CVE-2025-22228: Spring Security BCryptPasswordEncoder does not enforce maximum password length

HIGH | MARCH 19, 2025 | CVE-2025-22228

Description

BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same.

Affected Spring Products and Versions

Spring Security:

  • 5.7.0 - 5.7.15
  • 5.8.0 - 5.8.17
  • 6.0.0 - 6.0.15
  • 6.1.0 - 6.1.13
  • 6.2.0 - 6.2.9
  • 6.3.0 - 6.3.7
  • 6.4.0 - 6.4.3
  • Older, unsupported versions are also affected

CVE-2024-38829: Spring LDAP Spring LDAP sensitive data exposure for case-sensitive comparisons

LOW | NOVEMBER 19, 2024 | CVE-2024-38829

Description

The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in unintended columns from being queried

Related to CVE-2024-38820

Affected Spring Products and Versions

Spring LDAP:

  • 2.4.0 - 2.4.3
  • 3.0.0 - 3.0.9
  • 3.1.0 - 3.1.7
  • 3.2.0 - 3.2.7
  • Older, unsupported versions are also affected

Authorization Bypass of Static Resources in WebFlux Applications

CRITICAL | OCTOBER 22, 2024 | CVE-2024-38821

Description

Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances.

For this to impact an application, all of the following must be true:

  • It must be a WebFlux application
  • It must be using Spring's static resources support
  • It must have a non-permitAll authorization rule applied to the static resources support

CVE-2024-38810: Missing Authorization When Using @AuthorizeReturnObject

HIGH | AUGUST 19, 2024 | CVE-2024-38810

Description

Applications using @AuthorizeReturnObject or the Spring Security produced AuthorizationAdvisorProxyFactory @Bean to wrap objects may not have all security advice applied.

When method security advice is not applied, it means that annotations like @PreFilter and @PreAuthorize may take no affect…

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all