Integer overflow in BCrypt class in Spring Security
Moderate severity
GitHub Reviewed
Published
May 20, 2022
to the GitHub Advisory Database
•
Updated Jan 27, 2023
Package
Affected versions
< 5.5.7
>= 5.6.0, < 5.6.4
Patched versions
5.5.7
5.6.4
Description
Published by the National Vulnerability Database
May 19, 2022
Published to the GitHub Advisory Database
May 20, 2022
Reviewed
May 25, 2022
Last updated
Jan 27, 2023
Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE. The only in circumstances where the BCryptPasswordEncoder has been configured with the maximum work factor are affected. Due to current limitations in computer hardware, the use of such a high work factor is computationally impractical. You need to be using BCrypt with a work factor of 31 to be impacted.
References