CVE-2014-3527 Fixed in Spring Security 3.2.5 and 3.1.7

Releases | Rob Winch | August 15, 2014 | ...

Spring Security 3.2.5 (change log) and 3.1.7 (change log) have been released and are available in Maven Central. Important highlights of this release are:

  • This release contains a fix for CVE-2014-3527 which resolves an issue where a malicious CAS Service can impersonate another CAS Service when using proxy tickets.
  • This release updates the transitive dependencies of the cas module to cas-client-core which has a fix for CVE-2014-4172. This issue was not in Spring Security itself, but the library in which it depends on.

A special thanks to Scott Battaglia & the rest of the CAS team for relaying CVE-2014-3527 to the Spring Security team and coordinating with the Spring Security team on the CAS release to resolve CVE-2014-4172.

SpringOne 2GX 2014 is around the corner

Book your place at SpringOne in Dallas, TX for Sept 8-11 soon. It's simply the best opportunity to find out first hand all that's going on and to provide direct feedback. There will be deep dive sessions on the latest updates to Spring, Groovy, and Grails!

Get the Spring newsletter

Thank you!

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Spring Runtime offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all