4 matches found
Spring Security has a broken timing attack mitigation implemented in DaoAuthenticationProvide
The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations...
com.almis.awe:awe-annotation (>=4.10.11 <=4.11.2), com.almis.awe:awe-annotations-spring-boot-starter (>=4.10.11 <=4.11.2) +152 more potentially affected by CVE-2025-22228 +1 more via org.springframework.security:spring-security-crypto (=6.3.8)
org.springframework.security:spring-security-crypto MAVEN version =6.3.8 is affected by a known vulnerability. The following packages have a transitive dependency on org.springframework.security:spring-security-crypto and may be impacted: - com.almis.awe:awe-annotation =4.10.11, =4.10.11, =4.10.1...
app.valuationcontrol:library (>=0.5.8 <=0.5.9), at.aimon.ops:aimon-ops-api (>=0.0.1 <=0.0.2) +2791 more potentially affected by CVE-2025-22228 via org.springframework.security:spring-security-crypto (>=6.4.0 <=6.4.3)
org.springframework.security:spring-security-crypto MAVEN version =6.4.0, =0.5.8, =0.0.1, =0.0.1, =55.v51410e712e0c, =1.0.1, =1.0.2, =1.0.4, =1.0.2, =1.0.16, =1.0.2, =1.0.4, =2.3.0, =1.10.0, =1.10.0, =1.11.0 and more Source cves: CVE-2025-22228 Source advisory: OSV:GHSA-MG83-C7GQ-RV5C...
be.jidoka:jdk-keycloak-admin (=2.0.0), br.com.devires.framework.boot:devires-framework-boot-audit (=1.1.0) +1079 more potentially affected by CVE-2025-22228 via org.springframework.security:spring-security-crypto (>=6.0.0 <=6.0.1)
org.springframework.security:spring-security-crypto MAVEN version =6.0.0, =1.1.0, =1.1.0, =0.12.0, =0.12.0, =0.12.0, =0.13.0, =3.0.1.0, =3.0.1.0, =3.0.1.0, =3.0.1.0, =3.0.1.0, =3.0.1.0, =3.0.1.0, =3.0.2.3 and more Source cves: CVE-2025-22228 Source advisory:...