We have released Spring Security 4.2.13 to address CVE-2019-11272: PlaintextPasswordEncoder authenticates encoded passwords that are null.

Users are encouraged to update immediately.

With Spring Boot, you can override the Spring Security version in Maven like so:

Or in Gradle like so:

Note that users of Spring Security 5+ are not affected by this vulnerability.

We have released Spring Security OAuth 2.3.6, 2.2.5, 2.1.5 and 2.0.18 to address CVE-2019-11269: Open Redirector in spring-security-oauth2. Please review the information in the CVE report and upgrade immediately.

For additional changes included in each release, please refer to:

NOTE: For users of Spring Boot 1.5.x and Spring IO Platform Cairo, it is highly recommended to override the spring-security-oauth version to the latest version containing the fix for the CVE. Please see the Mitigation section in the CVE report for detailed instructions on how to override the version.

On behalf of the community, I’m pleased to announce the release of Spring Security 5.2.0.M2! This release includes 100+ updates. You can find the highlights below:

We have released Spring Security 4.2.12, 5.0.12, and 5.1.5 to address CVE-2019-3795: Insecure Randomness with SecureRandomFactoryBean. Users are encouraged to update immediately.

On behalf of the community I am pleased to announce the release of Spring Security 5.1.4 (changelog). This release provides a round of bug fixes and users are encouraged to update to the latest patch release.

Project Site | Reference | Help

On behalf of the community I am pleased to announce the release of Spring Security 5.1.3 (changelog), 5.0.11 (changelog), and 4.2.11 (changelog). This series of releases provides a round of bug fixes and users are encouraged to update to the latest patch release.

Project Site | Reference | Help

I’m pleased to announce on behalf of the community Spring Security OAuth2 Boot Auto-config 2.0.6 and 2.1.0.

Both releases primarily deliver bug fixes and dependency version updates along with some minor improvements. Of particular note is that these align with recent releases of Spring Boot.

Note that for 2.1.0, gaps in configuration of keys between Resource Server and Authorization Server were brought into parity. Now, it’s possible on the Authorization Server side to configure a single key:

On behalf of the community, I am pleased to announce that the Spring Security 5.0.8 (changelog) and 4.2.8 (changelog) have been released. The releases primarily deliver bug fixes and dependency version updates along with some minor improvements. The releases will be found in the upcoming Spring Boot maintenance releases coming this week.

Project Site | 4.x Reference | 5.x Reference | Help

On behalf of the community I am pleased to announce the release of Spring Security 5.1.0.RC2. This release comes with 50+ tickets closed.

As always we look forward to hearing your feedback! You can find the highlights below:

I’m pleased to announce on behalf of the community Spring Security OAuth2 Boot Auto-config 2.0.4 and 2.1.0.M2.

Both releases primarily deliver bug fixes and dependency version updates along with some minor improvements. Of particular note is that these align with recent releases of Spring Boot.

For a complete list of changes, please refer to the 2.0.4 changelog and 2.1.0.M2 changelog.

Project Site | Reference | Help