You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Using "**" as a pattern in Spring Security configuration
for WebFlux creates a mismatch in pattern matching between Spring
Security and Spring WebFlux, and the potential for a security bypass.
In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to
5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8,
versions 6.2.x prior to 6.2.3, an application is possible vulnerable to
broken access control when it directly uses the AuthenticatedVoter#vote passing a null Authentication parameter.
In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the HttpSessionSecurityContextRepository. This vulnerability can keep users authenticated even after they performed logout. Users of affected versions should apply the following mitigation. 5.7.x users should upgrade to 5.7.8. 5.8.x users should upgrade to 5.8.3. 6.0.x users should upgrade to 6.0.3.
mend-bolt-for-githubbot
changed the title
spring-boot-starter-security-2.7.8.jar: 1 vulnerabilities (highest severity is: 5.5)
spring-boot-starter-security-2.7.8.jar: 1 vulnerabilities (highest severity is: 7.5)
Apr 20, 2023
mend-bolt-for-githubbot
changed the title
spring-boot-starter-security-2.7.8.jar: 1 vulnerabilities (highest severity is: 7.5)
spring-boot-starter-security-2.7.8.jar: 2 vulnerabilities (highest severity is: 7.5)
Apr 21, 2023
mend-bolt-for-githubbot
changed the title
spring-boot-starter-security-2.7.8.jar: 2 vulnerabilities (highest severity is: 7.5)
spring-boot-starter-security-2.7.8.jar: 2 vulnerabilities (highest severity is: 9.8)
May 2, 2023
mend-bolt-for-githubbot
changed the title
spring-boot-starter-security-2.7.8.jar: 2 vulnerabilities (highest severity is: 9.8)
spring-boot-starter-security-2.7.8.jar: 3 vulnerabilities (highest severity is: 9.8)
Jun 19, 2023
mend-bolt-for-githubbot
changed the title
spring-boot-starter-security-2.7.8.jar: 3 vulnerabilities (highest severity is: 9.8)
spring-boot-starter-security-2.7.8.jar: 2 vulnerabilities (highest severity is: 9.8)
Aug 24, 2023
mend-bolt-for-githubbot
changed the title
spring-boot-starter-security-2.7.8.jar: 2 vulnerabilities (highest severity is: 9.8)
spring-boot-starter-security-2.7.8.jar: 3 vulnerabilities (highest severity is: 9.8)
Mar 30, 2024
Vulnerable Library - spring-boot-starter-security-2.7.8.jar
Path to dependency file: /backend/pom.xml
Path to vulnerable library: /backend/pom.xml
Found in HEAD commit: bce59864d461e9f2ff3bacfad1294f7c5fb707e3
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-34034
Vulnerable Library - spring-security-config-5.7.6.jar
Spring Security
Library home page: https://spring.io/projects/spring-security
Path to dependency file: /backend/pom.xml
Path to vulnerable library: /backend/pom.xml
Dependency Hierarchy:
Found in HEAD commit: bce59864d461e9f2ff3bacfad1294f7c5fb707e3
Found in base branch: master
Vulnerability Details
Using "**" as a pattern in Spring Security configuration
for WebFlux creates a mismatch in pattern matching between Spring
Security and Spring WebFlux, and the potential for a security bypass.
Publish Date: 2023-07-19
URL: CVE-2023-34034
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2023-34034
Release Date: 2023-07-19
Fix Resolution (org.springframework.security:spring-security-config): 5.7.10
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-security): 2.7.14
Step up your Open Source Security Game with Mend here
CVE-2024-22257
Vulnerable Library - spring-security-core-5.7.6.jar
Spring Security
Library home page: https://spring.io/projects/spring-security
Path to dependency file: /backend/pom.xml
Path to vulnerable library: /backend/pom.xml
Dependency Hierarchy:
Found in HEAD commit: bce59864d461e9f2ff3bacfad1294f7c5fb707e3
Found in base branch: master
Vulnerability Details
In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to
5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8,
versions 6.2.x prior to 6.2.3, an application is possible vulnerable to
broken access control when it directly uses the AuthenticatedVoter#vote passing a null Authentication parameter.
Publish Date: 2024-03-18
URL: CVE-2024-22257
CVSS 3 Score Details (8.2)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2024-22257
Release Date: 2024-03-18
Fix Resolution (org.springframework.security:spring-security-core): 5.7.12
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-security): 3.0.0
Step up your Open Source Security Game with Mend here
CVE-2023-20862
Vulnerable Library - spring-security-web-5.7.6.jar
Spring Security
Library home page: https://spring.io/projects/spring-security
Path to dependency file: /backend/pom.xml
Path to vulnerable library: /backend/pom.xml
Dependency Hierarchy:
Found in HEAD commit: bce59864d461e9f2ff3bacfad1294f7c5fb707e3
Found in base branch: master
Vulnerability Details
In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the HttpSessionSecurityContextRepository. This vulnerability can keep users authenticated even after they performed logout. Users of affected versions should apply the following mitigation. 5.7.x users should upgrade to 5.7.8. 5.8.x users should upgrade to 5.8.3. 6.0.x users should upgrade to 6.0.3.
Publish Date: 2023-04-19
URL: CVE-2023-20862
CVSS 3 Score Details (6.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2023-20862
Release Date: 2023-04-19
Fix Resolution (org.springframework.security:spring-security-web): 5.7.8
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-security): 2.7.12
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: