an attacker to access methods or resources without...

org.apache.camel.karaf:camel-undertow (>=4.8.1 <=4.8.5), org.apache.camel.springboot:camel-undertow-spring-security-starter (>=4.8.0 <=4.8.5) +3 more potentially affected by CVE-2025-27636 +2 more via org.apache.camel:camel-undertow (>=4.8.0 <=4.8.5)

org.apache.camel:camel-undertow MAVEN version =4.8.0, =4.8.1, =4.8.0, =4.8.0, =4.8.0, =4.8.0, =4.8.5 Source cves: CVE-2025-27636, CVE-2025-29891, CVE-2025-30177 Source advisory: SNYK:JAVA-ORGAPACHECAMEL-9598038...

Security Bulletin: IBM InfoSphere Information Server is affected by a vulnerability in VMware Tanzu Spring Security (CVE-2024-38827)

Summary A vulnerability in VMware Tanzu Spring Security that is used by InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2024-38827 DESCRIPTION: VMware Tanzu Spring Security could allow a remote attacker to bypass security restrictions, caused by a locale dependent...

Improper Password Verification

org.springframework.security, spring-security-crypto is vulnerable to Improper password verification. The vulnerability is due to BCrypt's 72-character password truncation causing BCryptPasswordEncoder.matches to validate only the first 72 characters, allowing incorrect password acceptance...

Spring Security 5.7 < 5.7.16 / 5.8 < 5.8.18 / 6.0 < 6.0.16 / 6.1 < 6.1.14 / 6.2 < 6.2.10 / 6.3 < 6.3.8 / 6.4 < 6.4.4 Authentication Bypass (CVE-2025-22228)

The remote host contains a Spring Security version that is 5.7 prior to 5.7.16, 5.8 prior to 5.8.18, 6.0 prior to 6.0.16, 6.1 prior to 6.1.14, 6.2 prior to 6.2.10, or 6.3 prior to 6.3.8, 6.4 prior to 6.4.4. It may, therefore, be affected by an authentication bypass vulnerability...

Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for November 2023.

Summary Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation 21.0.3-IF027 and 23.0.1-IF005. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2023-46158 DESCRIPTION: IBM WebSphere Application Server...