CVE-2022-22976 – org.springframework.security:spring-security-core
Package
Manager: maven
Name: org.springframework.security:spring-security-core
Vulnerable Version: >=5.2.0.release <5.5.7 || >=5.6.0 <5.6.4
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00365 (percentile 0.57749)
Details
Integer overflow in BCrypt class in Spring Security. Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When the BCrypt class is used with the maximum work factor (31), the encoder performs no salt rounds at all, because the round count overflows. The default settings are not affected by this CVE.
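As an added illustration (not Spring Security's own code), the following Java class contrasts the vulnerable 32-bit round computation with a 64-bit one. The derivation of the round count as 1 shifted left by the work factor, and the 4..31 bounds, are assumptions modelled on classic bcrypt implementations.

```java
import java.util.List;

/** Added illustration of the CVE-2022-22976 overflow; not Spring Security's own code. */
public final class BcryptWorkFactorDemo {

    static final int MIN_LOG_ROUNDS = 4;   // assumed bcrypt bounds
    static final int MAX_LOG_ROUNDS = 31;

    /** Vulnerable pattern: a 32-bit int round count, so 1 << 31 wraps to Integer.MIN_VALUE. */
    static int roundsAsInt(int logRounds) {
        checkRange(logRounds);
        return 1 << logRounds;
    }

    /** Hardened pattern: compute in 64 bits so that 2^31 is representable. */
    static long roundsAsLong(int logRounds) {
        checkRange(logRounds);
        return 1L << logRounds;
    }

    /** Models the key-expansion loop guard (for i < rounds): a non-positive count means no stretching. */
    static boolean stretchingWouldRun(long rounds) {
        return rounds > 0;
    }

    private static void checkRange(int logRounds) {
        if (logRounds < MIN_LOG_ROUNDS || logRounds > MAX_LOG_ROUNDS) {
            throw new IllegalArgumentException("Bad number of rounds: " + logRounds);
        }
    }

    public static void main(String[] args) {
        // Only the maximum work factor (31) trips the overflow; 4..30 behave identically in both types.
        for (int logRounds : List.of(4, 10, 30, 31)) {
            int asInt = roundsAsInt(logRounds);
            long asLong = roundsAsLong(logRounds);
            System.out.printf("work factor %2d: int rounds=%11d (stretching runs: %-5b) long rounds=%11d%n",
                    logRounds, asInt, stretchingWouldRun(asInt), asLong);
        }
    }
}
```

Running the class shows that only work factor 31 yields a negative int count, for which the stretching guard is false, while the long computation keeps the expected 2^31 rounds.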
Metadata
Created: 2022-05-20T00:00:38Z
Modified: 2024-06-13T21:48:35Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-wx54-3278-m5g4/GHSA-wx54-3278-m5g4.json
CWE IDs: CWE-190 (Integer Overflow or Wraparound)
Alternative ID: GHSA-wx54-3278-m5g4
Finding: F111
Auto approve: 1