MEDIUM | APRIL 22, 2025 | CVE-2025-22234
Description The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. Affected Spring Products and Versions Spring Security: 5.7.16 only 5.8.18 only 6.0.16 only 6.1.14 only 6.2.10 only 6.3.…
MEDIUM | APRIL 07, 2025 | CVE-2025-22232
Description Spring Cloud Config Server may not use Vault token sent by clients using a X-CONFIG-TOKEN header when making requests to Vault. Your application may be affected by this if the following are true: You have Spring Vault on the classpath of your…
HIGH | MARCH 19, 2025 | CVE-2025-22228
Description BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same. Affected Spring Products and Versions Spring Security: 5.7.0 - 5.7.15 5.8.0 -…
MEDIUM | MARCH 19, 2025 | CVE-2025-22223
Description Spring Security may not correctly locate method security annotations on parameterized types or methods. This may cause an authorization bypass. Your application may be affected by this if the following are true: You are using @EnableMethodSecurity…
MEDIUM | NOVEMBER 19, 2024 | CVE-2024-38827
Description The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in authorization rules not working properly. Related to CVE-2024-38820. Affected Spring Products and Versions Spring…
LOW | NOVEMBER 19, 2024 | CVE-2024-38829
Description The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in unintended columns being queried. Related to CVE-2024-38820. Affected Spring Products and Versions Spring LDAP: 2.…
MEDIUM | NOVEMBER 15, 2024 | CVE-2024-38828
Description Spring MVC controller methods with an @RequestBody byte[] method parameter are vulnerable to a DoS attack. Affected Spring Products and Versions Spring Framework: 5.3.0 - 5.3.41 Older, unsupported versions are also affected Mitigation Users of…
CRITICAL | OCTOBER 22, 2024 | CVE-2024-38821
Description Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances. For this to impact an application, all of the following must be true: It must be a WebFlux application It…
HIGH | OCTOBER 17, 2024 | CVE-2024-38819
Description Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also…
LOW | OCTOBER 17, 2024 | CVE-2024-38820
Description The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected. Affected Spring Products…