23 matches found
Authorization Bypass
spring-security-config is vulnerable to Authorization Bypass. The vulnerability is due to incorrect handling of the servlet-path attribute in , where the servlet path is not included when computing the path matcher, causing defined authorization rules to be skipped and allowing unauthorized acces...
be.appify.prefab:prefab-security (>=0.2.0 <=0.7.5), ch.admin.bit.jeap:jeap-audit-command-builder (>=7.0.0-alpha-springboot4 <=7.1.0-alpha-springboot4) +822 more potentially affected by CVE-2026-22753 via org.springframework.security:spring-security-config (>=7.0.0-M1 <=7.0.4)
org.springframework.security:spring-security-config MAVEN version =7.0.0-M1, =0.2.0, =7.0.0-alpha-springboot4, =2.0.0-alpha-springboot4, =5.0.0-alpha-springboot4, =9.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4,...
be.appify.prefab:prefab-security (>=0.2.0 <=0.7.5), ch.admin.bit.jeap:jeap-audit-command-builder (>=7.0.0-alpha-springboot4 <=7.1.0-alpha-springboot4) +822 more potentially affected by CVE-2026-22754 via org.springframework.security:spring-security-config (>=7.0.0-M1 <=7.0.4)
org.springframework.security:spring-security-config MAVEN version =7.0.0-M1, =0.2.0, =7.0.0-alpha-springboot4, =2.0.0-alpha-springboot4, =5.0.0-alpha-springboot4, =9.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4,...
Access Control Bypass
Overview: org.springframework.security:spring-security-config is a security configuration package for Spring Framework. Affected versions of this package are vulnerable to Access Control Bypass in the XML authorization rules processing when the servlet-path attribute is used. An attacker can gain...
be.appify.prefab:prefab-security (>=0.2.0 <=0.7.5), ch.admin.bit.jeap:jeap-audit-command-builder (>=7.0.0-alpha-springboot4 <=7.1.0-alpha-springboot4) +818 more potentially affected by CVE-2026-22754 via org.springframework.security:spring-security-config (>=7.0.0 <=7.0.4)
org.springframework.security:spring-security-config MAVEN version =7.0.0, =0.2.0, =7.0.0-alpha-springboot4, =2.0.0-alpha-springboot4, =5.0.0-alpha-springboot4, =9.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4,...
be.appify.prefab:prefab-security (>=0.2.0 <=0.7.5), ch.admin.bit.jeap:jeap-audit-command-builder (>=7.0.0-alpha-springboot4 <=7.1.0-alpha-springboot4) +818 more potentially affected by CVE-2026-22753 via org.springframework.security:spring-security-config (>=7.0.0 <=7.0.4)
org.springframework.security:spring-security-config MAVEN version =7.0.0, =0.2.0, =7.0.0-alpha-springboot4, =2.0.0-alpha-springboot4, =5.0.0-alpha-springboot4, =9.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4, =22.0.0-alpha-springboot4,...
Security Bulletin: IBM Spectrum Symphony with spring-security-config is vulnerable to Incorrect Permission Assignment for Critical Resource
Summary: IBM Spectrum Symphony with spring-security-config is vulnerable to Incorrect Permission Assignment for Critical Resource. Vulnerability Details: CVEID: CVE-2023-34042. DESCRIPTION: VMware Tanzu Spring Security could allow a local authenticated attacker to bypass security restrictions, caused ...
Security Bulletin: IBM Spectrum Conductor with spring-security-config is vulnerable to Incorrect Permission Assignment for Critical Resource
Summary: IBM Spectrum Conductor with spring-security-config is vulnerable to Incorrect Permission Assignment for Critical Resource. Vulnerability Details: CVEID: CVE-2023-34042. DESCRIPTION: VMware Tanzu Spring Security could allow a local authenticated attacker to bypass security restrictions, caused...
cn.herodotus.engine:oauth2-sdk-authentication (>=3.1.1.0 <=3.1.4.3), cn.herodotus.engine:oauth2-sdk-authorization (>=3.1.1.0 <=3.1.4.3) +321 more potentially affected by CVE-2023-34042 via org.springframework.security:spring-security-config (>=6.1.1 <=6.1.3)
org.springframework.security:spring-security-config MAVEN version =6.1.1, =3.1.1.0, =3.1.1.0, =3.1.1.0, =3.1.1.0, =5.5.0, =5.5.0, =0.0.9, =0.0.12, =0.0.30, =0.0.42, =6.1.16, =6.1.16, =7.0.0, =7.1.8 and more Source cves: CVE-2023-34042 Source advisory: OSV:GHSA-9GP8-6CG8-7H34...
com.epam.reportportal:service-authorization (>=5.11.0 <=5.11.1), com.erudika:para-jar (=1.49.0) +51 more potentially affected by CVE-2023-34042 via org.springframework.security:spring-security-config (>=5.8.4 <=5.8.6)
org.springframework.security:spring-security-config MAVEN version =5.8.4, =5.11.0, =1.73.40, =1.73.40, =1.73.40, =1.73.40, =2.35.0, =2.14.0, =2.14.0, =11.3.6, =11.3.6, =11.3.6, =11.3.6, =11.4.2 and more Source cves: CVE-2023-34042 Source advisory: OSV:GHSA-9GP8-6CG8-7H34...
com.almis.awe:awe-annotation (>=4.7.1 <=4.7.7), com.almis.awe:awe-annotations-spring-boot-starter (>=4.7.1 <=4.7.7) +28 more potentially affected by CVE-2023-34042 via org.springframework.security:spring-security-config (>=6.0.4 <=6.0.6)
org.springframework.security:spring-security-config MAVEN version =6.0.4, =4.7.1, =4.7.1, =4.7.1, =4.7.1, =4.7.1, =4.7.1, =4.7.1, =4.7.1, =4.7.1, =4.7.1, =4.7.1, =4.7.1, =4.7.1, =4.7.1, =4.7.7 - com.giffing.wicket.spring.boot.starter:wicket-spring-boot-starter =4.0.0-M1 and more Source cves:...
Design/Logic Flaw
The spring-security.xsd file inside the spring-security-config jar is world writable which means that if it were extracted it could be written by anyone with access to the file system. While there are no known exploits, this is an example of “CWE-732: Incorrect Permission Assignment for Critical...
CVE-2023-34042
The spring-security.xsd file inside the spring-security-config jar is world writable which means that if it were extracted it could be written by anyone with access to the file system. While there are no known exploits, this is an example of “CWE-732: Incorrect Permission Assignment for Critical...
Improper Access Control
org.springframework.security:spring-security-config is vulnerable to Improper Access Control. The vulnerability exists due to lack of checks in multiple files, which allows an attacker to use as a pattern in the configurations for WebFlux, creating a mismatch in pattern matching, resulting in a...
Authorization Rule Misconfiguration
spring-security-config is vulnerable to Authorization Rule Misconfiguration. The vulnerability exists due to the lack of validation in the RequestMatcher of AbstractRequestMatcherRegistry.java when the application uses the requestMatchersString function with multiple servlets, one of them being...
cc.chensoul.nacos:nacos-distribution (=2.5.2), com.buession.security:buession-security-spring (>=3.0.0 <=3.0.1) +262 more potentially affected by CVE-2023-34034 via org.springframework.security:spring-security-config (>=5.8.0 <=5.8.4)
org.springframework.security:spring-security-config MAVEN version =5.8.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =5.12.0, =5.12.0, =1.48.0, =1.48.0, =1.48.0, =4.5.0, =4.5.0, =4.5.0, =6.5.0, =4.5.0, =4.5.1 and more Source cves: CVE-2023-34034 Source advisory: OSV:GHSA-3H6F-G5F3-GC4W...
cn.guomw.cloud:framework-cloud-starter-auth (=1.1.0.RELEASE), cn.herodotus.engine:oauth2-sdk-authorization (>=2.7.0.0 <=2.7.0.60) +259 more potentially affected by CVE-2023-34034 via org.springframework.security:spring-security-config (>=5.7.0 <=5.7.1)
org.springframework.security:spring-security-config MAVEN version =5.7.0, =2.7.0.0, =2.7.0.0, =2.7.0.0, =4.2.0, =4.2.0, =4.2.0, =4.2.0, =4.2.0, =4.2.0, =4.4.7 and more Source cves: CVE-2023-34034 Source advisory: OSV:GHSA-3H6F-G5F3-...
ai.aitia:arrowhead-application-library-java-spring (>=4.4.0.2 <=4.6.0.0), ai.ylyue:yue-library-auth-client (=j11.2.6.0) +828 more potentially affected by CVE-2023-34034 via org.springframework.security:spring-security-config (>=5.6.0 <=5.6.10)
org.springframework.security:spring-security-config MAVEN version =5.6.0, =4.4.0.2, =0.2.0, =2.1.0.M8, =2.7.0.Beta1, =2.7.0.Beta1, =2.7.0.Beta1, =2.7.0.Beta1, =0.0.1, =0.0.6 - com.atlassian.connect:atlassian-connect-spring-boot-api =2.2.7 - com.atlassian.connect:atlassian-connect-spring-boot-core...
br.com.nitertech:jwt (>=1.1.4.2 <=1.1.5), cn.herodotus.engine:oauth2-sdk-authentication (>=3.0.6.4 <=3.1.1.3) +314 more potentially affected by CVE-2023-34034 via org.springframework.security:spring-security-config (>=6.1.0 <=6.1.1)
org.springframework.security:spring-security-config MAVEN version =6.1.0, =1.1.4.2, =3.0.6.4, =3.0.6.4, =3.0.6.4, =3.0.6.4, =4.0.1, =4.0.1, =0.1.0, =6.1.11, =6.1.11, =7.0.0, =7.0.0, =6.1.11, =6.1.11, =6.2.0 and more Source cves: CVE-2023-34034 Source advisory: OSV:GHSA-3H6F-G5F3-GC4W...
cc.chensoul.nacos:nacos-distribution (=2.5.2), com.buession.security:buession-security-spring (>=3.0.0 <=3.0.1) +262 more potentially affected by CVE-2023-34035 via org.springframework.security:spring-security-config (>=5.8.0 <=5.8.4)
org.springframework.security:spring-security-config MAVEN version =5.8.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =5.12.0, =5.12.0, =1.48.0, =1.48.0, =1.48.0, =4.5.0, =4.5.0, =4.5.0, =6.5.0, =4.5.0, =4.5.1 and more Source cves: CVE-2023-34035 Source advisory: OSV:GHSA-4VPR-XFRP-CJ64...