VMware

Spring Security

38 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
  • EPSS 0.3%
  • Veröffentlicht 22.04.2026 05:08:41
  • Zuletzt bearbeitet 30.06.2026 03:17:27

Vulnerability in Spring Spring Security. SubjectX500PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can l...

  • EPSS 0.22%
  • Veröffentlicht 22.04.2026 05:02:24
  • Zuletzt bearbeitet 24.04.2026 14:20:02

Vulnerability in Spring Spring Security. If an application is using the UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked user attributes, to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can ...

  • EPSS 0.12%
  • Veröffentlicht 21.04.2026 18:30:35
  • Zuletzt bearbeitet 01.05.2026 12:11:12

Vulnerability in Spring Spring Security. Applications that explicitly configure One-Time Token login with JdbcOneTimeTokenService are vulnerable to a Time-of-check Time-of-use (TOCTOU) race condition. This issue affects Spring Security: from 6.4.0 th...

Medienbericht Exploit
  • EPSS 0.48%
  • Veröffentlicht 19.03.2026 22:47:38
  • Zuletzt bearbeitet 16.04.2026 04:29:24

When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written.  This issue affects Spring Security Servlet applications using lazy (default) writing ...

  • EPSS 0.43%
  • Veröffentlicht 16.09.2025 10:10:59
  • Zuletzt bearbeitet 15.04.2026 00:35:42

The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue when using @PreAuthorize and other method securi...

  • EPSS 0.39%
  • Veröffentlicht 02.12.2024 15:15:11
  • Zuletzt bearbeitet 15.04.2026 00:35:42

The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in authorization rules not working properly.

  • EPSS 0.43%
  • Veröffentlicht 20.08.2024 04:15:07
  • Zuletzt bearbeitet 28.02.2025 22:37:56

Missing Authorization When Using @AuthorizeReturnObject in Spring Security 6.3.0 and 6.3.1 allows attacker to render security annotations inaffective.

  • EPSS 0.68%
  • Veröffentlicht 20.02.2024 07:15:09
  • Zuletzt bearbeitet 02.04.2025 20:10:31

In Spring Security, versions 6.1.x prior to 6.1.7 and versions 6.2.x prior to 6.2.2, an application is vulnerable to broken access control when it directly uses the AuthenticationTrustResolver.isFullyAuthenticated(Authentication) method. Specificall...

  • EPSS 0.22%
  • Veröffentlicht 05.02.2024 22:15:55
  • Zuletzt bearbeitet 03.06.2025 19:15:32

The spring-security.xsd file inside the spring-security-config jar is world writable which means that if it were extracted it could be written by anyone with access to the file system. While there are no known exploits, this is an example of “CWE...

  • EPSS 3.47%
  • Veröffentlicht 19.07.2023 15:15:11
  • Zuletzt bearbeitet 21.11.2024 08:06:26

Using "**" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux, and the potential for a security bypass.