CVE-2011-2732 – org.springframework.security:spring-security-core

Package

Manager: maven
Name: org.springframework.security:spring-security-core
Vulnerable Version: >=0 <2.0.7 || >=3.0.0 <3.0.6

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:H/RL:U/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

EPSS: 0.06199 pctl0.90486

Details

Improper Control of Generation of Code in Spring Security CRLF injection vulnerability in the logout functionality in VMware SpringSource Spring Security before 2.0.7 and 3.0.x before 3.0.6 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the spring-security-redirect parameter.

Metadata

Created: 2022-05-17T05:18:15Z
Modified: 2022-07-13T17:56:38Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-5xm9-rf63-wj7h/GHSA-5xm9-rf63-wj7h.json
CWE IDs: ["CWE-94"]
Alternative ID: GHSA-5xm9-rf63-wj7h
Finding: F422
Auto approve: 1