Spring Security Advisories

CVE-2023-20861: Spring Expression DoS Vulnerability

MEDIUM | MARCH 24, 2023 | CVE-2023-20861

In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

CVE-2023-20859: Insertion of Sensitive Information into Log Sourced from Failed Revocation of Tokens

MEDIUM | MARCH 20, 2023 | CVE-2023-20859

In Spring Vault, versions 3.0.x prior to 3.0.2 and versions 2.3.x prior to 2.3.3 and older versions, an application is vulnerable to insertion of sensitive information into a log file when it attempts to revoke a Vault batch token.

Specifically, an application is vulnerable when all of the following are true:

  • The authentication mechanism creates Batch tokens.
  • Usage of LifecycleAwareSessionManager in an imperative-only arrangement.
  • LifecycleAwareSessionManager.destroy() is called by the application or the application shutdown hook
  • The logging level for LifecycleAwareSessionManager or org.springframework.vault.authentication is set at least to WARN

CVE-2022-22979: Spring Cloud Function Dos Vulnerability

HIGH | JUNE 15, 2022 | CVE-2022-22979

In Spring Cloud Function versions 3.2.5 and older unsupported versions, it is possible for a user who directly interacts with framework provided lookup functionality to cause denial of service condition due to the caching issue in Function Catalog…

CVE-2022-22976: BCrypt skips salt rounds for work factor of 31

MEDIUM | MAY 17, 2022 | CVE-2022-22976

Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error.

The default settings are not affected by this CVE.

Only in circumstances where the BCryptPasswordEncoder has been configured with the maximum work factor are affected. Due to current limitations in computer hardware, the use of such a high work factor is computationally impractical.

You need to be using BCrypt with a work factor of 31 to be impacted. You can check whether or not your passwords are impacted by using the following mitigation tool.

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Spring Runtime offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all