github / advisory-database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Creative Commons Attribution 4.0 International

[GHSA-wx54-3278-m5g4] Integer overflow in BCrypt class in Spring Security #4501

Closed SunBK201 closed 1 month ago

SunBK201 commented 1 month ago

Updates

Comments

According to the patch, this vulnerability was introduced in 5.2.0.RELEASE.

shelbyc commented 1 month ago

Hi @SunBK201, I looked into the history of the file BCrypt.java and saw that most of the code changed in fix commit https://github.com/spring-projects/spring-security/commit/a40f73521c0dd88b879ff6165d280e78bdf8154f was added in version 3.1.0.RELEASE, specifically https://github.com/spring-projects/spring-security/commit/8565116f203b9c6186b044bc655c9d5d5b2e6450. Are there any changes to BCrypt.java that occurred in 5.2.0.RELEASE that lead you to believe 5.2.0.RELEASE is the first vulnerable version?

SunBK201 commented 1 month ago

According to spring-projects/spring-security@a40f73521c0dd88b879ff6165d280e78bdf8154f, the vulnerable method is crypt_raw. In 5.1.13, the vulnerable statement rounds = 1 << log_rounds; does not exist; the inducing commit is spring-projects/spring-security@388a7b62b906bd56deadb7ca45248fa1a63bdf12 in 5.2.0.
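
The following Go program is an added example, not code from this thread or from Spring Security: it models the statement discussed above, rounds = 1 << log_rounds;, using Go's int32, which wraps on shift the same way a Java int does, and shows why a work factor of 31 admits zero cost-loop iterations. The 64-bit variant is an assumed hardening for comparison, not a quote of the fix commit; the function names are this example's own.

```go
package main

import "fmt"

// roundsInt32 mirrors the vulnerable 32-bit computation of the round count
// for a BCrypt work factor (log_rounds) in the range 4..31.
func roundsInt32(logRounds uint) int32 {
	return int32(1) << logRounds // wraps to -2147483648 when logRounds == 31
}

// roundsInt64 computes the same value in a 64-bit integer. This is an assumed
// hardened form for comparison, not a quote of the project's fix.
func roundsInt64(logRounds uint) int64 {
	return int64(1) << logRounds
}

// iterationsAdmitted evaluates the cost loop's guard (i < rounds, counting
// from 0) without running the expensive key-expansion body: a negative or
// zero round count admits no iterations at all.
func iterationsAdmitted(rounds int64) int64 {
	if rounds <= 0 {
		return 0
	}
	return rounds
}

// costIsAsConfigured reports whether the 32-bit computation yields the
// 2^logRounds iterations the configured work factor implies. A false result
// is the overflow condition a unit test or code review should flag.
func costIsAsConfigured(logRounds uint) bool {
	return iterationsAdmitted(int64(roundsInt32(logRounds))) == roundsInt64(logRounds)
}

func main() {
	for _, lr := range []uint{4, 10, 30, 31} {
		r32 := roundsInt32(lr)
		fmt.Printf("log_rounds=%2d int32 rounds=%11d iterations=%10d as_configured=%v\n",
			lr, r32, iterationsAdmitted(int64(r32)), costIsAsConfigured(lr))
	}
}
```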

shelbyc commented 1 month ago

Hi @SunBK201, thank you for showing me the commit that introduced rounds = 1 << log_rounds;! After comparing https://github.com/spring-projects/spring-security/commit/388a7b62b906bd56deadb7ca45248fa1a63bdf12 and https://github.com/spring-projects/spring-security/commit/a40f73521c0dd88b879ff6165d280e78bdf8154f, I agree that it makes sense to set 5.2.0.RELEASE as the minimum vulnerable version.

advisory-database[bot] commented 1 month ago

Hi @SunBK201! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!