VMware

Spring Security

38 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
  • EPSS 1.88%
  • Veröffentlicht 09.04.2019 16:29:01
  • Zuletzt bearbeitet 21.11.2024 04:42:33

Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an ...

  • EPSS 2.86%
  • Veröffentlicht 16.03.2018 20:29:00
  • Zuletzt bearbeitet 21.11.2024 03:59:22

Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a ...

  • EPSS 2.55%
  • Veröffentlicht 27.11.2017 10:29:00
  • Zuletzt bearbeitet 13.05.2026 00:24:29

An issue was discovered in Pivotal Spring Security 4.2.0.RELEASE through 4.2.2.RELEASE, and Spring Security 5.0.0.M1. When configured to enable default typing, Jackson contained a deserialization vulnerability that could lead to arbitrary code execut...

  • EPSS 2.84%
  • Veröffentlicht 25.05.2017 17:29:00
  • Zuletzt bearbeitet 13.05.2026 00:24:29

Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching me...

  • EPSS 1.81%
  • Veröffentlicht 25.05.2017 17:29:00
  • Zuletzt bearbeitet 13.05.2026 00:24:29

When using the CAS Proxy ticket authentication from Spring Security 3.1 to 3.2.4 a malicious CAS Service could trick another CAS Service into authenticating a proxy ticket that was not associated. This is due to the fact that the proxy ticket authent...

  • EPSS 1.21%
  • Veröffentlicht 25.05.2017 17:29:00
  • Zuletzt bearbeitet 13.05.2026 00:24:29

The ActiveDirectoryLdapAuthenticator in Spring Security 3.2.0 to 3.2.1 and 3.1.0 to 3.1.5 does not check the password length. If the directory allows anonymous binds then it may incorrectly authenticate a user who supplies an empty password.

  • EPSS 1.42%
  • Veröffentlicht 06.01.2017 22:59:00
  • Zuletzt bearbeitet 06.05.2026 22:30:45

An issue was discovered in Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1. Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded "...

  • EPSS 8.53%
  • Veröffentlicht 04.10.2011 10:55:09
  • Zuletzt bearbeitet 16.06.2026 23:32:12

Spring Framework 3.0.0 through 3.0.5, Spring Security 3.0.0 through 3.0.5 and 2.0.0 through 2.0.6, and possibly other versions deserialize objects from untrusted sources, which allows remote attackers to bypass intended security restrictions and exec...