# Vulnerable Library - spring-security-web-4.2.12.RELEASE.jar

spring-security-web

Library home page: https://spring.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/4.2.12.RELEASE/spring-security-web-4.2.12.RELEASE.jar

Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf

## Vulnerabilities

| Vulnerability | CVSS 3 | EPSS | Dependency | Type | Fixed in | Reachability |
|---|---|---|---|---|---|---|
| CVE-2022-22978 | 9.8 | 0.9% | spring-security-web-4.2.12.RELEASE.jar | Direct | 5.4.11 | Reachable |
| CVE-2021-22112 | 8.8 | 0.3% | spring-security-web-4.2.12.RELEASE.jar | Direct | 5.2.9.RELEASE | Reachable |
| CVE-2024-22257 | 8.2 | 0.0% | spring-security-core-4.2.1.RELEASE.jar | Transitive | 5.7.12 | Reachable |
| CVE-2019-11272 | 7.3 | 0.1% | spring-security-core-4.2.1.RELEASE.jar | Transitive | 4.2.13.RELEASE | Reachable |
| CVE-2020-5408 | 6.5 | 0.1% | spring-security-core-4.2.1.RELEASE.jar | Transitive | 4.2.16 | Reachable |
| WS-2017-3767 | 6.3 | | spring-security-web-4.2.12.RELEASE.jar | Direct | 4.2.15.RELEASE | Reachable |
| WS-2020-0293 | 5.9 | | spring-security-web-4.2.12.RELEASE.jar | Direct | 5.2.9.RELEASE | Reachable |
| WS-2016-7107 | 5.9 | | spring-security-web-4.2.12.RELEASE.jar | Direct | 5.2.14.RELEASE | Reachable |
| CVE-2017-4995 | 8.1 | 0.5% | spring-security-core-4.2.1.RELEASE.jar | Transitive | 5.0.0.M5 | Unreachable |
| CVE-2019-3795 | 5.3 | 0.3% | spring-security-core-4.2.1.RELEASE.jar | Transitive | 4.2.12 | Unreachable |
| CVE-2024-38821 | 9.1 | 0.0% | spring-security-web-4.2.12.RELEASE.jar | Direct | 5.7.13 | not reported |
| CVE-2024-38827 | 4.8 | | spring-security-core-4.2.1.RELEASE.jar, spring-security-web-4.2.12.RELEASE.jar | Transitive, Direct | 5.7.14 | not reported |

Exploit maturity is "Not Defined" for every entry. The table is ordered as the scanner listed it: reachable findings first, then unreachable ones, then the two entries for which no reachability analysis was produced.

*For some transitive vulnerabilities there is no version of the direct dependency with a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.

**In some cases a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.

## Details
### CVE-2022-22978
#### Vulnerable Library - spring-security-web-4.2.12.RELEASE.jar

spring-security-web
Library home page: https://spring.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/4.2.12.RELEASE/spring-security-web-4.2.12.RELEASE.jar
Dependency Hierarchy:
- :x: **spring-security-web-4.2.12.RELEASE.jar** (Vulnerable Library)
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
#### Reachability Analysis

This vulnerability is potentially reachable

```
org.joychou.security.WebSecurityConfig (Application)
-> ❌ org.springframework.security.web.util.matcher.RegexRequestMatcher (Vulnerable Component)
```

#### Vulnerability Details

In Spring Security versions prior to 5.4.11, 5.5.7 and 5.6.4, and in older unsupported versions, RegexRequestMatcher can easily be misconfigured so that it is bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
Publish Date: 2022-05-19
URL: CVE-2022-22978
#### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.9%

#### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

#### Suggested Fix

Type: Upgrade version
Origin: https://spring.io/security/cve-2022-22978/
Release Date: 2022-05-19
Fix Resolution: 5.4.11
In order to enable automatic remediation, please create workflow rules
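To show what the `.` misconfiguration means in practice, here is an added example (not code from this report or from Spring Security) that reproduces the matching step of RegexRequestMatcher with plain java.util.regex. RegexRequestMatcher applies the configured pattern to the request URI with `matcher(uri).matches()`; before the fix the pattern was compiled without `Pattern.DOTALL`, so `.` never matches a line terminator, and the fixed versions compile it with DOTALL. The rule string, the request URI and the assumption that the servlet container passes a decoded `%0a` through to the URI are constructed for the demonstration.

```java
import java.util.regex.Pattern;

/**
 * Added illustration of the CVE-2022-22978 matching behaviour (not Spring Security code).
 * The two helpers differ only in the DOTALL flag, which is the difference between the
 * vulnerable and the fixed RegexRequestMatcher.
 */
public final class RegexMatcherBypassDemo {

    /** Pre-fix behaviour: '.' does not match \n or \r, so a URI containing one is not matched. */
    static boolean matchesVulnerable(String regex, String uri) {
        return Pattern.compile(regex).matcher(uri).matches();
    }

    /** Post-fix behaviour: with DOTALL, '.' matches line terminators as well. */
    static boolean matchesFixed(String regex, String uri) {
        return Pattern.compile(regex, Pattern.DOTALL).matcher(uri).matches();
    }

    public static void main(String[] args) {
        // Constructed rule of the kind the advisory warns about: guard everything under /admin/.
        String rule = "/admin/.*";
        String normalUri = "/admin/users";
        // Constructed: what "/admin/%0ausers" becomes if the container decodes %0a into the URI.
        String lineFeedUri = "/admin/\nusers";

        System.out.println("vulnerable, clean URI     : " + matchesVulnerable(rule, normalUri));
        System.out.println("vulnerable, line-feed URI : " + matchesVulnerable(rule, lineFeedUri));
        System.out.println("fixed, line-feed URI      : " + matchesFixed(rule, lineFeedUri));
    }
}
```

Run it and the vulnerable matcher accepts the clean URI but rejects the line-feed one, so a rule meant to protect `/admin/` is silently skipped for that request and evaluation falls through to whatever rule comes next; the DOTALL variant matches both. Until the upgrade lands, prefer `antMatchers`/`mvcMatchers` for path rules, and keep a closing `anyRequest().authenticated()` (or `denyAll()`) so that a request slipping past a specific rule does not land on a permissive default.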
### CVE-2021-22112
#### Vulnerable Library - spring-security-web-4.2.12.RELEASE.jar

spring-security-web
Library home page: https://spring.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/4.2.12.RELEASE/spring-security-web-4.2.12.RELEASE.jar
Dependency Hierarchy:
- :x: **spring-security-web-4.2.12.RELEASE.jar** (Vulnerable Library)
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
#### Reachability Analysis

This vulnerability is potentially reachable

```
org.joychou.security.WebSecurityConfig (Application)
-> org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter (Extension)
-> org.springframework.security.config.annotation.web.configurers.SecurityContextConfigurer (Extension)
-> org.springframework.security.web.context.HttpSessionSecurityContextRepository (Extension)
-> ❌ org.springframework.security.web.context.HttpSessionSecurityContextRepository$SaveToSessionResponseWrapper (Vulnerable Component)
```

#### Vulnerability Details

Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request. A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.

The precondition is application code that replaces the SecurityContext more than once during one request, for example setting an elevated Authentication for a section of code and then restoring the original. To judge whether this finding matters beyond the reachability path above, check controllers and services for direct calls to `SecurityContextHolder.setContext(...)` or `SecurityContextHolder.getContext().setAuthentication(...)`.
Publish Date: 2021-02-23
URL: CVE-2021-22112
#### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.3%

#### CVSS 3 Score Details (8.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

#### Suggested Fix

Type: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2021-22112
Release Date: 2021-02-23
Fix Resolution: 5.2.9.RELEASE
In order to enable automatic remediation, please create workflow rules
### CVE-2024-22257
#### Vulnerable Library - spring-security-core-4.2.1.RELEASE.jar

spring-security-core
Library home page: http://spring.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-core/4.2.1.RELEASE/spring-security-core-4.2.1.RELEASE.jar
Dependency Hierarchy:
- spring-security-web-4.2.12.RELEASE.jar (Root Library)
  - :x: **spring-security-core-4.2.1.RELEASE.jar** (Vulnerable Library)
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
#### Reachability Analysis

This vulnerability is potentially reachable

```
org.joychou.security.WebSecurityConfig (Application)
-> org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration$1 (Extension)
-> org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration$1 (Extension)
-> org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration (Extension)
-> org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler (Extension)
-> org.springframework.security.access.expression.method.MethodSecurityExpressionRoot (Extension)
-> ❌ org.springframework.security.access.expression.SecurityExpressionRoot (Vulnerable Component)
```

#### Vulnerability Details

In Spring Security versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, 6.0.x prior to 6.0.9, 6.1.x prior to 6.1.8, and 6.2.x prior to 6.2.3, an application is possibly vulnerable to broken access control when it directly uses AuthenticatedVoter#vote, passing a null Authentication parameter.
Publish Date: 2024-03-18
URL: CVE-2024-22257
#### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

#### CVSS 3 Score Details (8.2)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: Low
  - Availability Impact: None

#### Suggested Fix

Type: Upgrade version
Origin: https://spring.io/security/cve-2024-22257
Release Date: 2024-03-18
Fix Resolution (org.springframework.security:spring-security-core): 5.7.12
Direct dependency fix Resolution (org.springframework.security:spring-security-web): 5.7.12
In order to enable automatic remediation, please create workflow rules
### CVE-2019-11272
#### Vulnerable Library - spring-security-core-4.2.1.RELEASE.jar

spring-security-core
Library home page: http://spring.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-core/4.2.1.RELEASE/spring-security-core-4.2.1.RELEASE.jar
Dependency Hierarchy:
- spring-security-web-4.2.12.RELEASE.jar (Root Library)
  - :x: **spring-security-core-4.2.1.RELEASE.jar** (Vulnerable Library)
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
#### Reachability Analysis

This vulnerability is potentially reachable

```
org.joychou.security.WebSecurityConfig (Application)
-> org.springframework.security.config.annotation.web.builders.HttpSecurity (Extension)
-> org.springframework.security.config.annotation.authentication.configurers.userdetails.DaoAuthenticationConfigurer (Extension)
-> org.springframework.security.authentication.dao.DaoAuthenticationProvider (Extension)
-> ❌ org.springframework.security.authentication.encoding.PlaintextPasswordEncoder (Vulnerable Component)
```

#### Vulnerability Details

Spring Security versions 4.2.x up to 4.2.12, and older unsupported versions, support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".
Publish Date: 2019-06-26
URL: CVE-2019-11272
#### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

#### CVSS 3 Score Details (7.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low

#### Suggested Fix

Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11272
Release Date: 2019-06-26
Fix Resolution: org.springframework.security:spring-security-core:4.2.13.RELEASE
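An added illustration (not code from this report or from Spring Security's sources) of the failure mode and of its replacement. The `legacyPlaintextValid` helper mirrors the comparison in the deprecated `org.springframework.security.authentication.encoding.PlaintextPasswordEncoder`, where the stored value is stringified with `"" + encPass` before comparison, so a null credential becomes the five characters `null`. The hardened version refuses a null or empty stored credential outright and delegates to `BCryptPasswordEncoder` from spring-security-crypto, which is present in 4.2.x. The account and the passwords are constructed for the demonstration.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Added example for CVE-2019-11272 (not Spring Security code): why a null stored
 * password lets "null" log in, and what the check should look like instead.
 */
public final class NullPasswordDemo {

    /** Mirrors the flawed comparison: "" + null yields the string "null", which then equals the input. */
    static boolean legacyPlaintextValid(String storedEncoded, String presented) {
        String stored = "" + storedEncoded;
        return stored.equals(presented);
    }

    /** Hardened check: an account without a stored credential can never authenticate. */
    static boolean hardenedValid(PasswordEncoder encoder, String storedEncoded, String presented) {
        if (storedEncoded == null || storedEncoded.isEmpty() || presented == null) {
            return false;
        }
        return encoder.matches(presented, storedEncoded);
    }

    public static void main(String[] args) {
        // Constructed: an account whose password column is NULL.
        String storedPassword = null;

        System.out.println("legacy, stored null, presented \"null\"   : "
                + legacyPlaintextValid(storedPassword, "null"));

        PasswordEncoder bcrypt = new BCryptPasswordEncoder();
        System.out.println("hardened, stored null, presented \"null\" : "
                + hardenedValid(bcrypt, storedPassword, "null"));

        String hash = bcrypt.encode("correct horse battery staple");   // constructed credential
        System.out.println("hardened, real hash, right password      : "
                + hardenedValid(bcrypt, hash, "correct horse battery staple"));
        System.out.println("hardened, real hash, wrong password      : "
                + hardenedValid(bcrypt, hash, "null"));
    }
}
```

The legacy check accepts `"null"` against a null stored value; the hardened one rejects it and only accepts the correct password against a real hash. In the application, the equivalent change is `auth.userDetailsService(...).passwordEncoder(new BCryptPasswordEncoder())` in the `AuthenticationManagerBuilder` configuration and a migration of any accounts whose stored password is null or empty.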
### CVE-2020-5408
#### Vulnerable Library - spring-security-core-4.2.1.RELEASE.jar

spring-security-core
Library home page: http://spring.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-core/4.2.1.RELEASE/spring-security-core-4.2.1.RELEASE.jar
Dependency Hierarchy:
- spring-security-web-4.2.12.RELEASE.jar (Root Library)
  - :x: **spring-security-core-4.2.1.RELEASE.jar** (Vulnerable Library)
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
#### Reachability Analysis

This vulnerability is potentially reachable

```
org.joychou.Application (Application)
-> org.springframework.boot.SpringApplication (Extension)
-> org.springframework.boot.BeanDefinitionLoader (Extension)
-> org.springframework.beans.factory.groovy.GroovyBeanDefinitionReader (Extension)
...
-> org.springframework.security.config.ldap.LdapProviderBeanDefinitionParser (Extension)
-> org.springframework.security.config.authentication.PasswordEncoderParser (Extension)
-> ❌ org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder (Vulnerable Component)
```

#### Vulnerability Details

Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.
Publish Date: 2020-05-14
URL: CVE-2020-5408
#### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

#### CVSS 3 Score Details (6.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None

#### Suggested Fix

Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5408
Release Date: 2020-05-14
Fix Resolution: org.springframework.security:spring-security-crypto:4.2.16,5.0.16,5.1.10,5.2.4,5.3.2,org.springframework.security:spring-security-core:4.2.16,5.0.16,5.1.10,5.2.4,5.3.2
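Added example (not code from this report or from Spring Security) showing why the fixed IV matters, using only javax.crypto. AES-CBC with an all-zero IV, which is what the queryable text encryptor used, maps equal plaintexts under one key to equal ciphertexts; anyone who can get values of their own choosing encrypted under that key (through the application itself, for instance) can therefore build a dictionary of ciphertexts and look stored ones up. A fresh random IV per call, carried in front of the ciphertext, removes that equality. The key, the dictionary and the stored value are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example for CVE-2020-5408 (not Spring Security code): deterministic CBC
 * (fixed zero IV) versus CBC with a random IV, and the dictionary attack the
 * former allows.
 */
public final class FixedIvDemo {
    private static final SecureRandom RNG = new SecureRandom();

    static byte[] encrypt(byte[] key, byte[] iv, String plaintext) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
        return cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
    }

    /** Queryable-style encryption: the IV is sixteen zero bytes, so equal inputs give equal outputs. */
    static byte[] encryptFixedIv(byte[] key, String plaintext) throws Exception {
        return encrypt(key, new byte[16], plaintext);
    }

    /** Random IV per call, prepended to the ciphertext so the key holder can still decrypt. */
    static byte[] encryptRandomIv(byte[] key, String plaintext) throws Exception {
        byte[] iv = new byte[16];
        RNG.nextBytes(iv);
        byte[] ct = encrypt(key, iv, plaintext);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    /**
     * The attacker does not hold the key; they only need the application to encrypt
     * candidate values for them and compare the result with the stored ciphertext.
     */
    static String dictionaryAttack(byte[] key, byte[] storedCiphertext, String[] candidates,
                                   boolean fixedIv) throws Exception {
        for (String guess : candidates) {
            byte[] ct = fixedIv ? encryptFixedIv(key, guess) : encryptRandomIv(key, guess);
            if (Arrays.equals(ct, storedCiphertext)) {
                return guess;
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[16];
        RNG.nextBytes(key);

        // Constructed: a small candidate list and a stored field whose value is in it.
        String[] dictionary = {"123456", "password", "letmein", "hunter2"};
        byte[] storedFixed = encryptFixedIv(key, "hunter2");
        byte[] storedRandom = encryptRandomIv(key, "hunter2");

        System.out.println("fixed IV, recovered : " + dictionaryAttack(key, storedFixed, dictionary, true));
        System.out.println("random IV, recovered: " + dictionaryAttack(key, storedRandom, dictionary, false));
    }
}
```

With the fixed IV the stored value is recovered from the dictionary; with a random IV no candidate ever matches. In Spring Security terms, `Encryptors.text(password, salt)` already generates a random 16-byte IV for every call and `Encryptors.stronger(password, salt)` uses AES-GCM, whereas `Encryptors.queryableText(...)` is the deterministic variant; a field that must remain searchable by equality is better served by a separate keyed index (an HMAC of the value) than by deterministic encryption of the value itself.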
### WS-2017-3767
#### Vulnerable Library - spring-security-web-4.2.12.RELEASE.jar

spring-security-web
Library home page: https://spring.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/4.2.12.RELEASE/spring-security-web-4.2.12.RELEASE.jar
Dependency Hierarchy:
- :x: **spring-security-web-4.2.12.RELEASE.jar** (Vulnerable Library)
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
#### Reachability Analysis

This vulnerability is potentially reachable

```
org.joychou.security.WebSecurityConfig (Application)
-> org.springframework.security.config.annotation.web.builders.HttpSecurity (Extension)
-> org.springframework.security.config.annotation.web.builders.FilterComparator (Extension)
-> ❌ org.springframework.security.web.authentication.switchuser.SwitchUserFilter (Vulnerable Component)
```

#### Vulnerability Details

A Cross-Site Request Forgery (CSRF) vulnerability was found in spring-security before 4.2.15, 5.0.15, 5.1.9, 5.2.3, and 5.3.1. SwitchUserFilter responds to all HTTP methods, making it vulnerable to CSRF attacks.
Publish Date: 2017-01-03
URL: WS-2017-3767
#### Threat Assessment

Exploit Maturity: Not Defined

EPSS:

#### CVSS 3 Score Details (6.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low

#### Suggested Fix

Type: Upgrade version
Release Date: 2017-01-03
Fix Resolution: 4.2.15.RELEASE
In order to enable automatic remediation, please create workflow rules
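The point of this advisory is that the impersonation endpoints answered GET as well as POST, so a plain link or image tag could start or end an impersonation on behalf of an administrator whose browser follows it. Added example, not from this report or from the project: a subclass of `SwitchUserFilter` that only honours POST for both the switch and the exit URL (the protected `requiresSwitchUser`/`requiresExitUser` hooks exist in 4.2.x), wired into a `WebSecurityConfigurerAdapter` with CSRF protection left on so that the POST must also carry a valid token. The URLs, the ADMIN role and the `UserDetailsService` bean are assumptions.

```java
import javax.servlet.http.HttpServletRequest;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.security.web.authentication.switchuser.SwitchUserFilter;

/**
 * Added example for WS-2017-3767 (not the project's configuration): impersonation
 * restricted to POST, behind CSRF protection and an ADMIN-only authorization rule.
 */
@Configuration
@EnableWebSecurity
public class ImpersonationSecurityConfig extends WebSecurityConfigurerAdapter {

    /** Only a POST can start or end an impersonation; a GET to the same URLs is ignored. */
    static class PostOnlySwitchUserFilter extends SwitchUserFilter {
        @Override
        protected boolean requiresSwitchUser(HttpServletRequest request) {
            return "POST".equalsIgnoreCase(request.getMethod()) && super.requiresSwitchUser(request);
        }

        @Override
        protected boolean requiresExitUser(HttpServletRequest request) {
            return "POST".equalsIgnoreCase(request.getMethod()) && super.requiresExitUser(request);
        }
    }

    @Autowired
    private UserDetailsService userDetailsService;   // assumed to be provided elsewhere

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        SwitchUserFilter switchUser = new PostOnlySwitchUserFilter();
        switchUser.setUserDetailsService(userDetailsService);
        switchUser.setSwitchUserUrl("/login/impersonate");     // assumed URLs
        switchUser.setExitUserUrl("/logout/impersonate");
        switchUser.setTargetUrl("/");

        http
            // CsrfFilter runs earlier in the chain and rejects a POST without a valid token,
            // so a cross-site form post cannot reach the switch filter either.
            .csrf().and()
            .authorizeRequests()
                .antMatchers("/login/impersonate").hasRole("ADMIN")   // assumed role
                .anyRequest().authenticated()
                .and()
            .addFilterAfter(switchUser, FilterSecurityInterceptor.class);
    }
}
```

In the fixed versions the same restriction is available without subclassing, through `setSwitchUserMatcher(new AntPathRequestMatcher("/login/impersonate", "POST"))` and the matching `setExitUserMatcher(...)`; the subclass above is the stop-gap for 4.2.12.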
### WS-2020-0293
#### Vulnerable Library - spring-security-web-4.2.12.RELEASE.jar

spring-security-web
Library home page: https://spring.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/4.2.12.RELEASE/spring-security-web-4.2.12.RELEASE.jar
Dependency Hierarchy:
- :x: **spring-security-web-4.2.12.RELEASE.jar** (Vulnerable Library)
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
#### Reachability Analysis

This vulnerability is potentially reachable

```
org.joychou.security.WebSecurityConfig (Application)
-> org.springframework.security.web.csrf.CsrfFilter$DefaultRequiresCsrfMatcher (Extension)
-> ❌ org.springframework.security.web.csrf.CsrfFilter (Vulnerable Component)
```

#### Vulnerability Details

Spring Security before 5.2.9, 5.3.7, and 5.4.3 is vulnerable to side-channel attacks: vulnerable versions of Spring Security do not use constant-time comparisons for CSRF tokens.
Publish Date: 2020-12-17
URL: WS-2020-0293
#### Threat Assessment

Exploit Maturity: Not Defined

EPSS:

#### CVSS 3 Score Details (5.9)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None

#### Suggested Fix

Type: Upgrade version
Release Date: 2020-12-17
Fix Resolution: 5.2.9.RELEASE
In order to enable automatic remediation, please create workflow rules
### WS-2016-7107
#### Vulnerable Library - spring-security-web-4.2.12.RELEASE.jar

spring-security-web
Library home page: https://spring.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/4.2.12.RELEASE/spring-security-web-4.2.12.RELEASE.jar
Dependency Hierarchy:
- :x: **spring-security-web-4.2.12.RELEASE.jar** (Vulnerable Library)
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
#### Reachability Analysis

This vulnerability is potentially reachable

```
org.joychou.controller.Jsonp (Application)
-> ❌ org.springframework.security.web.csrf.CookieCsrfTokenRepository (Vulnerable Component)
```

#### Vulnerability Details

CSRF tokens in Spring Security are vulnerable to a BREACH attack: Spring Security always returns the same CSRF token to the browser.
Publish Date: 2016-08-02
URL: WS-2016-7107
#### Threat Assessment

Exploit Maturity: Not Defined

EPSS:

#### CVSS 3 Score Details (5.9)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None

#### Suggested Fix

Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/WS-2016-7107
Release Date: 2016-08-02
Fix Resolution: 5.2.14.RELEASE
In order to enable automatic remediation, please create workflow rules
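WS-2020-0293 and WS-2016-7107 are both about how the CSRF token is handled on the way in and on the way out rather than how it is generated, so one added example (not code from this report or from Spring Security) covers both. It shows a comparison that runs in constant time via `MessageDigest.isEqual`, which is also what the fixed `CsrfFilter` uses, and a per-response masking of the session token with a fresh random mask (the value sent to the browser is `mask || (token XOR mask)`), so that the bytes on the wire differ on every response while the server still recovers and compares the real token. The 32-byte session token is constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

/**
 * Added example for WS-2020-0293 and WS-2016-7107 (not Spring Security code):
 * constant-time token comparison plus a per-response masked token.
 */
public final class CsrfTokenHandling {
    private static final SecureRandom RNG = new SecureRandom();

    /** Vulnerable pattern: String.equals returns at the first differing character. */
    static boolean equalsLeaky(String expected, String actual) {
        return expected != null && expected.equals(actual);
    }

    /** Constant-time comparison: MessageDigest.isEqual examines every byte when lengths match. */
    static boolean equalsConstantTime(String expected, String actual) {
        if (expected == null || actual == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     actual.getBytes(StandardCharsets.UTF_8));
    }

    /** BREACH defence: emit mask || (token XOR mask) with a fresh mask for every response. */
    static String mask(byte[] token) {
        byte[] maskBytes = new byte[token.length];
        RNG.nextBytes(maskBytes);
        byte[] out = new byte[token.length * 2];
        for (int i = 0; i < token.length; i++) {
            out[i] = maskBytes[i];
            out[token.length + i] = (byte) (token[i] ^ maskBytes[i]);
        }
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    /** Recovers the token from a masked value, or returns null if the value is malformed. */
    static byte[] unmask(String masked, int tokenLength) {
        byte[] in;
        try {
            in = Base64.getUrlDecoder().decode(masked);
        } catch (IllegalArgumentException badBase64) {
            return null;
        }
        if (in.length != tokenLength * 2) {
            return null;
        }
        byte[] token = new byte[tokenLength];
        for (int i = 0; i < tokenLength; i++) {
            token[i] = (byte) (in[tokenLength + i] ^ in[i]);
        }
        return token;
    }

    /** Server-side check: unmask what the client sent, then compare in constant time. */
    static boolean verify(byte[] sessionToken, String submitted) {
        byte[] presented = unmask(submitted, sessionToken.length);
        return presented != null && MessageDigest.isEqual(sessionToken, presented);
    }

    public static void main(String[] args) {
        byte[] sessionToken = new byte[32];   // constructed: what the token repository stores
        RNG.nextBytes(sessionToken);

        String response1 = mask(sessionToken);
        String response2 = mask(sessionToken);
        System.out.println("differs on the wire : " + !response1.equals(response2));
        System.out.println("both verify         : " + (verify(sessionToken, response1)
                                                      && verify(sessionToken, response2)));
        System.out.println("forged token rejected: " + !verify(sessionToken, mask(new byte[32])));
        System.out.println("garbage rejected     : " + !verify(sessionToken, "not*base64"));
    }
}
```

Two renderings of the same session token come out different, both verify, and a masked token built from other bytes does not. Spring Security's own implementation of the masking idea is `XorCsrfTokenRequestAttributeHandler` (5.8 and later); for 4.2.12 the practical answer to both findings is the upgrade listed under Suggested Fix, since the comparison happens inside `CsrfFilter` and cannot be swapped out from application code.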
### CVE-2017-4995
#### Vulnerable Library - spring-security-core-4.2.1.RELEASE.jar

spring-security-core
Library home page: http://spring.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-core/4.2.1.RELEASE/spring-security-core-4.2.1.RELEASE.jar
Dependency Hierarchy:
- spring-security-web-4.2.12.RELEASE.jar (Root Library)
  - :x: **spring-security-core-4.2.1.RELEASE.jar** (Vulnerable Library)
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
#### Reachability Analysis

The vulnerable code is unreachable

#### Vulnerability Details

An issue was discovered in Pivotal Spring Security 4.2.0.RELEASE through 4.2.2.RELEASE, and Spring Security 5.0.0.M1. When configured to enable default typing, Jackson contained a deserialization vulnerability that could lead to arbitrary code execution. Jackson fixed this vulnerability by blacklisting known "deserialization gadgets." Spring Security configures Jackson with global default typing enabled, which means that (through the previous exploit) arbitrary code could be executed if all of the following is true: (1) Spring Security's Jackson support is being leveraged by invoking SecurityJackson2Modules.getModules(ClassLoader) or SecurityJackson2Modules.enableDefaultTyping(ObjectMapper); (2) Jackson is used to deserialize data that is not trusted (Spring Security does not perform deserialization using Jackson, so this is an explicit choice of the user); and (3) there is an unknown (Jackson is not blacklisting it already) "deserialization gadget" that allows code execution present on the classpath. Jackson provides a blacklisting approach to protecting against this type of attack, but Spring Security should be proactive against blocking unknown "deserialization gadgets" when Spring Security enables default typing.
Publish Date: 2017-11-27
URL: CVE-2017-4995
#### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.5%

#### CVSS 3 Score Details (8.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

#### Suggested Fix

Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-4995
Release Date: 2017-11-27
Fix Resolution: org.springframework.security:spring-security-core:5.0.0.M5
### CVE-2019-3795
#### Vulnerable Library - spring-security-core-4.2.1.RELEASE.jar

spring-security-core
Library home page: http://spring.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-core/4.2.1.RELEASE/spring-security-core-4.2.1.RELEASE.jar
Dependency Hierarchy:
- spring-security-web-4.2.12.RELEASE.jar (Root Library)
  - :x: **spring-security-core-4.2.1.RELEASE.jar** (Vulnerable Library)
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
#### Reachability Analysis

The vulnerable code is unreachable

#### Vulnerability Details

Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.
Publish Date: 2019-04-09
URL: CVE-2019-3795
#### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.3%

#### CVSS 3 Score Details (5.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None

#### Suggested Fix

Type: Upgrade version
Origin: https://pivotal.io/security/cve-2019-3795
Release Date: 2019-04-09
Fix Resolution: 4.2.12,5.0.12,5.1.5
### CVE-2024-38821
#### Vulnerable Library - spring-security-web-4.2.12.RELEASE.jar

spring-security-web
Library home page: https://spring.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/4.2.12.RELEASE/spring-security-web-4.2.12.RELEASE.jar
Dependency Hierarchy:
- :x: **spring-security-web-4.2.12.RELEASE.jar** (Vulnerable Library)
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
#### Vulnerability Details

Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances. For this to impact an application, all of the following must be true: it must be a WebFlux application, it must be using Spring's static resources support, and it must have a non-permitAll authorization rule applied to the static resources support.

Before acting on this entry, confirm whether the application is a WebFlux application at all: the reachability paths reported above run through WebSecurityConfigurerAdapter and HttpSecurity, which belong to the servlet stack, and no reachability analysis is given for this entry.
Publish Date: 2024-10-28
URL: CVE-2024-38821
#### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

#### CVSS 3 Score Details (9.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None

#### Suggested Fix

Type: Upgrade version
Origin: https://spring.io/security/cve-2024-38821
Release Date: 2024-10-28
Fix Resolution: 5.7.13
In order to enable automatic remediation, please create workflow rules
### CVE-2024-38827
#### Vulnerable Libraries - spring-security-core-4.2.1.RELEASE.jar, spring-security-web-4.2.12.RELEASE.jar

##### spring-security-core-4.2.1.RELEASE.jar
spring-security-core
Library home page: http://spring.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-core/4.2.1.RELEASE/spring-security-core-4.2.1.RELEASE.jar
Dependency Hierarchy:
- spring-security-web-4.2.12.RELEASE.jar (Root Library)
  - :x: **spring-security-core-4.2.1.RELEASE.jar** (Vulnerable Library)

##### spring-security-web-4.2.12.RELEASE.jar
spring-security-web
Library home page: https://spring.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/4.2.12.RELEASE/spring-security-web-4.2.12.RELEASE.jar
Dependency Hierarchy:
- :x: **spring-security-web-4.2.12.RELEASE.jar** (Vulnerable Library)
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
#### Vulnerability Details

The usage of String.toLowerCase() and String.toUpperCase() has some Locale-dependent exceptions that could potentially result in authorization rules not working properly.
Publish Date: 2024-06-20
URL: CVE-2024-38827
#### Threat Assessment

Exploit Maturity: Not Defined

EPSS:

#### CVSS 3 Score Details (4.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

#### Suggested Fix

Type: Upgrade version
Origin: https://spring.io/security/cve-2024-38827
Release Date: 2024-06-20
Fix Resolution (org.springframework.security:spring-security-core): 5.7.14
Direct dependency fix Resolution (org.springframework.security:spring-security-web): 5.7.14
In order to enable automatic remediation, please create workflow rules
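Added example (not code from this report or from Spring Security) that makes the Locale dependency visible. Under a Turkish default locale, `"admin".toUpperCase()` produces a dotted capital İ (U+0130) and `"ADMIN".toLowerCase()` a dotless ı (U+0131), so a role or authority compared after case folding no longer equals its ASCII counterpart; passing `Locale.ROOT` removes the dependency. The role strings are constructed; the main method switches the JVM default locale itself, which is equivalent to starting the application with `-Duser.language=tr -Duser.region=TR`.

```java
import java.util.Locale;

/**
 * Added example for CVE-2024-38827 (not Spring Security code): the same role comparison
 * with the default locale and with Locale.ROOT, run under a Turkish default locale.
 */
public final class LocaleCaseDemo {

    /** Locale-sensitive: the result of toUpperCase() depends on the JVM default locale. */
    static boolean roleMatchesDefaultLocale(String granted, String required) {
        return granted.toUpperCase().equals(required.toUpperCase());
    }

    /** Locale-independent: Locale.ROOT applies the plain ASCII case mapping everywhere. */
    static boolean roleMatchesRootLocale(String granted, String required) {
        return granted.toUpperCase(Locale.ROOT).equals(required.toUpperCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        Locale saved = Locale.getDefault();
        try {
            Locale.setDefault(new Locale("tr", "TR"));

            // Constructed: an authority stored in lower case checked against an upper-case rule.
            String granted = "admin";
            String required = "ADMIN";

            System.out.println("tr-TR, default locale : " + roleMatchesDefaultLocale(granted, required)
                    + "  (" + granted.toUpperCase() + " vs " + required.toUpperCase() + ")");
            System.out.println("tr-TR, Locale.ROOT    : " + roleMatchesRootLocale(granted, required));
            System.out.println("lower-cased rule      : " + required.toLowerCase()
                    + " vs " + required.toLowerCase(Locale.ROOT));
        } finally {
            Locale.setDefault(saved);
        }
    }
}
```

The default-locale comparison fails under tr-TR because the two strings fold to `ADMİN` and `ADMIN`, while the `Locale.ROOT` comparison succeeds. The same check applies to any application code that normalises role or authority names with `toLowerCase()`/`toUpperCase()` before calling `hasRole`/`hasAuthority`: always pass `Locale.ROOT`, and test the deployment with a non-default locale at least once.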
In order to enable automatic remediation for this issue, please create workflow rules