In Spring Vault, versions 3.0.x prior to 3.0.2 and versions 2.3.x prior to 2.3.3 and older versions, an application is vulnerable to insertion of sensitive information into a log file when it attempts to revoke a Vault batch token.
Specifically, an application is vulnerable when all of the following are true:
The authentication mechanism creates Batch tokens.
Usage of LifecycleAwareSessionManager in an imperative-only arrangement.
LifecycleAwareSessionManager.destroy() is called by the application or by the application shutdown hook.
The logging level for LifecycleAwareSessionManager or org.springframework.vault.authentication is set at least to WARN…
Spring Tools 4 for Eclipse version 4.16.0 and below as well as VSCode extensions such as Spring Boot Tools, Concourse CI Pipeline Editor, Bosh Editor and Cloudfoundry Manifest YML Support version 1.39.0 and below all use Snakeyaml library for YAML…
Spring Security, versions 5.7 prior to 5.7.5, and 5.6 prior to 5.6.9, and older unsupported versions could be susceptible to a privilege escalation under certain conditions. A malicious user or attacker can modify a request initiated by the Client…
Spring Security, versions 5.7 prior to 5.7.5 and 5.6 prior to 5.6.9 could be susceptible to authorization rules bypass via forward or include dispatcher types.
Specifically, an application is vulnerable when all of the following are true:
Reactor Netty HTTP Server, in versions 1.0.11 - 1.0.23, may log request headers in some cases of invalid HTTP requests. The logged headers may reveal valid access tokens to those with access to server logs. This may affect only invalid HTTP…
Applications that allow HTTP PATCH access to resources exposed by Spring Data REST in versions 3.6.0 - 3.6.5, 3.7.0 - 3.7.2, and older unsupported versions are vulnerable: if an attacker knows about the structure of the underlying domain model, they can craft…
A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized.
In Spring Cloud Function versions 3.2.5 and older unsupported versions, it is possible for a user who directly interacts with framework-provided lookup functionality to cause a denial of service condition due to a caching issue in the Function Catalog…
Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error.
The default settings are not affected by this CVE.
Only applications whose BCryptPasswordEncoder has been configured with the maximum work factor are affected. Due to current limitations in computer hardware, the use of such a high work factor is computationally impractical.
You need to be using BCrypt with a work factor of 31 to be impacted. You can check whether or not your passwords are impacted by using the following mitigation tool.
Affected Spring Products and Versions
Spring Security
5.5.x prior to 5.5.7
5.6.x prior to 5.6.4
Earlier unsupported versions
Mitigation
Prior to updating to the latest, please update your BCryptPasswordEncoder to use a lower number of rounds. At the time of this writing, OWASP recommends a value of 10.
Then, use the above-referenced mitigation tool to update your password hashes.
Once your password hashes are updated, you should update your version according to the following: 5.5.x users should upgrade to 5.5.7, 5.6.x users should upgrade to 5.6.4, or users should upgrade to 5.7.0. After upgrading your Spring Security dependency, you should advise affected users to change their password.
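As an added illustration (not the advisory's mitigation tool and not Spring Security code), the following Python emulates the Java int arithmetic behind the work-factor-31 overflow and parses the cost field of stored bcrypt hashes to flag the ones produced at that work factor. The sample hashes are constructed, and the round-count model (`1 << log_rounds` in a 32-bit int driving the key-stretching loop) is an assumption about the affected implementation.

```python
import re
from typing import List, Optional

# Modular-crypt layout of a bcrypt hash: $<version>$<2-digit cost>$<22-char salt><31-char digest>
_BCRYPT_RE = re.compile(r"^\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}$")

# Constructed sample values (not real credentials): a salt and digest of the right
# shape, reused under different cost fields purely to exercise the cost parser.
SAMPLE_SALT = "N9qo8uLOickgx2ZMRZoMye"
SAMPLE_DIGEST = "IjZAgcfl7p92ldGxad68LJZdL17lhWy"
SAMPLE_HASHES = [
    "$2a$10$" + SAMPLE_SALT + SAMPLE_DIGEST,   # OWASP-recommended cost, unaffected
    "$2a$31$" + SAMPLE_SALT + SAMPLE_DIGEST,   # maximum work factor, affected
    "$2b$12$" + SAMPLE_SALT + SAMPLE_DIGEST,   # unaffected
    "{noop}plaintext",                         # not bcrypt at all, skipped
]

def to_java_int(value: int) -> int:
    """Wrap an arbitrary Python integer into Java's signed 32-bit int range."""
    value &= 0xFFFFFFFF
    return value - 0x1_0000_0000 if value & 0x8000_0000 else value

def effective_rounds(work_factor: int) -> int:
    """Key-stretching iterations actually run for a given work factor.

    Assumption about the affected implementation (not spelled out in the advisory):
    the round count is computed as `1 << log_rounds` in a Java int and drives a
    `for (i = 0; i < rounds; i++)` loop, so once the shift wraps negative at 31 the
    loop body never executes, which is the "no salt rounds" behaviour described above.
    """
    rounds = to_java_int(1 << work_factor)
    return rounds if rounds > 0 else 0

def bcrypt_cost(stored_hash: str) -> Optional[int]:
    """Return the cost field of a bcrypt hash, or None if the string is not bcrypt."""
    match = _BCRYPT_RE.match(stored_hash)
    return int(match.group(1)) if match else None

def affected_indices(hashes: List[str]) -> List[int]:
    """Indices of stored hashes whose cost field yields zero effective rounds."""
    return [i for i, h in enumerate(hashes)
            if (cost := bcrypt_cost(h)) is not None and effective_rounds(cost) == 0]

if __name__ == "__main__":
    for wf in (10, 30, 31):
        print(f"work factor {wf:2d}: {effective_rounds(wf)} rounds")
    print("affected hashes at indices:", affected_indices(SAMPLE_HASHES))
```

Hashes flagged by `affected_indices` are the ones to re-encode at a lower cost before upgrading, as the mitigation above describes.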
In Spring Security versions 5.4.10, 5.5.6, and 5.6.3 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers.
Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
Affected Spring Products and Versions
Spring Security
5.4.x prior to 5.4.11
5.5.x prior to 5.5.7
5.6.x prior to 5.6.4
Earlier unsupported versions
Mitigation
Users should update to a version that includes fixes. 5.5.x users should upgrade to 5.5.7 or greater. 5.6.x users should upgrade to 5.6.4 or greater. Releases that have fixed this issue include: