VMware

Spring Security

31 vulnerabilities found.

Note: This list may be incomplete. Data is provided without warranty in its original format.
Media report
  • EPSS 0.05%
  • Published 22.04.2026 05:32:48
  • Last modified 24.04.2026 14:16:07

Vulnerability in Spring Security. If an application uses <sec:intercept-url servlet-path="/servlet-path" pattern="/endpoint/**"/> to define the servlet path for computing a path matcher, then the servlet path is not included and the related au...

Media report
  • EPSS 0.07%
  • Published 22.04.2026 05:20:31
  • Last modified 24.04.2026 14:17:02

Vulnerability in Spring Security. If an application is using securityMatchers(String) and a PathPatternRequestMatcher.Builder bean to prepend a servlet path, matching requests to that filter chain may fail and its related security components w...

  • EPSS 0.06%
  • Published 22.04.2026 05:15:03
  • Last modified 24.04.2026 14:18:17

Vulnerability in Spring Security. When an application configures JWT decoding with NimbusJwtDecoder or NimbusReactiveJwtDecoder, it must configure an OAuth2TokenValidator<Jwt> separately, for example by calling setJwtValidator. This issue affe...

  • EPSS 0.03%
  • Published 22.04.2026 05:08:41
  • Last modified 24.04.2026 14:18:56

Vulnerability in Spring Security. SubjectX500PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can l...

  • EPSS 0.05%
  • Published 22.04.2026 05:02:24
  • Last modified 24.04.2026 14:20:02

Vulnerability in Spring Security. If an application is using the UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked user attributes to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can ...

  • EPSS 0.04%
  • Published 21.04.2026 18:30:35
  • Last modified 01.05.2026 12:11:12

Vulnerability in Spring Security. Applications that explicitly configure One-Time Token login with JdbcOneTimeTokenService are vulnerable to a Time-of-check Time-of-use (TOCTOU) race condition. This issue affects Spring Security: from 6.4.0 th...

Media report Exploit
  • EPSS 0.03%
  • Published 19.03.2026 22:47:38
  • Last modified 16.04.2026 04:29:24

When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP headers will not be written. This issue affects Spring Security Servlet applications using lazy (default) writing ...

  • EPSS 0.06%
  • Published 16.09.2025 10:10:59
  • Last modified 15.04.2026 00:35:42

The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue when using @PreAuthorize and other method securi...

  • EPSS 0.4%
  • Published 02.12.2024 15:15:11
  • Last modified 15.04.2026 00:35:42

The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in authorization rules not working properly.

  • EPSS 0.97%
  • Published 20.08.2024 04:15:07
  • Last modified 28.02.2025 22:37:56

Missing Authorization when using @AuthorizeReturnObject in Spring Security 6.3.0 and 6.3.1 allows an attacker to render security annotations ineffective.