Github Security Blog
added 2022/05/17 4:59 a.m., 28 views

Concurrent Execution using Shared Resource with Improper Synchronization in Spring Security

Race condition in the RunAsManager mechanism in VMware SpringSource Spring Security before 2.0.7 and 3.0.x before 3.0.6 stores the Authentication object in the shared security context, which allows attackers to gain privileges via a crafted thread...

CVSS 5.1, AI score 6.8, EPSS 0.00227
Exploits 0, References 4, Affected Software 1
vulnersOsv
added 2022/05/17 4:59 a.m., 2 views

br.net.woodstock.rockframework:rockframework-domain (>=1.2.1 <=1.2.2), com.force.sdk:force-springsecurity (>=22.0.2-BETA <=22.0.9-BETA) +219 more potentially affected by CVE-2011-2731 via org.springframework.security:spring-security-core (>=3.0.0.RELEASE <=3.0.5.RELEASE)

org.springframework.security:spring-security-core MAVEN version =3.0.0.RELEASE, =1.2.1, =22.0.2-BETA, =1.0.0, =3.0.2, =1.2.0, =1.1, =0.1, =1.2-1, =2011.11.07.RELEASE, =2011.11.07.RELEASE, =2011.11.07.RELEASE, =3.49, =3.55 and more Source cves: CVE-2011-2731 Source advisory: OSV:GHSA-4644-HG35-55M...

CVSS 5.1, AI score 5.8, EPSS 0.00227
Exploits 0
vulnersOsv
added 2022/05/17 4:59 a.m., 2 views

com.evasion:API (>=1.0.0.1 <=1.0.0.3), com.evasion:CLIENT (>=1.0.0.1 <=1.0.0.3) +104 more potentially affected by CVE-2011-2731 via org.springframework.security:spring-security-core (>=2.0.0 <=2.0.6.RELEASE)

org.springframework.security:spring-security-core MAVEN version =2.0.0, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =2.4.7, =2.4.8 and more Source cves: CVE-2011-2731 Source advisory:...

CVSS 5.1, AI score 5.8, EPSS 0.00227
Exploits 0
OSV
added 2022/05/17 4:59 a.m., 23 views

GHSA-4644-HG35-55M9 Concurrent Execution using Shared Resource with Improper Synchronization in Spring Security

Race condition in the RunAsManager mechanism in VMware SpringSource Spring Security before 2.0.7 and 3.0.x before 3.0.6 stores the Authentication object in the shared security context, which allows attackers to gain privileges via a crafted thread...

CVSS 5.1, AI score 6.4, EPSS 0.00227
Exploits 0, References 4
CNNVD
added 2022/05/17 12:00 a.m., 4 views

VMware Spring Security Authorization Issue Vulnerability

VMware Spring Security is a security framework from VMware that provides illustrative security protections for Spring-based applications. An authorization issue vulnerability exists in VMware Spring Security that stems from the use of RegexRequestMatcher and the wildcard . character of a regular...

CVSS 9.8, AI score 7.2, EPSS 0.90224
Exploits 6, References 9
Spring Engineering
added 2022/05/16 5:32 a.m., 85 views

CVE-2022-22976: BCrypt skips salt rounds for work factor of 31

Spring Security 5.7.0, 5.6.4, 5.5.7 were released to fix CVE-2022-22976: BCrypt skips salt rounds for work factor of 31. Please update as soon as possible...

CVSS 7.5, AI score 1.6, EPSS 0.90224
Exploits 6
Spring Engineering
added 2022/05/16 5:27 a.m., 477 views

CVE-2022-22978: Authorization Bypass in RegexRequestMatcher

UPDATES 05-17 Due to a mixup CVE-2022-22975 should have been CVE-2022-22978. The blog has been updated to reflect this correction. CVE-2022-22978 : Authorization Bypass in RegexRequestMatcher Spring Security 5.7.0, 5.6.4, 5.5.7 were released to fix CVE-2022-22978 : Authorization Bypass in...

CVSS 7.5, AI score 2.6, EPSS 0.90224
Exploits 6
vulnersOsv
added 2022/05/14 2:54 a.m., 2 views

com.evasion:API (>=1.0.0.1 <=1.0.0.3), com.evasion:CLIENT (>=1.0.0.1 <=1.0.0.3) +104 more potentially affected by CVE-2011-2894 via org.springframework.security:spring-security-core (>=2.0.0 <=2.0.6.RELEASE)

org.springframework.security:spring-security-core MAVEN version =2.0.0, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =2.4.7, =2.4.8 and more Source cves: CVE-2011-2894 Source advisory:...

CVSS 6.8, AI score 5.8, EPSS 0.01998
Exploits 1
vulnersOsv
added 2022/05/14 2:54 a.m., 3 views

br.net.woodstock.rockframework:rockframework-domain (>=1.2.1 <=1.2.2), com.force.sdk:force-springsecurity (>=22.0.2-BETA <=22.0.9-BETA) +219 more potentially affected by CVE-2011-2894 via org.springframework.security:spring-security-core (>=3.0.0.RELEASE <=3.0.5.RELEASE)

org.springframework.security:spring-security-core MAVEN version =3.0.0.RELEASE, =1.2.1, =22.0.2-BETA, =1.0.0, =3.0.2, =1.2.0, =1.1, =0.1, =1.2-1, =2011.11.07.RELEASE, =2011.11.07.RELEASE, =2011.11.07.RELEASE, =3.49, =3.55 and more Source cves: CVE-2011-2894 Source advisory: OSV:GHSA-F866-M9MV-2XR...

CVSS 6.8, AI score 5.8, EPSS 0.01998
Exploits 1
Github Security Blog
added 2022/05/14 2:54 a.m., 29 views

Spring Framework and Spring Security vulnerable to Deserialization of Untrusted Data

Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by (1) serializing a...

CVSS 6.8, AI score 6.2, EPSS 0.01998
Exploits 1, References 11, Affected Software 2
vulnersOsv
added 2022/05/14 2:43 a.m., 2 views

com.evasion:API (>=1.0.0.1 <=1.0.0.3), com.evasion:CLIENT (>=1.0.0.1 <=1.0.0.3) +103 more potentially affected by CVE-2010-3700 via org.springframework.security:spring-security-core (>=2.0.0 <=2.0.5.RELEASE)

org.springframework.security:spring-security-core MAVEN version =2.0.0, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =2.4.7, =2.4.8 and more Source cves: CVE-2010-3700 Source advisory:...

CVSS 5, AI score 5.8, EPSS 0.00248
Exploits 1
OSV
added 2022/05/14 2:43 a.m., 2 views

GHSA-3295-H9QX-R82X Authentication Bypass Using an Alternate Path or Channel in SpringSource Spring Security and Acegi Security

VMware SpringSource Spring Security 2.x before 2.0.6 and 3.x before 3.0.4, and Acegi Security 1.0.0 through 1.0.7, as used in IBM WebSphere Application Server WAS 6.1 and 7.0, allows remote attackers to bypass security constraints via a path parameter...

CVSS 5, AI score 5.9, EPSS 0.00248
Exploits 1, References 3
vulnersOsv
added 2022/05/14 2:43 a.m., 2 views

br.net.woodstock.rockframework:rockframework-domain (>=1.2.1 <=1.2.2), com.force.sdk:force-springsecurity (>=22.0.2-BETA <=22.0.9-BETA) +30 more potentially affected by CVE-2010-3700 via org.springframework.security:spring-security-core (>=3.0.0.RELEASE <=3.0.3.RELEASE)

org.springframework.security:spring-security-core MAVEN version =3.0.0.RELEASE, =1.2.1, =22.0.2-BETA, =1.2.0, =1.1, =1.2-1, =3.49, =1.4.5.1, =2.4.0, =2.4.0, =1.20, =1.6, =1.6, =1.6, =3.9.SS3, =3.19.SS3 and more Source cves: CVE-2010-3700 Source advisory: OSV:GHSA-3295-H9QX-R82X...

CVSS 5, AI score 5.8, EPSS 0.00248
Exploits 1
Github Security Blog
added 2022/05/14 2:43 a.m., 43 views

Authentication Bypass Using an Alternate Path or Channel in SpringSource Spring Security and Acegi Security

VMware SpringSource Spring Security 2.x before 2.0.6 and 3.x before 3.0.4, and Acegi Security 1.0.0 through 1.0.7, as used in IBM WebSphere Application Server WAS 6.1 and 7.0, allows remote attackers to bypass security constraints via a path parameter...

CVSS 5, AI score 5.7, EPSS 0.00248
Exploits 1, References 4, Affected Software 2
IBM Security Bulletins
added 2022/05/13 2:58 p.m., 44 views

Security Bulletin: IBM Sterling B2B Integrator vulnerable to multiple vulnerabilities due to Spring Security

Summary Spring Security is used by IBM Sterling B2B Integrator. Multiple Spring Security vulnerabilities have been addressed. Vulnerability Details CVEID: CVE-2019-3795 DESCRIPTION: Pivotal Spring Security could provide weaker than expected security, caused by an insecure randomness flaw when usi...

CVSS 7.5, AI score 1.2, EPSS 0.00548
Exploits 0, Affected Software 1
OSV
added 2022/05/13 1:02 a.m., 22 views

GHSA-VHRG-V3CV-P247 Deserialization of Untrusted Data in Spring Security

An issue was discovered in Pivotal Spring Security 4.2.0.RELEASE through 4.2.2.RELEASE, and Spring Security 5.0.0.M1. When configured to enable default typing, Jackson contained a deserialization vulnerability that could lead to arbitrary code execution. Jackson fixed this vulnerability by...

CVSS 8.1, AI score 8.3, EPSS 0.00826
Exploits 1, References 9
Github Security Blog
added 2022/05/13 1:02 a.m., 35 views

Deserialization of Untrusted Data in Spring Security

An issue was discovered in Pivotal Spring Security 4.2.0.RELEASE through 4.2.2.RELEASE, and Spring Security 5.0.0.M1. When configured to enable default typing, Jackson contained a deserialization vulnerability that could lead to arbitrary code execution. Jackson fixed this vulnerability by...

CVSS 8.1, AI score 8.5, EPSS 0.00826
Exploits 1, References 10, Affected Software 1
vulnersOsv
added 2022/05/13 1:02 a.m., 3 views

am.ik.home:uaa-client (>=1.3.0 <=1.9.0), am.ik.home:uaa-integration-test (>=1.3.0 <=1.9.0) +1072 more potentially affected by CVE-2017-4995 via org.springframework.security:spring-security-core (>=4.2.0.RELEASE <=4.2.2.RELEASE)

org.springframework.security:spring-security-core MAVEN version =4.2.0.RELEASE, =1.3.0, =1.3.0, =1.3.0, =1.1.1, =0.2.0, =1.0.3, =3.0.3, =3.0.3, =3.0.3, =3.0.5, =A.1.1.1, =A.2.0.0, =A.1.1.1, =A.2.0.0, =A.2.0.0.RC1 and more Source cves: CVE-2017-4995 Source advisory: OSV:GHSA-VHRG-V3CV-P247...

CVSS 8.1, AI score 7.2, EPSS 0.00826
Exploits 1
vulnersOsv
added 2022/05/13 1:01 a.m., 5 views

com.aerse:gcless (=11.2), com.aerse:spring-security-taglib (=1.1) +344 more potentially affected by CVE-2014-0097 via org.springframework.security:spring-security-core (>=3.2.0.RELEASE <=3.2.1.RELEASE)

org.springframework.security:spring-security-core MAVEN version =3.2.0.RELEASE, =3.3.2, =1.0.6, =1.0.1, =0.0.1, =1.0.0, =1.0.0, =1.8.2, =1.8.3 and more Source cves: CVE-2014-0097 Source advisory: OSV:GHSA-GV9V-C375-HVMG...

CVSS 7.5, AI score 7.1, EPSS 0.00234
Exploits 0
vulnersOsv
added 2022/05/13 1:01 a.m., 3 views

be.dnsbelgium:rdap-server (>=0.3.3 <=1.0.3), com.arsframework:ars-module-cms (>=1.0.0 <=1.1.4) +379 more potentially affected by CVE-2014-0097 via org.springframework.security:spring-security-core (>=3.1.0.RELEASE <=3.1.4.RELEASE)

org.springframework.security:spring-security-core MAVEN version =3.1.0.RELEASE, =0.3.3, =1.0.0, =1.0.0, =1.0.0, =1.2.1, =1.2.1, =1.3.6, =1.0.0-alpha2, =1.5, =1.0.0, =3.0.4, =3.0.5 - com.github.ptomli.bedrock:bedrock-core =1.0.0 - com.github.yongjacky:jee.borneo.miri =1.1.6 -...

CVSS 7.5, AI score 7.1, EPSS 0.00234
Exploits 0