14 matches found

EUVD
added 2025/10/03 8:07 p.m. | 1 view

EUVD-2025-6744

Malicious code in bioql PyPI...

CVSS 7.4 | AI score 8.1 | EPSS 0.00065
Exploits 0 | References 4
Tenable Nessus
added 2025/08/04 12:00 a.m. | 1 view

Atlassian Jira Service Management Data Center and Server 5.12.x < 5.12.24 / 10.3.x < 10.3.7 / 10.4.x < 10.7.1 (JSDSERVER-16310)

The version of Atlassian Jira Service Management Data Center and Server Jira Service Desk running on the remote host is affected by a vulnerability as referenced in the JSDSERVER-16310 advisory. - BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger...

CVSS 7.4 | AI score 7.9 | EPSS 0.00065
Exploits 0 | References 2
RedHat Linux
added 2025/07/01 2:56 p.m. | 2 views

spring-security-core: Spring Security BCryptPasswordEncoder does not enforce maximum password length

A flaw was found in the spring-security-core password encoder. This vulnerability allows incorrect password matching via input manipulation...

CVSS 7.4 | AI score 7.1 | EPSS 0.00065
Exploits 0 | References 5
IBM Security Bulletins
added 2025/06/13 10:20 a.m. | 11 views

Security Bulletin: Vulnerabilities in old Spring Framework versions affect watsonx.data

Summary In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of...

CVSS 7.4 | AI score 7.4 | EPSS 0.00065
Exploits 0 | Affected Software 1
Positive Technologies
added 2025/04/22 12:00 a.m. | 2 views

PT-2025-17727

Name of the Vulnerable Software and Affected Versions Spring Security affected versions not specified Description The issue introduces a username enumeration vector. It affects the BCryptPasswordEncoder's maximum password length, which breaks timing attack mitigation. Recommendations At the momen...

CVSS 5.3 | AI score 5.3 | EPSS 0.00022
Exploits 0 | References 16
IBM Security Bulletins
added 2025/03/28 8:22 p.m. | 12 views

Security Bulletin: IBM Maximo Application Suite Ai-Broker Component vulnerable to BCryptPasswordEncoder will incorrectly return true for passwords larger than 72 characters.

Summary Security Bulletin: IBM Maximo Application Suite Ai-Broker Component vulnerable to BCryptPasswordEncoder will incorrectly return true for passwords larger than 72 characters. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details...

CVSS 7.4 | AI score 6.6 | EPSS 0.00065
Exploits 0 | Affected Software 1
Tenable Nessus
added 2025/03/28 12:00 a.m. | 21 views

Spring Security 5.7 < 5.7.16 / 5.8 < 5.8.18 / 6.0 < 6.0.16 / 6.1 < 6.1.14 / 6.2 < 6.2.10 / 6.3 < 6.3.8 / 6.4 < 6.4.4 Authentication Bypass (CVE-2025-22228)

The remote host contains a Spring Security version that is 5.7 prior to 5.7.16, 5.8 prior to 5.8.18, 6.0 prior to 6.0.16, 6.1 prior to 6.1.14, 6.2 prior to 6.2.10, or 6.3 prior to 6.3.8, 6.4 prior to 6.4.4. It may, therefore, be affected by an authentication bypass vulnerability...

CVSS 7.4 | AI score 7.9 | EPSS 0.00065
Exploits 0 | References 2
Github Security Blog
added 2025/03/20 6:31 a.m. | 12 views

Spring Security Does Not Enforce Password Length

BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same...

CVSS 7.4 | AI score 6.9 | EPSS 0.00065
Exploits 0 | References 5 | Affected Software 1
NVD
added 2025/03/20 6:15 a.m. | 96 views

CVE-2025-22228

BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same...

CVSS 7.4 | EPSS 0.00065
Exploits 0 | References 2
Cvelist
added 2025/03/20 5:49 a.m. | 14 views

CVE-2025-22228 CVE-2025-22228: Spring Security BCryptPasswordEncoder does not enforce maximum password length

BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same...

CVSS 7.4 | EPSS 0.00065
Exploits 0 | References 1
Vulnrichment
added 2025/03/20 5:49 a.m. | 9 views

CVE-2025-22228 CVE-2025-22228: Spring Security BCryptPasswordEncoder does not enforce maximum password length

BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same...

CVSS 7.4 | AI score 7.5 | EPSS 0.00065
Exploits 0 | References 1
CVE
added 2025/03/20 5:49 a.m. | 604 views

CVE-2025-22228

CVE-2025-22228 is reported in IBM Netcool Operations Insight. The issue arises from BCryptPasswordEncoder.matches(CharSequence,String) returning true for passwords longer than 72 characters if the first 72 characters are identical, enabling an authentication bypass under certain inputs. Affected ...

CVSS 7.4 | AI score 7.5 | EPSS 0.00065
Exploits 0 | References 2
Positive Technologies
added 2025/03/20 12:00 a.m. | 1 view

PT-2025-12012

Name of the Vulnerable Software and Affected Versions BCryptPasswordEncoder affected versions not specified Description The issue concerns the BCryptPasswordEncoder, where the matches(CharSequence, String) function will incorrectly return true for passwords larger than 72 characters, as long as the...

CVSS 7.4 | AI score 7.8 | EPSS 0.00065
Exploits 0 | References 22
Veracode
added 2020/05/15 1:01 a.m. | 21 views

Information Disclosure

spring-security-core is vulnerable to Information Disclosure. The vulnerability exists as it uses a fixed null initialization vector with CBC Mode for the queryable text encryptor rather than handling the null value passed to the function BCryptPasswordEncoder.encode, thereby allowing a user with...

CVSS 6.5 | AI score 1.8 | EPSS 0.00411
Exploits 0 | References 5 | Affected Software 2