org.springframework.security:spring-security-web

Ecosystem: Maven

5 known CVEs affecting this package. Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.

CVEs affecting org.springframework.security:spring-security-web
- CVE-2021-22112 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 5.2.9 | 2021-02-23
vulnerable: 3.0.0.RELEASE ... 5.2.8.RELEASE (103 versions)
Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request. A malicious user cann…
- CVE-2022-22978 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 5.4.11 | 2022-05-19
vulnerable: 3.0.0.RELEASE ... 5.4.9 (135 versions)
In Spring Security versions prior to 5.4.11+, 5.5.7+, 5.6.4+ and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the…
- CVE-2024-38821 | CRITICAL | CVSS 9.1 | EG 9.1 | ✓ Fixed in 6.3.4 | 2024-10-28
vulnerable: 6.3.0, 6.3.1, 6.3.2, 6.3.3
Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances. For this to impact an application, all of the following must be true: * It must be a WebFlux ap…
- CVE-2026-22732 | CRITICAL | CVSS 9.1 | EG 9.1 | ✓ Fixed in 7.0.4 | 2026-03-19
vulnerable: 7.0.0, 7.0.1, 7.0.2, 7.0.3
When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. This issue affects Spring Security Servlet applications using lazy (defa…
- CVE-2026-22747 | MEDIUM | CVSS 6.8 | EG 6.8 | ✓ Fixed in 7.0.5 | 2026-04-22
vulnerable: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4
Vulnerability in Spring Security. SubjectX500PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certific…