Maven package
org.springframework.security/spring-security-core
pkg:maven/org.springframework.security/spring-security-core
Vulnerabilities (31)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-22746 | Low | 3.7 | | >= 5.7.0, <= 5.7.22 | — | Apr 22, 2026 | Vulnerability in Spring Security. If an application is using the UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked user attributes, to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are |
| CVE-2026-22751 | Medium | 4.8 | | >= 6.5.0, < 6.5.10 | 6.5.10 | Apr 21, 2026 | Vulnerability in Spring Security. Applications that explicitly configure One-Time Token login with JdbcOneTimeTokenService are vulnerable to a Time-of-check Time-of-use (TOCTOU) race condition. This issue affects Spring Security: from 6.4.0 through 6.4.15, from 6.5.0 throu |
| CVE-2025-22234 | Medium | 5.3 | | >= 6.3.8, < 6.3.9 | 6.3.9 | Jan 22, 2026 | The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations. |
| CVE-2025-41248 | High | 7.5 | | >= 6.4.0, < 6.4.10 | 6.4.10 | Sep 16, 2025 | The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue when using @PreAuthorize and other method security annotations, resulting in a |
| CVE-2025-41232 | Critical | 9.1 | | >= 6.4.0, < 6.4.6 | 6.4.6 | May 21, 2025 | Spring Security Aspects may not correctly locate method security annotations on private methods. This can cause an authorization bypass. Your application may be affected by this if the following are true: * You are using @EnableMethodSecurity(mode=ASPECTJ) and spring-securit |
| CVE-2025-22223 | Medium | 5.3 | | >= 6.4.0, < 6.4.4 | 6.4.4 | Mar 24, 2025 | Spring Security 6.4.0 - 6.4.3 may not correctly locate method security annotations on parameterized types or methods. This may cause an authorization bypass. You are not affected if you are not using @EnableMethodSecurity, or you do not have method security annotations on param |
| CVE-2024-38827 | Medium | 4.8 | | < 5.7.14 | 5.7.14 | Dec 2, 2024 | The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in authorization rules not working properly. |
| CVE-2024-38810 | — | — | | >= 6.3.0, < 6.3.2 | 6.3.2 | Aug 20, 2024 | Missing Authorization When Using @AuthorizeReturnObject in Spring Security 6.3.0 and 6.3.1 allows an attacker to render security annotations ineffective. |
| CVE-2024-22257 | High | 8.2 | | < 5.7.12 | 5.7.12 | Mar 18, 2024 | In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, versions 6.2.x prior to 6.2.3, an application is possibly vulnerable to broken access control when it directly uses the AuthenticatedVoter#v |
| CVE-2024-22234 | — | — | | >= 6.1.0, < 6.1.7 | 6.1.7 | Feb 20, 2024 | In Spring Security, versions 6.1.x prior to 6.1.7 and versions 6.2.x prior to 6.2.2, an application is vulnerable to broken access control when it directly uses the AuthenticationTrustResolver.isFullyAuthenticated(Authentication) method. Specifically, an application is vulnerabl |
| CVE-2023-20862 | — | — | | >= 5.7.0, < 5.7.8 | 5.7.8 | Apr 19, 2023 | In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security |
| CVE-2022-31692 | — | — | | >= 5.7.0, < 5.7.5 | 5.7.5 | Oct 31, 2022 | Spring Security, versions 5.7 prior to 5.7.5 and 5.6 prior to 5.6.9 could be susceptible to authorization rules bypass via forward or include dispatcher types. Specifically, an application is vulnerable when all of the following are true: The application expects that Spring Secur |
| CVE-2022-22976 | — | — | | >= 5.2.0.RELEASE, < 5.5.7 | 5.5.7 | May 19, 2022 | Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow |
| CVE-2022-22978 | — | — | | >= 5.5.0, < 5.5.7 | 5.5.7 | May 19, 2022 | In Spring Security versions prior to 5.4.11+, 5.5.7+, 5.6.4+ and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerab |
| CVE-2021-22119 | — | — | | >= 5.5.0, < 5.5.1 | 5.5.1 | Jun 29, 2021 | Spring Security versions 5.5.x prior to 5.5.1, 5.4.x prior to 5.4.7, 5.3.x prior to 5.3.10 and 5.2.x prior to 5.2.11 are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client Web and WebFlux application. A malicious |
| CVE-2020-5408 | — | — | | >= 5.3.0, < 5.3.2 | 5.3.2 | May 14, 2020 | Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to |
| CVE-2020-5407 | — | — | | >= 5.2.0, < 5.2.4 | 5.2.4 | May 13, 2020 | Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 contain a signature wrapping vulnerability during SAML response validation. When using the spring-security-saml2-service-provider component, a malicious user can carefully modify an otherwise valid SAML respon |
| CVE-2019-11272 | — | — | | < 4.2.13 | 4.2.13 | Jun 26, 2019 | Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, |
| CVE-2019-3795 | — | — | | >= 4.2.0, < 4.2.12 | 4.2.12 | Apr 9, 2019 | Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provid |
| CVE-2018-15801 | — | — | | >= 5.1.0, < 5.1.2 | 5.1.2 | Dec 19, 2018 | Spring Security versions 5.1.x prior to 5.1.2 contain an authorization bypass vulnerability during JWT issuer validation. In order to be impacted, the same private key for an honest issuer and a malicious user must be used when signing JWTs. In that case, a malicious user could f |
Page 1 of 2