org.springframework.security:spring-security-core
Maven | 31 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting org.springframework.security:spring-security-core (page 1 of 1)
- CVE-2010-3700 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 3.0.4 | 2010-10-29
  vulnerable: 3.0.0.RELEASE, 3.0.1.RELEASE, 3.0.2.RELEASE, 3.0.3.RELEASE
  VMware SpringSource Spring Security 2.x before 2.0.6 and 3.x before 3.0.4, and Acegi Security 1.0.0 through 1.0.7, as used in IBM WebSphere Application Server (WAS) 6.1 and 7.0, allows remote attackers to bypass security constraints via a …
- CVE-2011-2731 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 3.0.6 | 2012-12-05
  vulnerable: 3.0.0.RELEASE ... 3.0.5.RELEASE (6 versions)
  Race condition in the RunAsManager mechanism in VMware SpringSource Spring Security before 2.0.7 and 3.0.x before 3.0.6 stores the Authentication object in the shared security context, which allows attackers to gain privileges via a crafte…
- CVE-2011-2732 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 3.0.6 | 2012-12-05
  vulnerable: 3.0.0.RELEASE ... 3.0.5.RELEASE (6 versions)
  CRLF injection vulnerability in the logout functionality in VMware SpringSource Spring Security before 2.0.7 and 3.0.x before 3.0.6 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via th…
- CVE-2011-2894 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 2.0.7 | 2011-10-04
  vulnerable: 2.0.0 ... 2.0.6.RELEASE (7 versions)
  Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictio…
- CVE-2012-5055 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 3.1.3 | 2012-12-05
  vulnerable: 3.1.0.RELEASE, 3.1.1.RELEASE, 3.1.2.RELEASE
  DaoAuthenticationProvider in VMware SpringSource Spring Security before 2.0.8, 3.0.x before 3.0.8, and 3.1.x before 3.1.3 does not check the password if the user is not found, which makes the response delay shorter and might allow remote a…
- CVE-2014-0097 | HIGH | CVSS 7.3 | EG 7.3 | ✓ Fixed in 3.1.5.RELEASE | 2017-05-25
  vulnerable: 3.1.0.RELEASE, 3.1.1.RELEASE, 3.1.2.RELEASE, 3.1.3.RELEASE, 3.1.4.RELEASE
  The ActiveDirectoryLdapAuthenticator in Spring Security 3.2.0 to 3.2.1 and 3.1.0 to 3.1.5 does not check the password length. If the directory allows anonymous binds then it may incorrectly authenticate a user who supplies an empty passwor…
- CVE-2014-3527 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 3.2.5 | 2017-05-25
  vulnerable: 3.2.0.RELEASE, 3.2.1.RELEASE, 3.2.2.RELEASE, 3.2.3.RELEASE, 3.2.4.RELEASE
  When using the CAS Proxy ticket authentication from Spring Security 3.1 to 3.2.4 a malicious CAS Service could trick another CAS Service into authenticating a proxy ticket that was not associated. This is due to the fact that the proxy tic…
- CVE-2016-5007 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 4.1.1 | 2017-05-25
  vulnerable: 2.0.0 ... 4.1.0.RELEASE (43 versions)
  Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern …
- CVE-2016-9879 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 4.2.1.RELEASE | 2017-01-06
  vulnerable: 4.2.0.RELEASE
  An issue was discovered in Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1. Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with a…
- CVE-2017-4995 | HIGH | CVSS 8.1 | EG 8.1 | ✓ Fixed in 5.0.0.M2 | 2017-11-27
  vulnerable: 5.0.0.M1
  An issue was discovered in Pivotal Spring Security 4.2.0.RELEASE through 4.2.2.RELEASE, and Spring Security 5.0.0.M1. When configured to enable default typing, Jackson contained a deserialization vulnerability that could lead to arbitrary …
- CVE-2018-1199 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 4.1.5 | 2018-03-16
  vulnerable: 4.1.0.RELEASE, 4.1.1.RELEASE, 4.1.2.RELEASE, 4.1.3.RELEASE, 4.1.4.RELEASE
  Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. B…
- CVE-2018-15801 | HIGH | CVSS 7.4 | EG 7.4 | ✓ Fixed in 5.1.2 | 2018-12-19
  vulnerable: 5.1.0.RELEASE, 5.1.1.RELEASE
  Spring Security versions 5.1.x prior to 5.1.2 contain an authorization bypass vulnerability during JWT issuer validation. In order to be impacted, the same private key for an honest issuer and a malicious user must be used when signing JWT…
- CVE-2019-11272 | HIGH | CVSS 7.3 | EG 7.3 | ✓ Fixed in 4.2.13 | 2019-06-26
  vulnerable: 2.0.0 ... 4.2.9.RELEASE (61 versions)
  Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder…
- CVE-2019-3795 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 5.1.5 | 2019-04-09
  vulnerable: 5.1.0.RELEASE, 5.1.1.RELEASE, 5.1.2.RELEASE, 5.1.3.RELEASE, 5.1.4.RELEASE
  Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be im…
- CVE-2020-5407 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 5.3.2 | 2020-05-13
  vulnerable: 5.3.0.RELEASE, 5.3.1.RELEASE
  Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 contain a signature wrapping vulnerability during SAML response validation. When using the spring-security-saml2-service-provider component, a malicious user can carefu…
- CVE-2020-5408 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 4.2.16 | 2020-05-14
  vulnerable: 2.0.0 ... 4.2.9.RELEASE (64 versions)
  Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text en…
- CVE-2021-22119 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 5.2.11 | 2021-06-29
  vulnerable: 5.2.0.RELEASE ... 5.2.9.RELEASE (11 versions)
  Spring Security versions 5.5.x prior to 5.5.1, 5.4.x prior to 5.4.7, 5.3.x prior to 5.3.10 and 5.2.x prior to 5.2.11 are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client…
- CVE-2022-22976 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 5.6.4 | 2022-05-19
  vulnerable: 5.6.0, 5.6.1, 5.6.2, 5.6.3
  Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform an…
- CVE-2022-22978 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 5.4.11 | 2022-05-19
  vulnerable: 2.0.0 ... 5.4.9 (144 versions)
  In Spring Security versions prior to 5.4.11+, 5.5.7+, 5.6.4+ and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the…
- CVE-2022-31692 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 5.6.9 | 2022-10-31
  vulnerable: 5.6.0 ... 5.6.8 (9 versions)
  Spring Security, versions 5.7 prior to 5.7.5 and 5.6 prior to 5.6.9 could be susceptible to authorization rules bypass via forward or include dispatcher types. Specifically, an application is vulnerable when all of the following are true: …
- CVE-2023-20862 | MEDIUM | CVSS 6.3 | EG 6.3 | ✓ Fixed in 6.0.3 | 2023-04-19
  vulnerable: 6.0.0, 6.0.1, 6.0.2
  In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not poss…
- CVE-2024-22234 | HIGH | CVSS 7.4 | EG 7.4 | ✓ Fixed in 6.2.2 | 2024-02-20
  vulnerable: 6.2.0, 6.2.1
  In Spring Security, versions 6.1.x prior to 6.1.7 and versions 6.2.x prior to 6.2.2, an application is vulnerable to broken access control when it directly uses the AuthenticationTrustResolver.isFullyAuthenticated(Authentication) method. …
- CVE-2024-22257 | HIGH | CVSS 8.2 | EG 8.2 | ✓ Fixed in 6.2.3 | 2024-03-18
  vulnerable: 6.2.0, 6.2.1, 6.2.2
  In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, versions 6.2.x prior to 6.2.3, an application is possibly vulnerable to broken access control when …
- CVE-2024-38810 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 6.3.2 | 2024-08-20
  vulnerable: 6.3.0, 6.3.1
  Missing Authorization When Using @AuthorizeReturnObject in Spring Security 6.3.0 and 6.3.1 allows an attacker to render security annotations ineffective.
- CVE-2024-38827 | MEDIUM | CVSS 4.8 | EG 4.8 | ✓ Fixed in 6.3.5 | 2024-12-02
  vulnerable: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4
  The usage of String.toLowerCase() and String.toUpperCase() has some Locale-dependent exceptions that could potentially result in authorization rules not working properly.
- CVE-2025-22223 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 6.4.4 | 2025-03-24
  vulnerable: 6.4.0, 6.4.1, 6.4.2, 6.4.3
  Spring Security 6.4.0 - 6.4.3 may not correctly locate method security annotations on parameterized types or methods. This may cause an authorization bypass. You are not affected if you are not using @EnableMethodSecurity, or you do not…
- CVE-2025-22234 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 6.4.5 | 2026-01-22
  vulnerable: 6.4.4
  The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences u…
- CVE-2025-41232 | CRITICAL | CVSS 9.1 | EG 9.1 | ✓ Fixed in 6.4.6 | 2025-05-21
  vulnerable: 6.4.0 ... 6.4.5 (6 versions)
  Spring Security Aspects may not correctly locate method security annotations on private methods. This can cause an authorization bypass. Your application may be affected by this if the following are true: * You are using @EnableMethod…
- CVE-2025-41248 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 6.5.4 | 2025-09-16
  vulnerable: 6.5.0, 6.5.1, 6.5.2, 6.5.3
  The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue when using @PreAuthorize and other m…
- CVE-2026-22746 | LOW | CVSS 3.7 | EG 3.7 | ✓ Fixed in 7.0.5 | 2026-04-22
  vulnerable: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4
  Vulnerability in Spring Security. If an application is using the UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked user attributes, to enable, expire, or lock users, then DaoAuthenticationProvider's timing att…
- CVE-2026-22751 | MEDIUM | CVSS 4.8 | EG 4.8 | no fixed version listed | 2026-04-21
  vulnerable: 6.4.0 ... 6.4.9 (14 versions)
  Vulnerability in Spring Security. Applications that explicitly configure One-Time Token login with JdbcOneTimeTokenService are vulnerable to a Time-of-check Time-of-use (TOCTOU) race condition. This issue affects Spring Security:…