Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE. The only in circumstances where the BCryptPasswordEncoder has been configured with the maximum work factor are affected. Due to current limitations in computer hardware, the use of such a high work factor is computationally impractical. You need to be using BCrypt with a work factor of 31 to be impacted.

References

• https://nvd.nist.gov/vuln/detail/CVE-2022-22976
• https://tanzu.vmware.com/security/cve-2022-22976
• https://security.netapp.com/advisory/ntap-20220707-0003/
• https://www.oracle.com/security-alerts/cpujul2022.html