Maven package
org.springframework.security/spring-security-core
pkg:maven/org.springframework.security/spring-security-core
Vulnerabilities (31)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2018-1199 | — | | | >= 4.2.0, < 4.2.4 | 4.2.4 | Mar 16, 2018 | Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with specia |
| CVE-2017-4995 | High | 8.1 | | >= 4.2.0.RELEASE, < 4.2.3.RELEASE | 4.2.3.RELEASE | Nov 27, 2017 | An issue was discovered in Pivotal Spring Security 4.2.0.RELEASE through 4.2.2.RELEASE, and Spring Security 5.0.0.M1. When configured to enable default typing, Jackson contained a deserialization vulnerability that could lead to arbitrary code execution. Jackson fixed this vulner |
| CVE-2016-5007 | High | 7.5 | | < 4.1.1 | 4.1.1 | May 25, 2017 | Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with reg |
| CVE-2014-3527 | Critical | 9.8 | | < 3.1.7 | 3.1.7 | May 25, 2017 | When using the CAS Proxy ticket authentication from Spring Security 3.1 to 3.2.4 a malicious CAS Service could trick another CAS Service into authenticating a proxy ticket that was not associated. This is due to the fact that the proxy ticket authentication uses the information f |
| CVE-2014-0097 | High | 7.3 | | >= 3.2.0, < 3.2.2.RELEASE | 3.2.2.RELEASE | May 25, 2017 | The ActiveDirectoryLdapAuthenticator in Spring Security 3.2.0 to 3.2.1 and 3.1.0 to 3.1.5 does not check the password length. If the directory allows anonymous binds then it may incorrectly authenticate a user who supplies an empty password. |
| CVE-2016-9879 | High | 7.5 | | < 3.2.10.RELEASE | 3.2.10.RELEASE | Jan 6, 2017 | An issue was discovered in Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1. Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded "/" to a request, an attacker m |
| CVE-2012-5055 | — | | | < 2.0.8 | 2.0.8 | Dec 5, 2012 | DaoAuthenticationProvider in VMware SpringSource Spring Security before 2.0.8, 3.0.x before 3.0.8, and 3.1.x before 3.1.3 does not check the password if the user is not found, which makes the response delay shorter and might allow remote attackers to enumerate valid usernames via |
| CVE-2011-2732 | — | | | < 2.0.7 | 2.0.7 | Dec 5, 2012 | CRLF injection vulnerability in the logout functionality in VMware SpringSource Spring Security before 2.0.7 and 3.0.x before 3.0.6 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the spring-security-redirect parameter. |
| CVE-2011-2731 | — | | | < 2.0.7 | 2.0.7 | Dec 5, 2012 | Race condition in the RunAsManager mechanism in VMware SpringSource Spring Security before 2.0.7 and 3.0.x before 3.0.6 stores the Authentication object in the shared security context, which allows attackers to gain privileges via a crafted thread. |
| CVE-2011-2894 | — | | | >= 3.0.0, < 3.0.6 | 3.0.6 | Oct 4, 2011 | Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and execute untrusted code by (1) seri |
| CVE-2010-3700 | — | | | >= 2.0.0, < 2.0.6 | 2.0.6 | Oct 29, 2010 | VMware SpringSource Spring Security 2.x before 2.0.6 and 3.x before 3.0.4, and Acegi Security 1.0.0 through 1.0.7, as used in IBM WebSphere Application Server (WAS) 6.1 and 7.0, allows remote attackers to bypass security constraints via a path parameter. |
Page 2 of 2