PT-2024-19292 · Spring · Spring Authorization Server
Name of the Vulnerable Software and Affected Versions: Spring Authorization Server versions 1.0.0 through 1.0.5; Spring Authorization Server versions 1.1.0 through 1.1.5; Spring Authorization Server versions 1.2.0 through 1.2.2; Spring Authorization Server older unsupported versions. Description: The...
This Week in Spring - March 19th, 2024
Hi, Spring fans! And happy Java 22 release day to those who celebrate! I just put out a huge blog detailing many of the exciting new features in Java 22. Check it out! As usual, we've got a packed roundup to get through this week so let's dive right into it! the Spring Authorization Server 1.3.0-...
Token Exchange support in Spring Security 6.3.0-M3
I'm excited to share that there will be support for the OAuth 2.0 Token Exchange Grant (RFC 8693) in Spring Security 6.3, which is available for preview now in the latest milestone (6.3.0-M3). This support provides the ability to use Token Exchange with OAuth2 Client. Similarly, server-side suppo...
CVE-2024-22257
A broken access control flaw was found in Spring Security. Applications may be vulnerable when directly using AuthenticatedVoter#vote and passing a NULL authentication parameter. Mitigation: Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to...
cn.sparrowmini:sparrow-org-service (=0.0.1), cn.sparrowmini:sparrow-pem-service (=0.0.1) +435 more potentially affected by CVE-2024-22257 via org.springframework.security:spring-security-core (>=5.8.0 <=5.8.10)
org.springframework.security:spring-security-core MAVEN version =5.8.0, =1.48.0, =1.48.0, =1.48.0, =2.4.0, =2.4.0, =2.4.0, =3.7.0, =3.7.0, =3.7.0, =3.7.0, =1.3.1, =1.3.2 - com.gitlab.summer-cattle:cattle-addons-wechat-starter =0.0.5 - com.gitlab.summer-cattle:cattle-commons-web-mvc =0.0.6 and mor...
africa.absa:inception-api (>=1.0.0 <=1.2.0), africa.absa:inception-codes-api (>=1.0.0 <=1.2.0) +9246 more potentially affected by CVE-2024-22257 via org.springframework.security:spring-security-core (>=2.0.0 <=5.7.11)
org.springframework.security:spring-security-core MAVEN version =2.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =4.4.0.0, =0.1.8, =0.1.6, =0.1.7 and more Source cves: CVE-2024-22257 Source advisory: OSV:GHSA-F3JH-QVM4-MG39...
Erroneous authentication pass in Spring Security
In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, versions 6.2.x prior to 6.2.3, an application is possibly vulnerable to broken access control when it directly uses AuthenticatedVoter#vote, passing a null...
app.valuationcontrol:library (>=0.5.2 <=0.5.6), app.valuationcontrol:webservice (>=0.5.0 <=0.5.1) +1433 more potentially affected by CVE-2024-22257 via org.springframework.security:spring-security-core (>=6.2.0 <=6.2.2)
org.springframework.security:spring-security-core MAVEN version =6.2.0, =0.5.2, =0.5.0, =7.0.0, =1.0.0, =v1.0.26, =1.0.18, =1.0.2, =1.0.2, =1.0.11, =3.2.0.0, =3.2.0.0, =3.2.0.0, =3.2.0.0, =3.2.2.2 and more Source cves: CVE-2024-22257 Source advisory: OSV:GHSA-F3JH-QVM4-MG39...
be.jidoka:jdk-keycloak-admin (>=2.0.0 <=2.2.0), be.personify.iam:personify-frontend (>=1.5.1.RELEASE <=1.5.2.RELEASE) +1605 more potentially affected by CVE-2024-22257 via org.springframework.security:spring-security-core (>=6.0.0 <=6.1.7)
org.springframework.security:spring-security-core MAVEN version =6.0.0, =2.0.0, =1.5.1.RELEASE, =1.1.0, =1.1.0, =1.1.4.2, =1.1.5 - cc.vihackerframework:vihacker-auth-starter =1.0.8.R - cc.vihackerframework:vihacker-common-starter =1.0.8.R - cc.vihackerframework:vihacker-log-starter =1.0.8.R -...
GHSA-F3JH-QVM4-MG39 Erroneous authentication pass in Spring Security
In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, versions 6.2.x prior to 6.2.3, an application is possibly vulnerable to broken access control when it directly uses AuthenticatedVoter#vote, passing a null...
CVE-2024-22257
In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, versions 6.2.x prior to 6.2.3, an application is possibly vulnerable to broken access control when it directly uses AuthenticatedVoter#vote, passing a null...
CVE-2024-22257
CVE-2024-22257 refers to a broken access control flaw in Spring Security, where an application is vulnerable if it directly uses AuthenticatedVoter#vote with a null Authentication. The entry lists affected versions: 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, 6.0.x prior to 6.0.9, 6.1.x prior to 6.1.8, ...
VMware Spring Boot < 2.7.20.1, 3.0.x < 3.0.15.1, 3.1.x < 3.1.10, 3.2.x < 3.2.4 SSRF Vulnerability - Windows
VMware Spring Boot is prone to a server-side request forgery (SSRF) in the used Spring Framework. SPDX-FileCopyrightText: 2024 Greenbone AG. Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only...
VMware Spring Security Security Vulnerability
VMware Spring Security is a suite of security frameworks from VMware that provide illustrative security for Spring-based applications. A security vulnerability exists in VMware Spring Security versions 6.2.0 through 6.2.2, 6.1.0 through 6.1.7, 6.0.0 through 6.0.9, 5.8.0 through 5.8.10, and 5.7.0...
VMware Spring Boot < 2.7.20.1, 3.0.x < 3.0.15.1, 3.1.x < 3.1.10, 3.2.x < 3.2.4 SSRF Vulnerability - Linux
VMware Spring Boot is prone to a server-side request forgery (SSRF) in the used Spring Framework. SPDX-FileCopyrightText: 2024 Greenbone AG. Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only...
The vulnerability of the UriComponentsBuilder component in the Spring Framework’s URL analysis mechanism allows attackers to perform SSRF attacks.
The vulnerability of the UriComponentsBuilder component in the Spring Framework’s URL analysis module exists due to insufficient validation of data entered by users. Exploiting this vulnerability could allow a malicious actor to perform an SSRF attack remotely...
CVE-2024-22259
A vulnerability was found in Spring Framework. Affected versions of this package are vulnerable to an Open Redirect when using UriComponentsBuilder to parse an externally provided URL and perform validation checks on the host of the parsed URL...
Spring Framework URL Parsing with Host Validation Vulnerability
Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF...