Spring Security Security Vulnerabilities and Issues — Spring Security CVE List

Lucene search

VmwareSpring Security

8 matches found

CVE•added 2021/06/29 5:15 p.m.•134 views

CVE-2021-22119

Spring Security versions 5.5.x prior to 5.5.1, 5.4.x prior to 5.4.7, 5.3.x prior to 5.3.10 and 5.2.x prior to 5.2.11 are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client Web and WebFlux application. A malicious user or attacker c...

7.5CVSS7.4AI score0.05606EPSS

CVE•added 2017/05/25 5:29 p.m.•124 views

CVE-2016-5007

Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimm...

7.5CVSS7.4AI score0.00291EPSS

CVE•added 2019/06/26 2:15 p.m.•107 views

CVE-2019-11272

Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (o...

7.5CVSS7.2AI score0.00407EPSS

CVE•added 2024/02/20 7:15 a.m.•107 views

CVE-2024-22234

In Spring Security, versions 6.1.x prior to 6.1.7 and versions 6.2.x prior to 6.2.2, an application is vulnerable to broken access control when it directly uses the AuthenticationTrustResolver.isFullyAuthenticated(Authentication) method. Specifically, an application is vulnerable if: The applicatio...

7.4CVSS7.4AI score0.01635EPSS

CVE•added 2017/01/06 10:59 p.m.•83 views

CVE-2016-9879

An issue was discovered in Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1. Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded "/" to a request, an attacker may be able to bypas...

7.5CVSS7.3AI score0.00322EPSS

CVE•added 2017/05/25 5:29 p.m.•75 views

CVE-2014-0097

The ActiveDirectoryLdapAuthenticator in Spring Security 3.2.0 to 3.2.1 and 3.1.0 to 3.1.5 does not check the password length. If the directory allows anonymous binds then it may incorrectly authenticate a user who supplies an empty password.

7.5CVSS7AI score0.00316EPSS

CVE•added 2023/07/18 4:15 p.m.•74 views

CVE-2023-34035

Spring Security versions 5.8 prior to 5.8.5, 6.0 prior to 6.0.5, and 6.1 prior to 6.1.2 could be susceptible to authorization rule misconfiguration if the application uses requestMatchers(String) and multiple servlets, one of them being Spring MVC’s DispatcherServlet. (DispatcherServlet is a Spring...

7.3CVSS5.4AI score0.01541EPSS

CVE•added 2024/08/20 4:15 a.m.•54 views

CVE-2024-38810

Missing Authorization When Using @AuthorizeReturnObject in Spring Security 6.3.0 and 6.3.1 allows attacker to render security annotations inaffective.

7.5CVSS6.5AI score0.00286EPSS