UBUNTU-CVE-2022-22976
Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor 31, the encoder does not perform any salt rounds, due to an integer overflow error. The default...
Authorization
In Spring Security versions prior to 5.4.11+, 5.5.7+, 5.6.4+ and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with . in the regular expression are possibly vulnerable to an...
UBUNTU-CVE-2022-22978
In Spring Security versions prior to 5.4.11+, 5.5.7+, 5.6.4+ and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with . in the regular expression are possibly vulnerable to an...
CVE-2022-22978
In Spring Security versions prior to 5.4.11+, 5.5.7+, 5.6.4+ and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with . in the regular expression are possibly vulnerable to an...
CVE-2022-22976
Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor 31, the encoder does not perform any salt rounds, due to an integer overflow error. The default...
CVE-2022-22976
CVE-2022-22976 affects Spring Security: when using BCrypt with maximum work factor (31), the encoder skips salt rounds due to an integer overflow. Affected: Spring Security 5.5.x before 5.5.7 and 5.6.x before 5.6.4 (plus unsupported earlier versions). Default settings are not affected. Remediatio...
CVE-2022-22978
In Spring Security versions prior to 5.4.11+, 5.5.7+, 5.6.4+ and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with . in the regular expression are possibly vulnerable to an...
PT-2022-3458
Name of the Vulnerable Software and Affected Versions Spring Security versions prior to 5.4.11 Spring Security versions prior to 5.5.7 Spring Security versions prior to 5.6.4 Spring Security older unsupported versions Description The issue is related to the RegexRequestMatcher component in Spring...
CVE-2022-22978
CVE-2022-22978 involves a bypass in Spring Security’s RegexRequestMatcher where a dot (.) in the regex can bypass authorization on certain servlet containers. Affected are Spring Security versions prior to 5.4.11+, 5.5.7+, 5.6.4+ and older unsupported releases. Connected reports show remediation ...
CVE-2022-22978
A flaw was found in Spring Security. When using RegexRequestMatcher, a simple misconfiguration can allow the matcher to be bypassed on some servlet containers. Applications using RegexRequestMatcher with . in the regular expression are possibly vulnerable to an authorization bypass...
acegisecurity:acegi-security-resin (=0.9.0), ch.qos.logback:logback-access (>=${parent.version} <=0.3) +3 more potentially affected by CVE-2012-2965 via com.caucho:resin (=3.0.9)
com.caucho:resin MAVEN version =3.0.9 is affected by a known vulnerability. The following packages have a transitive dependency on com.caucho:resin and may be impacted: - acegisecurity:acegi-security-resin =0.9.0 - ch.qos.logback:logback-access =$parent.version, =2.3.0, =1.0.0, =2.0.0, =2.0.4...
acegisecurity:acegi-security-resin (=0.9.0), ch.qos.logback:logback-access (>=${parent.version} <=0.3) +3 more potentially affected by CVE-2012-2967 via com.caucho:resin (=3.0.9)
com.caucho:resin MAVEN version =3.0.9 is affected by a known vulnerability. The following packages have a transitive dependency on com.caucho:resin and may be impacted: - acegisecurity:acegi-security-resin =0.9.0 - ch.qos.logback:logback-access =$parent.version, =2.3.0, =1.0.0, =2.0.0, =2.0.4...
com.evasion:API (>=1.0.0.1 <=1.0.0.3), com.evasion:CLIENT (>=1.0.0.1 <=1.0.0.3) +104 more potentially affected by CVE-2011-2732 via org.springframework.security:spring-security-core (>=2.0.0 <=2.0.6.RELEASE)
org.springframework.security:spring-security-core MAVEN version =2.0.0, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =2.4.7, =2.4.8 and more Source cves: CVE-2011-2732 Source advisory:...
GHSA-5XM9-RF63-WJ7H Improper Control of Generation of Code in Spring Security
CRLF injection vulnerability in the logout functionality in VMware SpringSource Spring Security before 2.0.7 and 3.0.x before 3.0.6 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the spring-security-redirect parameter...
Improper Control of Generation of Code in Spring Security
CRLF injection vulnerability in the logout functionality in VMware SpringSource Spring Security before 2.0.7 and 3.0.x before 3.0.6 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the spring-security-redirect parameter...
br.net.woodstock.rockframework:rockframework-domain (>=1.2.1 <=1.2.2), com.force.sdk:force-springsecurity (>=22.0.2-BETA <=22.0.9-BETA) +219 more potentially affected by CVE-2011-2732 via org.springframework.security:spring-security-core (>=3.0.0.RELEASE <=3.0.5.RELEASE)
org.springframework.security:spring-security-core MAVEN version =3.0.0.RELEASE, =1.2.1, =22.0.2-BETA, =1.0.0, =3.0.2, =1.2.0, =1.1, =0.1, =1.2-1, =2011.11.07.RELEASE, =2011.11.07.RELEASE, =2011.11.07.RELEASE, =3.49, =3.55 and more Source cves: CVE-2011-2732 Source advisory: OSV:GHSA-5XM9-RF63-WJ7...
br.net.woodstock.rockframework:rockframework-domain (>=1.2.1 <=3.0.1), br.net.woodstock.rockframework:rockframework-persistence (>=2.0.0 <=2.0.8) +270 more potentially affected by CVE-2012-5055 via org.springframework.security:spring-security-core (>=3.0.0.RELEASE <=3.0.7.RELEASE)
org.springframework.security:spring-security-core MAVEN version =3.0.0.RELEASE, =1.2.1, =2.0.0, =22.0.2-BETA, =1.0.0, =3.0.2, =3.0.0, =1.2.0, =1.1, =0.1, =1.2-1, =1.0, =1.0.2 - com.revolsys.open:com.revolsys.open.gis.web =2011.11.07.RELEASE and more Source cves: CVE-2012-5055 Source advisory:...
com.ctlok:spring-webmvc-rythm (>=1.3.6 <=1.4.2), com.github.dblock.waffle:waffle-spring-security3 (>=1.5 <=1.6) +171 more potentially affected by CVE-2012-5055 via org.springframework.security:spring-security-core (>=3.1.0.RELEASE <=3.1.2.RELEASE)
org.springframework.security:spring-security-core MAVEN version =3.1.0.RELEASE, =1.3.6, =1.5, =1.0.0, =3.0.4, =3.3, =1.1.3, =1.1.4, =1.1.3, =1.0.2, =1.0.3 - com.racquettrack:spring-security-oauth2-client =1.4 - com.sitewhere:sitewhere-core =0.9.7 and more Source cves: CVE-2012-5055 Source advisor...
com.evasion:API (>=1.0.0.1 <=1.0.0.3), com.evasion:CLIENT (>=1.0.0.1 <=1.0.0.3) +300 more potentially affected by CVE-2012-5055 via org.springframework.security:spring-security-core (>=2.0.0 <=2.0.7.RELEASE)
org.springframework.security:spring-security-core MAVEN version =2.0.0, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.5, =1.6 and more Source cves: CVE-2012-5055 Source advisory: OSV:GHSA-3533-RVPC-6X...
GHSA-3533-RVPC-6X56 Exposure of Sensitive Information to an Unauthorized Actor in Spring Security
DaoAuthenticationProvider in VMware SpringSource Spring Security before 2.0.8, 3.0.x before 3.0.8, and 3.1.x before 3.1.3 does not check the password if the user is not found, which makes the response delay shorter and might allow remote attackers to enumerate valid usernames via a series of logi...