15 matches found

OSV
added 2026/05/25 9:3 a.m., 0 views

ROOT-APP-MAVEN-CVE-2025-22228 CVE-2025-22228 in io.root.org.springframework.security:spring-security-crypto - Patched by Root

Root has patched CVE-2025-22228 in the io.root.org.springframework.security:spring-security-crypto package for Root:Maven. Multiple fixed versions available...

CVSS 7.4, AI score 7.5, EPSS 0.00065
Exploits: 0

IBM Security Bulletins
added 2025/08/01 4:1 p.m., 7 views

Security Bulletin: Vulnerability with spring-security-crypto and jinja affect IBM Cloud Object Storage Systems (July 2025)

Summary Vulnerability with spring-security-crypto CVE-2025-22228 and jinja CVE-2025-27516. This vulnerability has been addressed in the latest ClevOS release. Vulnerability Details CVEID: CVE-2025-22228 DESCRIPTION: BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for...

CVSS 8.8, AI score 7.6, EPSS 0.00121
Exploits: 0, Affected Software: 1

Snyk
added 2025/04/22 12:0 a.m., 4 views

Timing Attack

Overview org.springframework.security:spring-security-crypto is a spring-security-crypto library for Spring Security. Affected versions of this package are vulnerable to Timing Attack due to an unintentional bypass for DaoAuthenticationProvider constant time controls, which was caused by the fix...

CVSS 7.4, AI score 7.1, EPSS 0.00065
Exploits: 0, References: 2

vulnersOsv
added 2025/04/22 12:0 a.m., 2 views

be.personify.iam:personify-frontend (>=1.5.4.RELEASE <=1.5.7.RELEASE), ch.admin.bit.jeap:jeap-archrepo-instance (>=1.12.0 <=1.14.0) +1654 more potentially affected by CVE-2025-22228 +1 more via org.springframework.security:spring-security-crypto (=6.4.4)

org.springframework.security:spring-security-crypto MAVEN version =6.4.4 is affected by a known vulnerability. The following packages have a transitive dependency on org.springframework.security:spring-security-crypto and may be impacted: - be.personify.iam:personify-frontend =1.5.4.RELEASE,...

CVSS 7.4, AI score 7.3, EPSS 0.00065
Exploits: 0

vulnersOsv
added 2025/03/20 6:31 a.m., 1 views

app.valuationcontrol:library (>=0.5.8 <=0.5.9), at.aimon.ops:aimon-ops-api (>=0.0.1 <=0.0.2) +2784 more potentially affected by CVE-2025-22228 via org.springframework.security:spring-security-crypto (>=6.4.0 <=6.4.3)

org.springframework.security:spring-security-crypto MAVEN version =6.4.0, =0.5.8, =0.0.1, =0.0.1, =55.v51410e712e0c, =1.0.1, =1.0.2, =1.0.4, =1.0.2, =1.0.16, =1.0.2, =1.0.4, =2.3.0, =1.10.0, =1.10.0, =1.11.0 and more Source cves: CVE-2025-22228 Source advisory: OSV:GHSA-MG83-C7GQ-RV5C...

CVSS 7.4, AI score 7.3, EPSS 0.00065
Exploits: 0

vulnersOsv
added 2025/03/20 6:31 a.m., 2 views

africa.absa:inception-api (>=1.0.0 <=1.2.0), africa.absa:inception-codes-api (>=1.0.0 <=1.2.0) +9767 more potentially affected by CVE-2025-22228 via org.springframework.security:spring-security-crypto (>=3.1.0.RELEASE <=5.7.14)

org.springframework.security:spring-security-crypto MAVEN version =3.1.0.RELEASE, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =4.4.0.2, =0.5.0, =0.5.24 and more Source cves: CVE-2025-22228 Source advisory: OSV:GHSA-MG83-C7GQ-RV5C...

CVSS 7.4, AI score 7.3, EPSS 0.00065
Exploits: 0

vulnersOsv
added 2025/03/20 6:31 a.m., 4 views

cc.chensoul.nacos:nacos-distribution (=2.5.2), cn.sparrowmini:sparrow-org-service (=0.0.1) +618 more potentially affected by CVE-2025-22228 via org.springframework.security:spring-security-crypto (>=5.8.0 <=5.8.16)

org.springframework.security:spring-security-crypto MAVEN version =5.8.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.1 and more Source cves: CVE-2025-22228 Source advisory: OSV:GHSA-MG83-C7GQ-RV5Chttp...

CVSS 7.4, AI score 7.3, EPSS 0.00065
Exploits: 0

vulnersOsv
added 2025/03/20 6:31 a.m., 2 views

be.jidoka:jdk-keycloak-admin (=2.0.0), br.com.devires.framework.boot:devires-framework-boot-audit (=1.1.0) +1079 more potentially affected by CVE-2025-22228 via org.springframework.security:spring-security-crypto (>=6.0.0 <=6.0.1)

org.springframework.security:spring-security-crypto MAVEN version =6.0.0, =1.1.0, =1.1.0, =0.12.0, =0.12.0, =0.12.0, =0.13.0, =3.0.1.0, =3.0.1.0, =3.0.1.0, =3.0.1.0, =3.0.1.0, =3.0.1.0, =3.0.1.0, =3.0.2.3 and more Source cves: CVE-2025-22228 Source advisory:...

CVSS 7.4, AI score 7.3, EPSS 0.00065
Exploits: 0

vulnersOsv
added 2025/03/20 6:31 a.m., 2 views

be.mogo.iam:mogo-provisioning (=1.0.1.RELEASE), be.personify.iam:personify-frontend (>=1.5.1.RELEASE <=1.5.2.RELEASE) +947 more potentially affected by CVE-2025-22228 via org.springframework.security:spring-security-crypto (>=6.1.0 <=6.1.1)

org.springframework.security:spring-security-crypto MAVEN version =6.1.0, =1.5.1.RELEASE, =2.1.0.RELEASE, =1.1.4.2, =3.0.6.4, =3.0.6.4, =3.0.6.4, =3.0.6.4, =3.0.6.4, =3.0.6.4, =3.1.0.5, =3.0.6.4, =3.0.6.4, =3.0.6.4, =3.1.1.3 and more Source cves: CVE-2025-22228 Source advisory:...

CVSS 7.4, AI score 7.3, EPSS 0.00065
Exploits: 0

vulnersOsv
added 2025/03/20 6:31 a.m., 1 views

app.boboc:spring-cloud-github (=0.0.1), app.valuationcontrol:library (>=0.5.2 <=0.5.5) +1773 more potentially affected by CVE-2025-22228 via org.springframework.security:spring-security-crypto (>=6.2.0 <=6.2.1)

org.springframework.security:spring-security-crypto MAVEN version =6.2.0, =0.5.2, =0.5.0, =7.0.0, =1.0.2, =1.0.18, =1.0.2, =1.0.2, =v1.0.26, =1.0.0, =1.0, =1.1 and more Source cves: CVE-2025-22228 Source advisory: OSV:GHSA-MG83-C7GQ-RV5C...

CVSS 7.4, AI score 7.3, EPSS 0.00065
Exploits: 0

vulnersOsv
added 2025/03/20 6:31 a.m., 3 views

ai.driftkit:driftkit-chat-assistant-framework (>=0.5.0 <=0.8.7), ai.driftkit:driftkit-clients-spring-ai-starter (>=0.6.0 <=0.8.7) +3194 more potentially affected by CVE-2025-22228 via org.springframework.security:spring-security-crypto (>=6.3.0 <=6.3.7)

org.springframework.security:spring-security-crypto MAVEN version =6.3.0, =0.5.0, =0.6.0, =0.5.0, =0.8.4, =0.8.4, =0.8.4, =0.8.4, =0.8.4, =0.8.4, =0.8.4, =0.8.4, =0.8.4, =0.8.4, =0.8.4, =cloud-0.1, =cloud-0.3 and more Source cves: CVE-2025-22228 Source advisory: OSV:GHSA-MG83-C7GQ-RV5C...

CVSS 7.4, AI score 7.3, EPSS 0.00065
Exploits: 0

vulnersOsv
added 2025/03/19 12:0 a.m., 2 views

app.valuationcontrol:library (>=0.5.8 <=0.5.9), at.aimon.ops:aimon-ops-api (>=0.0.1 <=0.0.2) +2784 more potentially affected by CVE-2025-22228 via org.springframework.security:spring-security-crypto (>=6.4.0 <=6.4.3)

org.springframework.security:spring-security-crypto MAVEN version =6.4.0, =0.5.8, =0.0.1, =0.0.1, =55.v51410e712e0c, =1.0.1, =1.0.2, =1.0.4, =1.0.2, =1.0.16, =1.0.2, =1.0.4, =2.3.0, =1.10.0, =1.10.0, =1.11.0 and more Source cves: CVE-2025-22228 Source advisory:...

CVSS 7.4, AI score 7.3, EPSS 0.00065
Exploits: 0

Snyk
added 2025/03/19 12:0 a.m., 2 views

Authentication Bypass by Primary Weakness

Overview org.springframework.security:spring-security-crypto is a spring-security-crypto library for Spring Security. Affected versions of this package are vulnerable to Authentication Bypass by Primary Weakness in the BCryptPasswordEncoder.matches function, which only takes the first 72 characte...

CVSS 9, AI score 7, EPSS 0.00065
Exploits: 0, References: 2

vulnersOsv
added 2025/03/19 12:0 a.m., 2 views

ai.ancf.lmos-router:lmos-router-llm-in-spring-cloud-gateway-demo (>=0.2.0 <=0.28.0), ai.ancf.lmos:lmos-router-llm-in-spring-cloud-gateway-demo (=0.1.0) +5606 more potentially affected by CVE-2025-22228 via org.springframework.security:spring-security-crypto (>=6.0.0 <=6.3.7)

org.springframework.security:spring-security-crypto MAVEN version =6.0.0, =0.2.0, =0.5.0, =0.6.0, =0.5.0, =0.8.4, =0.8.4, =0.8.4, =0.8.4, =0.8.4, =0.8.4, =0.8.4, =0.8.4, =0.8.4, =0.8.4, =0.8.7 and more Source cves: CVE-2025-22228 Source advisory:...

CVSS 7.4, AI score 7.3, EPSS 0.00065
Exploits: 0

Veracode
added 2022/05/20 4:1 a.m., 37 views

Integer Overflow

org.springframework.security:spring-security-crypto is vulnerable to integer overflows. The encoder does not perform any salt rounds when the BCrypt class is used with the maximum work factor (31), allowing a local authenticated attacker to cause an integer overflow error resulting in the attacker...

CVSS 5.3, AI score 7.1, EPSS 0.0036
Exploits: 0, References: 5, Affected Software: 2