1124 matches found

OSV
added 2020/05/13 5:15 p.m. | 11 views

CVE-2020-5407

Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 contain a signature wrapping vulnerability during SAML response validation. When using the spring-security-saml2-service-provider component, a malicious user can carefully modify an otherwise valid SAML response and append an...

CVSS 8.8 | AI score 6.7 | EPSS 0.00665
Exploits 0 | References 7
Prion
added 2020/05/13 5:15 p.m. | 12 views

Code injection

Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 contain a signature wrapping vulnerability during SAML response validation. When using the spring-security-saml2-service-provider component, a malicious user can carefully modify an otherwise valid SAML response and append an...

CVSS 6.5 | AI score 8.9 | EPSS 0.00665
Exploits 0 | References 7 | Affected Software 1
UbuntuCve
added 2020/05/13 5:15 p.m. | 18 views

CVE-2020-5407

Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 contain a signature wrapping vulnerability during SAML response validation. When using the spring-security-saml2-service-provider component, a malicious user can carefully modify an otherwise valid SAML response and append an...

CVSS 8.8 | AI score 7.3 | EPSS 0.00665
Exploits 0 | References 5
Cvelist
added 2020/05/13 5:00 p.m. | 14 views

CVE-2020-5407 Signature Wrapping Vulnerability with spring-security-saml2-service-provider

Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 contain a signature wrapping vulnerability during SAML response validation. When using the spring-security-saml2-service-provider component, a malicious user can carefully modify an otherwise valid SAML response and append an...

AI score 8.9 | EPSS 0.00665
Exploits 0 | References 7
CVE
added 2020/05/13 5:00 p.m. | 80 views

CVE-2020-5407

CVE-2020-5407 describes a signature-wrapping vulnerability in Spring Security (affecting the spring-security-saml2-service-provider path) where an attacker can modify a valid SAML response to inject an arbitrary assertion. Affected are Spring Security 5.2.x before 5.2.4 and 5.3.x before 5.3.2. Ex...

CVSS 8.8 | AI score 8.5 | EPSS 0.00665
Exploits 0 | References 7 | Affected Software 1
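The five entries above describe one flaw class: a service provider that verifies an XML signature and then consumes a different Assertion than the one the signature covers. As an added example (not part of this page, and not Spring Security's own code), the Python model below shows that element-selection step. A weak service provider confirms that a signature exists somewhere in the response and then trusts the first Assertion in document order; a hardened one requires exactly one Assertion whose enveloped Signature references that Assertion's own ID. Cryptographic verification of ds:SignatureValue (done by an XML-DSig library in a real SP) is assumed to have already passed, which is exactly the case in a wrapping attack because the genuine signed element is left untouched. The SAML messages, IDs, issuer and subject names are constructed for the demonstration.

```python
"""Element selection in a SAML service provider, the step that XML Signature
Wrapping (XSW) abuses. Added illustration, not Spring Security code: a real SP
verifies ds:SignatureValue with an XML-DSig library first; this model covers
only what happens after that check succeeds."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ASSERTION = "{%s}Assertion" % NS["saml"]
SIGNATURE = "{%s}Signature" % NS["ds"]


class SamlError(Exception):
    """Raised when the response must not be accepted."""


def _subject(assertion):
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)


def select_assertion_vulnerable(response_xml):
    """Weak SP logic: check that *a* signature is present, then consume the
    first Assertion in document order. The signature may be perfectly valid;
    it just covers a different element than the one being trusted."""
    root = ET.fromstring(response_xml)
    if root.find(".//" + SIGNATURE) is None:
        raise SamlError("response carries no signature")
    first = next(root.iter(ASSERTION), None)
    if first is None:
        raise SamlError("response carries no assertion")
    return first.get("ID"), _subject(first)


def select_assertion_hardened(response_xml):
    """Bind trust to the signed element: exactly one Assertion, carrying an
    enveloped Signature whose only Reference points at that Assertion's ID."""
    root = ET.fromstring(response_xml)
    assertions = list(root.iter(ASSERTION))
    if len(assertions) != 1:
        raise SamlError("expected exactly one Assertion, found %d" % len(assertions))
    assertion = assertions[0]
    sig = assertion.find("ds:Signature", NS)  # direct child only, not a descendant
    if sig is None:
        raise SamlError("assertion is not enveloped-signed")
    uris = {r.get("URI") for r in sig.findall("ds:SignedInfo/ds:Reference", NS)}
    if uris != {"#" + (assertion.get("ID") or "")}:
        raise SamlError("signature references %s, not this assertion" % sorted(uris))
    return assertion.get("ID"), _subject(assertion)


def rejects(selector, response_xml):
    """True if the selector refuses the response."""
    try:
        selector(response_xml)
    except SamlError:
        return True
    return False


def wrap(body):
    """Constructed samlp:Response envelope around the given assertion XML."""
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" ID="_resp">'
            '%s</samlp:Response>' % (NS["samlp"], NS["saml"], NS["ds"], body)).encode()


# Constructed sample: the IdP signed assertion _good for alice.
SIGNED_GOOD = """
  <saml:Assertion ID="_good">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#_good"/></ds:SignedInfo>
      <ds:SignatureValue>c2lnbmVkLWJ5LWlkcA==</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>"""

# Constructed wrapping variant: an unsigned forged assertion is placed first and
# the signed assertion is kept intact so the signature still verifies.
FORGED = """
  <saml:Assertion ID="_evil">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject>
  </saml:Assertion>"""

BENIGN_RESPONSE = wrap(SIGNED_GOOD)
WRAPPED_RESPONSE = wrap(FORGED + SIGNED_GOOD)

if __name__ == "__main__":
    print("benign, hardened  :", select_assertion_hardened(BENIGN_RESPONSE))
    print("wrapped, weak     :", select_assertion_vulnerable(WRAPPED_RESPONSE))
    print("wrapped, hardened rejects:", rejects(select_assertion_hardened, WRAPPED_RESPONSE))
```

The hardened selector deliberately refuses any response with more than one Assertion rather than trying to pick the right one; the referenced-ID check then closes the remaining gap where a single forged assertion sits next to a signature that covers some other element.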
Veracode
added 2020/03/30 6:01 a.m. | 9 views

Cross-Site Request Forgery (CSRF)

spring-security-web is vulnerable to cross-site request forgery (CSRF). A remote attacker is able to submit requests to the SwitchUserFilter on behalf of the authenticated user by tricking the user into visiting a malicious web page. This vulnerability exists as the application accepts all HTTP...

AI score 1.1
Exploits 0
RedHat Linux
added 2020/03/26 3:46 p.m. | 1 view

spring-security-core: mishandling of user passwords allows logging in with a password of NULL

A flaw was found in Spring Security in several versions, in the use of plain text passwords using the PlaintextPasswordEncoder. If an application is using an affected version of Spring Security with the PlaintextPasswordEncoder and a user has a null encoded password, an attacker can use this flaw...

CVSS 7.5 | AI score 5.8 | EPSS 0.00407
Exploits 0 | References 5
RedHat Linux
added 2020/03/26 3:46 p.m. | 120 views

Important: Red Hat Security Advisory: Red Hat Fuse 7.6.0 security update

A minor version update from 7.5 to 7.6 is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring...

CVSS 9.8 | AI score 7.8 | EPSS 0.70524
Exploits 8 | References 27
Tenable Nessus
added 2020/02/26 12:00 a.m. | 13 views

Spring Security OAuth Installed

Binary data pivotalsoftwarespringsecurityoauthinstalled.nbin...

AI score 7.3
Exploits 0 | References 1
Tenable Nessus
added 2020/02/26 12:00 a.m. | 14 views

Spring Security Installed

Binary data pivotalsoftwarespringsecurityinstalled.nbin...

AI score 7.3
Exploits 0 | References 1
Github Security Blog
added 2020/01/30 9:21 p.m. | 63 views

Hard-Coded Key Used For Remember-me Token in Opencast

Impact: The security configuration in etc/security/mh_default_org.xml enables a remember-me cookie based on a hash created from the username, password, and an additional system key. Opencast has hard-coded this system key in the large XML file and never mentions to change this, basically ensuring th...

CVSS 8.8 | AI score 0.6 | EPSS 0.00246
Exploits 0 | References 4 | Affected Software 1
RedhatCVE
added 2019/10/11 6:16 p.m. | 25 views

CVE-2019-11272

A flaw was found in Spring Security in several versions, in the use of plain text passwords using the PlaintextPasswordEncoder. If an application is using an affected version of Spring Security with the PlaintextPasswordEncoder and a user has a null encoded password, an attacker can use this flaw...

CVSS 7.5 | AI score 2.8 | EPSS 0.00407
Exploits 0 | References 3
RedHat Linux
added 2019/08/08 10:08 a.m. | 2 views

spring-security-oauth: Privilege escalation by manipulating saved authorization request

Spring Security OAuth, versions 2.3 prior to 2.3.4, and 2.2 prior to 2.2.3, and 2.1 prior to 2.1.3, and 2.0 prior to 2.0.16, and older unsupported versions could be susceptible to a privilege escalation under certain conditions. A malicious user or attacker can craft a request to the approval...

CVSS 9.6 | AI score 5.8 | EPSS 0.00326
Exploits 0 | References 5
RedHat Linux
added 2019/08/08 10:08 a.m. | 0 views

spring-security-core: Unauthorized Access with Spring Security Method Security

Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. A malicious user can gain unauthorized access to methods that should be restricted...

CVSS 8.8 | AI score 7.2 | EPSS 0.00265
Exploits 0 | References 4
RedHat Linux
added 2019/08/08 10:08 a.m. | 153 views

Important: Red Hat Security Advisory: Red Hat Fuse 7.4.0 security update

A minor version update from 7.3 to 7.4 is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring...

CVSS 9.8 | AI score 7.9 | EPSS 0.93545
Exploits 2 | References 11
Tenable Nessus
added 2019/07/11 12:00 a.m. | 29 views

Debian DLA-1848-1 : libspring-security-2.0-java security update

Spring Security supports plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user or attacker can authenticate using a password of 'null'. For...

CVSS 7.5 | AI score 6.3 | EPSS 0.00407
Exploits 0 | References 3
Debian
added 2019/07/09 6:25 a.m. | 136 views

[SECURITY] [DLA 1848-1] libspring-security-2.0-java security update

Package : libspring-security-2.0-java Version : 2.0.7.RELEASE-3+deb8u2 CVE ID : CVE-2019-11272 Spring Security supports plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null...

CVSS 7.5 | AI score 7.2 | EPSS 0.00407
Exploits 0
IBM Security Bulletins
added 2019/07/04 3:45 a.m. | 29 views

Security Bulletin: Remote code execution vulnerability (CVE-2019-11269) affects IBM Spectrum Symphony 7.2.1 and 7.2.0.2

Summary: A remote code execution vulnerability exists in the Spring Security OAuth version used by IBM Spectrum Symphony 7.2.1 and 7.2.0.2. Interim fixes that provide instructions on upgrading the Spring Security OAuth package to version 2.0.18 which resolves this vulnerability are available on IB...

CVSS 5.8 | AI score 2.2 | EPSS 0.06347
Exploits 4 | Affected Software 1
Github Security Blog
added 2019/06/27 5:24 p.m. | 35 views

Insufficiently Protected Credentials and Improper Authentication in Spring Security

Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user ...

CVSS 7.5 | AI score 2.8 | EPSS 0.00407
Exploits 0 | References 4 | Affected Software 2
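The CVE-2019-11272 entries above (Red Hat, Debian, Tenable, GitHub) all say the same thing: with PlaintextPasswordEncoder, an account whose stored encoded password is null can be logged into with the literal password 'null'. As an added example (not part of this page, and not Spring Security's own code), the Python model below assumes the cause implied by that description, Java's string coercion in which `"" + null` evaluates to the text "null", so a missing stored credential and a typed "null" compare equal. It sets that legacy comparison beside a checker that refuses a missing credential outright. The user store, account names and passwords are constructed; salt handling of the original encoder is omitted.

```python
"""CVE-2019-11272 mechanism modelled in Python. Added illustration, not Spring
Security code. Assumes Java's "" + null -> "null" coercion as the cause of the
null-password login described in the advisories above."""
import hmac


def java_concat(value):
    """Java's "" + ref yields the four characters "null" for a null reference."""
    return "null" if value is None else str(value)


def legacy_plaintext_is_valid(encoded_password, raw_password):
    """Models the vulnerable plaintext comparison: both sides are coerced to
    strings and compared, so a missing stored password and the typed word
    'null' become equal. (Salt handling of the original encoder omitted.)"""
    return java_concat(encoded_password) == java_concat(raw_password)


def hardened_is_valid(encoded_password, raw_password):
    """A missing stored credential matches nothing; otherwise compare in
    constant time. The real remedy is a hash-based encoder such as bcrypt;
    plaintext storage is kept here only to isolate the null bug."""
    if encoded_password is None or raw_password is None:
        return False
    return hmac.compare_digest(encoded_password.encode(), raw_password.encode())


# Constructed user store: one account whose password column was never set,
# e.g. a service account created for SSO or a half-finished migration.
USERS = {
    "alice": "s3cret-passphrase",
    "svc-backup": None,
}


def authenticate(username, raw_password, checker):
    """Look up the stored credential and let the chosen checker decide."""
    if username not in USERS:
        return False
    return checker(USERS[username], raw_password)


if __name__ == "__main__":
    for checker in (legacy_plaintext_is_valid, hardened_is_valid):
        print("%-26s svc-backup / 'null' -> %s"
              % (checker.__name__, authenticate("svc-backup", "null", checker)))
```

Beyond upgrading, the practical check on an affected deployment is whether any row in the credential store has a null or empty encoded password, since only those accounts are reachable through this path.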
vulnersOsv
added 2019/06/27 5:24 p.m. | 1 view

ai.foremast.metrics:foremast-spring-boot-1x-k8s-metrics-starter (>=0.1.6 <=0.1.7), ai.foremast.metrics:foremast-spring-boot-k8s-metrics-starter (>=0.1.4-SB1X <=0.1.4-SB1X_6) +2588 more potentially affected by CVE-2019-11272 via org.springframework.security:spring-security-core (>=2.0.0 <=4.2.12.RELEASE)

org.springframework.security:spring-security-core MAVEN version =2.0.0, =0.1.6, =0.1.4-SB1X, =1.0.0, =1.0.0, =1.0.0, =1.1.0.RELEASE, =1.1.1, =1.3.1-RELEASE, =0.3.3, =0.1, =1.0.0, =1.2.1, =2.0.0, =3.0.3, =3.0.6 and more. Source CVEs: CVE-2019-11272. Source advisory: OSV:GHSA-V33X-PRHC-GPH5...

CVSS 7.5 | AI score 6.7 | EPSS 0.00407
Exploits 0