Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/5.2.6.RELEASE/spring-security-web-5.2.6.RELEASE.jar
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/5.2.6.RELEASE/spring-security-web-5.2.6.RELEASE.jar
In spring security versions prior to 5.4.11+, 5.5.7+ , 5.6.4+ and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-22112
### Vulnerable Library - spring-security-web-5.2.6.RELEASE.jar
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/5.2.6.RELEASE/spring-security-web-5.2.6.RELEASE.jar
Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request.A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
WS-2016-7107
### Vulnerable Library - spring-security-web-5.2.6.RELEASE.jar
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/5.2.6.RELEASE/spring-security-web-5.2.6.RELEASE.jar
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
WS-2020-0293
### Vulnerable Library - spring-security-web-5.2.6.RELEASE.jar
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/5.2.6.RELEASE/spring-security-web-5.2.6.RELEASE.jar
Spring Security before 5.2.9, 5.3.7, and 5.4.3 vulnerable to side-channel attacks. Vulnerable versions of Spring Security don't use constant time comparisons for CSRF tokens.
Vulnerable Library - spring-security-web-5.2.6.RELEASE.jar
spring-security-web
Library home page: http://spring.io/spring-security
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/5.2.6.RELEASE/spring-security-web-5.2.6.RELEASE.jar
Found in HEAD commit: af0de1ab054f866ea94cd6bd334c26f2afb0ba85
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2022-22978
### Vulnerable Library - spring-security-web-5.2.6.RELEASE.jarspring-security-web
Library home page: http://spring.io/spring-security
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/5.2.6.RELEASE/spring-security-web-5.2.6.RELEASE.jar
Dependency Hierarchy: - :x: **spring-security-web-5.2.6.RELEASE.jar** (Vulnerable Library)
Found in HEAD commit: af0de1ab054f866ea94cd6bd334c26f2afb0ba85
Found in base branch: master
### Vulnerability DetailsIn spring security versions prior to 5.4.11+, 5.5.7+ , 5.6.4+ and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
Publish Date: 2022-05-19
URL: CVE-2022-22978
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://spring.io/security/cve-2022-22978/
Release Date: 2022-05-19
Fix Resolution: 5.4.11
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)CVE-2021-22112
### Vulnerable Library - spring-security-web-5.2.6.RELEASE.jarspring-security-web
Library home page: http://spring.io/spring-security
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/5.2.6.RELEASE/spring-security-web-5.2.6.RELEASE.jar
Dependency Hierarchy: - :x: **spring-security-web-5.2.6.RELEASE.jar** (Vulnerable Library)
Found in HEAD commit: af0de1ab054f866ea94cd6bd334c26f2afb0ba85
Found in base branch: master
### Vulnerability DetailsSpring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request.A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.
Publish Date: 2021-02-23
URL: CVE-2021-22112
### CVSS 3 Score Details (8.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2021-22112
Release Date: 2021-02-23
Fix Resolution: 5.2.9.RELEASE
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)WS-2016-7107
### Vulnerable Library - spring-security-web-5.2.6.RELEASE.jarspring-security-web
Library home page: http://spring.io/spring-security
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/5.2.6.RELEASE/spring-security-web-5.2.6.RELEASE.jar
Dependency Hierarchy: - :x: **spring-security-web-5.2.6.RELEASE.jar** (Vulnerable Library)
Found in HEAD commit: af0de1ab054f866ea94cd6bd334c26f2afb0ba85
Found in base branch: master
### Vulnerability DetailsCSRF tokens in Spring Security are vulnerable to a breach attack. Spring Security always returns the same CSRF token to the browser.
Publish Date: 2016-08-02
URL: WS-2016-7107
### CVSS 3 Score Details (5.9)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/WS-2016-7107
Release Date: 2016-08-02
Fix Resolution: 5.2.14.RELEASE
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)WS-2020-0293
### Vulnerable Library - spring-security-web-5.2.6.RELEASE.jarspring-security-web
Library home page: http://spring.io/spring-security
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/5.2.6.RELEASE/spring-security-web-5.2.6.RELEASE.jar
Dependency Hierarchy: - :x: **spring-security-web-5.2.6.RELEASE.jar** (Vulnerable Library)
Found in HEAD commit: af0de1ab054f866ea94cd6bd334c26f2afb0ba85
Found in base branch: master
### Vulnerability DetailsSpring Security before 5.2.9, 5.3.7, and 5.4.3 vulnerable to side-channel attacks. Vulnerable versions of Spring Security don't use constant time comparisons for CSRF tokens.
Publish Date: 2020-12-17
URL: WS-2020-0293
### CVSS 3 Score Details (5.9)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2020-12-17
Fix Resolution: 5.2.9.RELEASE
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)