logo

Database

Out-of-bounds read In org.springframework.security:spring-security-core

Description

Integer overflow in BCrypt class in Spring Security Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2022-229762. NVD-2022-229763. OSV-2022-229764. GCVE-2022-22976

References

1. https://github.com/spring-projects/spring-security/commit/388a7b62b906bd56deadb7ca45248fa1a63bdf122. https://github.com/spring-projects/spring-security/commit/a40f73521c0dd88b879ff6165d280e78bdf8154f3. https://security.netapp.com/advisory/ntap-20220707-00034. https://tanzu.vmware.com/security/cve-2022-229765. https://www.oracle.com/security-alerts/cpujul2022.html6. https://github.com/spring-io/cve-2022-22976-bcrypt-skips-salt

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.