github / advisory-database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Creative Commons Attribution 4.0 International

[GHSA-f3jh-qvm4-mg39] Erroneous authentication pass in Spring Security #4484

Closed SunBK201 closed 1 month ago

SunBK201 commented 1 month ago

Updates

Comments

Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-22257

shelbyc commented 1 month ago

Hi @SunBK201, we can't change the vulnerable version ranges and patched versions because a patched version called 6.0.9 appears to not exist. org.springframework.security:spring-security-core has no version 6.0.9, as seen at https://mvnrepository.com/artifact/org.springframework.security/spring-security-core. Additionally, the 6.0.x branch at https://github.com/spring-projects/spring-security/commits/6.0.x/ does not contain the fix commit that is present in the 5.7.x, 5.8.x, 6.1.x, and 6.2.x branches.