Vulnerabilities > Vmware > Spring Security
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-06-29 | CVE-2021-22119 | Incorrect Authorization vulnerability in multiple products Spring Security versions 5.5.x prior to 5.5.1, 5.4.x prior to 5.4.7, 5.3.x prior to 5.3.10 and 5.2.x prior to 5.2.11 are susceptible to a Denial-of-Service (DoS) attack via the initiation of the Authorization Request in an OAuth 2.0 Client Web and WebFlux application. | 7.5 |
| 2021-02-23 | CVE-2021-22112 | Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request.A malicious user cannot cause the bug to happen (it must be programmed in). | 8.8 |
| 2020-05-14 | CVE-2020-5408 | Use of Insufficiently Random Values vulnerability in multiple products Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. | 6.5 |
| 2019-06-26 | CVE-2019-11272 | Insufficiently Protected Credentials vulnerability in multiple products Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. | 7.3 |
| 2019-04-09 | CVE-2019-3795 | Use of Insufficiently Random Values vulnerability in multiple products Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. | 5.3 |
| 2018-03-16 | CVE-2018-1199 | Improper Input Validation vulnerability in multiple products Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. | 5.3 |
| 2017-11-27 | CVE-2017-4995 | Deserialization of Untrusted Data vulnerability in VMWare Spring Security An issue was discovered in Pivotal Spring Security 4.2.0.RELEASE through 4.2.2.RELEASE, and Spring Security 5.0.0.M1. | 8.1 |
| 2017-05-25 | CVE-2016-5007 | Permissions, Privileges, and Access Controls vulnerability in multiple products Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. | 7.5 |
| 2017-05-25 | CVE-2014-3527 | Improper Authentication vulnerability in VMWare Spring Security When using the CAS Proxy ticket authentication from Spring Security 3.1 to 3.2.4 a malicious CAS Service could trick another CAS Service into authenticating a proxy ticket that was not associated. | 9.8 |
| 2017-05-25 | CVE-2014-0097 | Improper Authentication vulnerability in VMWare Spring Security The ActiveDirectoryLdapAuthenticator in Spring Security 3.2.0 to 3.2.1 and 3.1.0 to 3.1.5 does not check the password length. | 7.3 |