Spring Security Pivotal Software Spring Security

Do you want an email whenever new security vulnerabilities are reported in Pivotal Software Spring Security?

By the Year

In 2022 there have been 0 vulnerabilities in Pivotal Software Spring Security . Last year Spring Security had 1 security vulnerability published. Right now, Spring Security is on track to have less security vulnerabilities in 2022 than it did last year.

Year Vulnerabilities Average Score
2022 0 0.00
2021 1 8.80
2020 2 7.65
2019 2 6.30
2018 2 7.05

It may take a day or so for new Spring Security vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Pivotal Software Spring Security Security Vulnerabilities

Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions

CVE-2021-22112 8.8 - High - February 23, 2021

Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request.A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.

Spring Security versions 5.3.x prior to 5.3.2

CVE-2020-5408 6.5 - Medium - May 14, 2020

Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.

Use of Insufficiently Random Values

Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 contain a signature wrapping vulnerability during SAML response validation

CVE-2020-5407 8.8 - High - May 13, 2020

Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 contain a signature wrapping vulnerability during SAML response validation. When using the spring-security-saml2-service-provider component, a malicious user can carefully modify an otherwise valid SAML response and append an arbitrary assertion that Spring Security will accept as valid.

Improper Verification of Cryptographic Signature

Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder

CVE-2019-11272 7.3 - High - June 26, 2019

Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".

Insufficiently Protected Credentials

Spring Security versions 4.2.x prior to 4.2.12

CVE-2019-3795 5.3 - Medium - April 09, 2019

Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.

Use of Insufficiently Random Values

Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security

CVE-2018-1258 8.8 - High - May 11, 2018

Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.

AuthZ

Spring Security (Spring Security 4.1.x before 4.1.5

CVE-2018-1199 5.3 - Medium - March 16, 2018

Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed.

Improper Input Validation

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for VMware Spring Security or by Pivotal Software? Click the Watch button to subscribe.

subscribe