High severity8.8NVD Advisory· Published Feb 23, 2021· Updated Jun 17, 2026
CVE-2021-22112
CVE-2021-22112
Description
Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request.A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.springframework.security:spring-security-bomMaven | >= 5.4.0, < 5.4.4 | 5.4.4 |
org.springframework.security:spring-security-bomMaven | >= 5.3.0, < 5.3.8 | 5.3.8 |
org.springframework.security:spring-security-bomMaven | < 5.2.9 | 5.2.9 |
org.springframework.security:spring-security-webMaven | >= 5.4.0, < 5.4.4 | 5.4.4 |
org.springframework.security:spring-security-webMaven | >= 5.3.0, < 5.3.8 | 5.3.8 |
org.springframework.security:spring-security-webMaven | < 5.2.9 | 5.2.9 |
Affected products
3- ghsa-coords2 versionspkg:maven/org.springframework.security/spring-security-bompkg:maven/org.springframework.security/spring-security-web
>= 5.4.0, < 5.4.4+ 1 more
- (no CPE)range: >= 5.4.0, < 5.4.4
- (no CPE)range: >= 5.4.0, < 5.4.4
- Range: 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE
Patches
Vulnerability mechanics
References
29- www.oracle.com/security-alerts/cpuApr2021.htmlnvdPatchThird Party AdvisoryWEB
- www.oracle.com/security-alerts/cpuoct2021.htmlnvdPatchThird Party AdvisoryWEB
- www.openwall.com/lists/oss-security/2021/02/19/7nvdMailing ListThird Party AdvisoryWEB
- github.com/advisories/GHSA-gq28-h5vg-8prxghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-22112ghsaADVISORY
- tanzu.vmware.com/security/cve-2021-22112nvdVendor AdvisoryWEB
- www.oracle.com//security-alerts/cpujul2021.htmlnvdThird Party AdvisoryWEB
- github.com/spring-projects/spring-security/releases/tag/5.4.4ghsaWEB
- lists.apache.org/thread.html/r163b3e4e39803882f5be05ee8606b2b9812920e196daa2a82997ce14@%3Cpluto-dev.portals.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r2cb05e499807900ba23e539643eead9c5f0652fd271f223f89da1804@%3Cpluto-scm.portals.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r37423ec7eea340e92a409452c35b649dce02fdc467f0b3f52086c177@%3Cpluto-dev.portals.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r3868207b967f926819fe3aa8d33f1666429be589bb4a62104a49f4e3@%3Cpluto-dev.portals.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r390783b3b1c59b978131ac08390bf77fbb3863270cbde59d5b0f5fde@%3Cpluto-dev.portals.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r413e380088c427f56102968df89ef2f336473e1b56b7d4b3a571a378@%3Cpluto-dev.portals.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r89aa1b48a827f5641310305214547f1d6b2101971a49b624737c497f@%3Cpluto-dev.portals.apache.org%3EghsaWEB
- lists.apache.org/thread.html/ra53677224fe4f04c2599abc88032076faa18dc84b329cdeba85d4cfc@%3Cpluto-scm.portals.apache.org%3EghsaWEB
- lists.apache.org/thread.html/ra6389b1b82108a3b6bbcd22979f7665fd437c2a3408c9509a15a9ca1@%3Cpluto-dev.portals.apache.org%3EghsaWEB
- lists.apache.org/thread.html/redbd004a503b3520ae5746c2ab5e93fd7da807a8c128e60d2002cd9b@%3Cissues.nifi.apache.org%3EghsaWEB
- www.jenkins.io/security/advisory/2021-02-19ghsaWEB
- lists.apache.org/thread.html/r163b3e4e39803882f5be05ee8606b2b9812920e196daa2a82997ce14%40%3Cpluto-dev.portals.apache.org%3Envd
- lists.apache.org/thread.html/r2cb05e499807900ba23e539643eead9c5f0652fd271f223f89da1804%40%3Cpluto-scm.portals.apache.org%3Envd
- lists.apache.org/thread.html/r37423ec7eea340e92a409452c35b649dce02fdc467f0b3f52086c177%40%3Cpluto-dev.portals.apache.org%3Envd
- lists.apache.org/thread.html/r3868207b967f926819fe3aa8d33f1666429be589bb4a62104a49f4e3%40%3Cpluto-dev.portals.apache.org%3Envd
- lists.apache.org/thread.html/r390783b3b1c59b978131ac08390bf77fbb3863270cbde59d5b0f5fde%40%3Cpluto-dev.portals.apache.org%3Envd
- lists.apache.org/thread.html/r413e380088c427f56102968df89ef2f336473e1b56b7d4b3a571a378%40%3Cpluto-dev.portals.apache.org%3Envd
- lists.apache.org/thread.html/r89aa1b48a827f5641310305214547f1d6b2101971a49b624737c497f%40%3Cpluto-dev.portals.apache.org%3Envd
- lists.apache.org/thread.html/ra53677224fe4f04c2599abc88032076faa18dc84b329cdeba85d4cfc%40%3Cpluto-scm.portals.apache.org%3Envd
- lists.apache.org/thread.html/ra6389b1b82108a3b6bbcd22979f7665fd437c2a3408c9509a15a9ca1%40%3Cpluto-dev.portals.apache.org%3Envd
- lists.apache.org/thread.html/redbd004a503b3520ae5746c2ab5e93fd7da807a8c128e60d2002cd9b%40%3Cissues.nifi.apache.org%3Envd
News mentions
1- Jenkins Security Advisory 2021-02-19Jenkins Security Advisories · Feb 19, 2021