Fluid Attacks Database

Description

Concurrent Execution using Shared Resource with Improper Synchronization in Spring Security Race condition in the RunAsManager mechanism in VMware SpringSource Spring Security before 2.0.7 and 3.0.x before 3.0.6 stores the Authentication object in the shared security context, which allows attackers to gain privileges via a crafted thread.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.springframework.security:spring-security-core	>=0 <2.0.7 \|\| >=3.0.0 <3.0.6	2.0.7, 3.0.6

Aliases

1. CVE-2011-27312. NVD-2011-27313. OSV-2011-27314. GCVE-2011-2731

References

1. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=6778142. http://support.springsource.com/security/cve-2011-2731

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.