CVE-2011-2731 – org.springframework.security:spring-security-core

Package

Manager: maven
Name: org.springframework.security:spring-security-core
Vulnerable Version: >=0 <2.0.7 || >=3.0.0 <3.0.6

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P/RL:O/RC:R

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00295 pctl0.52339

Details

Concurrent Execution using Shared Resource with Improper Synchronization in Spring Security Race condition in the RunAsManager mechanism in VMware SpringSource Spring Security before 2.0.7 and 3.0.x before 3.0.6 stores the Authentication object in the shared security context, which allows attackers to gain privileges via a crafted thread.

Metadata

Created: 2022-05-17T04:59:50Z
Modified: 2022-07-13T17:46:37Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-4644-hg35-55m9/GHSA-4644-hg35-55m9.json
CWE IDs: ["CWE-362"]
Alternative ID: GHSA-4644-hg35-55m9
Finding: F124
Auto approve: 1