Closed SunBK201 closed 1 month ago
Hi @SunBK201, I looked into the history of the file BCrypt.java and saw that most of the code changed in fix commit https://github.com/spring-projects/spring-security/commit/a40f73521c0dd88b879ff6165d280e78bdf8154f was added in version 3.1.0.RELEASE, specifically https://github.com/spring-projects/spring-security/commit/8565116f203b9c6186b044bc655c9d5d5b2e6450. Are there any changes to BCrypt.java that occurred in 5.2.0.RELEASE that lead you to believe 5.2.0.RELEASE is the first vulnerable version?
According to spring-projects/spring-security@a40f73521c0dd88b879ff6165d280e78bdf8154f, the vulnerable method is crypt_raw. In 5.1.13 the vulnerability statement rounds = 1 << log_rounds; does not exist; the inducing commit is spring-projects/spring-security@388a7b62b906bd56deadb7ca45248fa1a63bdf12 in 5.2.0.
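An added illustration (not Spring Security's code) of why the int-typed shift in the statement above matters: with a 32-bit int, a work factor of 31 wraps the round count negative, so a loop bounded by that count never executes. The loop shape and the long-typed form are assumptions, not taken from the linked commits.

```java
// Added example, not Spring Security's code. Demonstrates the behaviour of
// "rounds = 1 << log_rounds;" for a 32-bit int when log_rounds reaches 31.
// The loop shape below is an assumption modelled on the usual jBCrypt
// structure, where the expensive key schedule repeats `rounds` times.
public class RoundsShiftDemo {

    // Int-typed form: for logRounds == 31 the shift wraps to Integer.MIN_VALUE,
    // i.e. the round count becomes negative.
    static int roundsAsInt(int logRounds) {
        return 1 << logRounds;
    }

    // Widened form (assumed shape of a fix, not quoted from the patch):
    // a 64-bit shift keeps 2^31 positive.
    static long roundsAsLong(int logRounds) {
        return 1L << logRounds;
    }

    // A loop "for (i = 0; i < rounds; i++)" runs max(rounds, 0) times, so a
    // negative round count means the key setup is skipped entirely and the
    // configured work factor buys no computation at all.
    static long scheduledIterations(long rounds) {
        return Math.max(rounds, 0L);
    }

    public static void main(String[] args) {
        for (int logRounds : new int[] {10, 30, 31}) {
            int asInt = roundsAsInt(logRounds);
            long asLong = roundsAsLong(logRounds);
            System.out.printf(
                "log_rounds=%d  int: %d (loop runs %d times)  long: %d (loop runs %d times)%n",
                logRounds, asInt, scheduledIterations(asInt),
                asLong, scheduledIterations(asLong));
        }
    }
}
```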
Hi @SunBK201, thank you for showing me the commit that introduced rounds = 1 << log_rounds; ! After comparing https://github.com/spring-projects/spring-security/commit/388a7b62b906bd56deadb7ca45248fa1a63bdf12 and https://github.com/spring-projects/spring-security/commit/a40f73521c0dd88b879ff6165d280e78bdf8154f, I agree that it makes sense to set 5.2.0.RELEASE as the minimum vulnerable version.
Hi @SunBK201! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!
Updates
Comments: According to the patch, this vulnerability was introduced from 5.2.0.RELEASE.