VYPR

Maven package

org.springframework.security/spring-security-web

pkg:maven/org.springframework.security/spring-security-web

Vulnerabilities (5)

  • CVE-2026-22747 | Med | Apr 22, 2026
    affected >= 7.0.0, < 7.0.5 | fixed 7.0.5

    Vulnerability in Spring Spring Security. SubjectX500PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonati

  • CVE-2026-22732 | Cri | Mar 19, 2026
    affected <= 5.7.14

    When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. This issue affects Spring Security Servlet applications using lazy (default) writing of HTTP Headers: from 5.7.0

  • CVE-2024-38821 | Cri | Oct 28, 2024
    affected < 5.7.13 | fixed 5.7.13

    Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances. For this to impact an application, all of the following must be true: * It must be a WebFlux application * It must be using Spring's

  • CVE-2022-22978 | May 19, 2022
    affected >= 5.5.0, < 5.5.7 | fixed 5.5.7

    In Spring Security versions prior to 5.4.11+, 5.5.7+, 5.6.4+ and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerab

  • CVE-2021-22112 | Feb 23, 2021
    affected >= 5.4.0, < 5.4.4 | fixed 5.4.4

    Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request. A malicious user cannot cause the bug to happen (it must be pr