Description
Vulnerable Library - spring-security-web-4.2.12.RELEASE.jar
spring-security-web
Library home page: https://spring.io/spring-security
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/4.2.12.RELEASE/spring-security-web-4.2.12.RELEASE.jar
Vulnerabilities
| Vulnerability | Severity (CVSS 3) | Exploit Maturity | EPSS | Dependency | Type | Fixed in (spring-security-web version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-38821 | 9.1 | Not Defined | 17.4% | spring-security-web-4.2.12.RELEASE.jar | Direct | 5.7.13, 5.8.15, 6.2.7, 6.3.4 | ✅ | Potentially reachable |
| CVE-2024-22257 | 8.2 | Not Defined | 0.3% | spring-security-core-4.2.1.RELEASE.jar | Transitive | 5.7.12 | ✅ | Potentially reachable |
| CVE-2019-11272 | 7.3 | Not Defined | 0.4% | spring-security-core-4.2.1.RELEASE.jar | Transitive | N/A* | ❌ | Potentially reachable |
| WS-2017-3767 | 6.3 | Not Defined | not scored | spring-security-web-4.2.12.RELEASE.jar | Direct | 4.2.15.RELEASE | ✅ | Potentially reachable |
| WS-2020-0293 | 5.9 | Not Defined | not scored | spring-security-web-4.2.12.RELEASE.jar | Direct | 5.2.9.RELEASE | ✅ | Potentially reachable |
| WS-2016-7107 | 5.9 | Not Defined | not scored | spring-security-web-4.2.12.RELEASE.jar | Direct | 5.2.14.RELEASE | ✅ | Potentially reachable |
| CVE-2024-38827 | 4.8 | Not Defined | 0.1% | spring-security-web-4.2.12.RELEASE.jar, spring-security-core-4.2.1.RELEASE.jar | Direct | 5.7.14 | ✅ | Potentially reachable |
| CVE-2020-5408 | 6.5 | Not Defined | 0.5% | spring-security-core-4.2.1.RELEASE.jar | Transitive | N/A* | ❌ | Unreachable |
| CVE-2019-3795 | 5.3 | Not Defined | 2.0% | spring-security-core-4.2.1.RELEASE.jar | Transitive | N/A* | ❌ | Unreachable |

*For some transitive vulnerabilities there is no version of the direct dependency that carries a fix. Check the "Details" section below for a version of the transitive dependency in which the vulnerability is fixed.

**In some cases a remediation PR cannot be created automatically for a vulnerability even though a remediation is available.
Details
CVE-2024-38821
Vulnerable Library - spring-security-web-4.2.12.RELEASE.jar
spring-security-web
Library home page: https://spring.io/spring-security
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/4.2.12.RELEASE/spring-security-web-4.2.12.RELEASE.jar
Dependency Hierarchy:
- ❌ spring-security-web-4.2.12.RELEASE.jar (Vulnerable Library)
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
org.joychou.security.WebSecurityConfig (Application)
-> org.springframework.security.config.annotation.web.builders.HttpSecurity (Extension)
-> org.springframework.security.config.annotation.web.configurers.JeeConfigurer (Extension)
-> ❌ org.springframework.security.web.authentication.preauth.j2ee.J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource (Vulnerable Component)
Vulnerability Details
Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances. For this to impact an application, all of the following must be true: it must be a WebFlux application, it must be using Spring's static resources support, and it must have a non-permitAll authorization rule applied to the static resources support.

Note that the reachability trace above runs through servlet-stack classes (HttpSecurity, JeeConfigurer, J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource), not the reactive ServerHttpSecurity configuration that WebFlux applications use. Confirm that the application is actually a WebFlux application before treating this finding as reachable; the upgrade is still warranted because 4.2.12.RELEASE predates every supported branch.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2024-10-28
URL: CVE-2024-38821
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 17.4%
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-c4q5-6c82-3qpw
Release Date: 2024-10-28
Fix Resolution: org.springframework.security:spring-security-web 5.7.13, 5.8.15, 6.2.7 or 6.3.4 (the fixed release on each branch; source tags at https://github.com/spring-projects/spring-security.git carry the same version numbers)
In order to enable automatic remediation, please create workflow rules
CVE-2024-22257
Vulnerable Library - spring-security-core-4.2.1.RELEASE.jar
spring-security-core
Library home page: http://spring.io/spring-security
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-core/4.2.1.RELEASE/spring-security-core-4.2.1.RELEASE.jar
Dependency Hierarchy:
- spring-security-web-4.2.12.RELEASE.jar (Root Library)
- ❌ spring-security-core-4.2.1.RELEASE.jar (Vulnerable Library)
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
org.joychou.security.WebSecurityConfig (Application)
-> org.springframework.boot.actuate.autoconfigure.ManagementWebSecurityAutoConfiguration$ManagementWebSecurityConfigurerAdapter (Extension)
-> org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer (Extension)
-> org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler (Extension)
-> org.springframework.security.web.access.expression.WebSecurityExpressionRoot (Extension)
-> ❌ org.springframework.security.access.expression.SecurityExpressionRoot (Vulnerable Component)
Vulnerability Details
In Spring Security versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, 6.0.x prior to 6.0.9, 6.1.x prior to 6.1.8, and 6.2.x prior to 6.2.3, an application is possibly vulnerable to broken access control when it directly uses AuthenticatedVoter#vote and passes a null Authentication parameter.

The trace above reaches SecurityExpressionRoot through the standard URL-authorization expression handler, not through AuthenticatedVoter; the advisory only affects code that calls AuthenticatedVoter#vote directly with a null Authentication, so search the code base for direct AuthenticatedVoter usage before prioritising this finding.
Publish Date: 2024-03-18
URL: CVE-2024-22257
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.3%
CVSS 3 Score Details (8.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-f3jh-qvm4-mg39
Release Date: 2024-03-18
Fix Resolution (org.springframework.security:spring-security-core): 5.7.12
Direct dependency fix Resolution (org.springframework.security:spring-security-web): 5.7.12
In order to enable automatic remediation, please create workflow rules
CVE-2019-11272
Vulnerable Library - spring-security-core-4.2.1.RELEASE.jar
spring-security-core
Library home page: http://spring.io/spring-security
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-core/4.2.1.RELEASE/spring-security-core-4.2.1.RELEASE.jar
Dependency Hierarchy:
- spring-security-web-4.2.12.RELEASE.jar (Root Library)
- ❌ spring-security-core-4.2.1.RELEASE.jar (Vulnerable Library)
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
org.joychou.security.WebSecurityConfig (Application)
-> org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter$3 (Extension)
-> org.springframework.security.config.annotation.authentication.configurers.ldap.LdapAuthenticationProviderConfigurer (Extension)
-> ❌ org.springframework.security.authentication.encoding.PlaintextPasswordEncoder (Vulnerable Component)
Vulnerability Details
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".
Publish Date: 2019-06-26
URL: CVE-2019-11272
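The following is an added example, not Spring Security's source and not code from this repository: it re-implements the comparison pattern that CVE-2019-11272 describes so the failure mode can be seen in isolation. The class and method names are hypothetical; the only Spring-specific fact it relies on is the one in the advisory, that a null encoded password lets a client authenticate with the literal password "null".

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Added example: an illustrative re-implementation of the pattern behind
// CVE-2019-11272, NOT Spring Security's PlaintextPasswordEncoder source.
// Class and method names are hypothetical.
public class NullPasswordDemo {

    // Vulnerable pattern: coercing the stored (encoded) password to a String
    // by concatenation turns a null reference into the four characters "null",
    // which then compares equal to a submitted password of "null".
    static boolean isPasswordValidVulnerable(String encodedPassword, String rawPassword) {
        String stored = "" + encodedPassword;
        return stored.equals(rawPassword);
    }

    // Hardened pattern: an account with no stored credential can never
    // authenticate, whatever the client submits. The comparison itself is
    // constant-time so the check does not leak where the mismatch occurs.
    static boolean isPasswordValidFixed(String encodedPassword, String rawPassword) {
        if (encodedPassword == null || rawPassword == null) {
            return false;
        }
        return MessageDigest.isEqual(
                encodedPassword.getBytes(StandardCharsets.UTF_8),
                rawPassword.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample: an account whose encoded-password column is NULL.
        String storedForAccount = null;

        System.out.println("vulnerable check, client submits \"null\": "
                + isPasswordValidVulnerable(storedForAccount, "null"));
        System.out.println("fixed check, client submits \"null\": "
                + isPasswordValidFixed(storedForAccount, "null"));
        System.out.println("fixed check, genuine match: "
                + isPasswordValidFixed("s3cret", "s3cret"));
    }
}
```

Running it shows the vulnerable check accepting the string "null" for the account with no password while the hardened check rejects it. When auditing an application on an affected version, look for accounts whose password column is NULL (disabled users, accounts created through an external identity provider) as well as for the encoder itself.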
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.4%
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-v33x-prhc-gph5
Release Date: 2019-06-26
Fix Resolution: 4.2.13.RELEASE (the scanner reports the coordinate org.springframework.security:spring-security-cas:4.2.13.RELEASE; the affected artifact here is spring-security-core, which per the version range above needs the same 4.2.13.RELEASE or later)
WS-2017-3767
Vulnerable Library - spring-security-web-4.2.12.RELEASE.jar
spring-security-web
Library home page: https://spring.io/spring-security
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/4.2.12.RELEASE/spring-security-web-4.2.12.RELEASE.jar
Dependency Hierarchy:
- ❌ spring-security-web-4.2.12.RELEASE.jar (Vulnerable Library)
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
org.joychou.security.WebSecurityConfig (Application)
-> org.springframework.security.config.annotation.web.builders.HttpSecurity (Extension)
-> org.springframework.security.config.annotation.web.builders.FilterComparator (Extension)
-> ❌ org.springframework.security.web.authentication.switchuser.SwitchUserFilter (Vulnerable Component)
Vulnerability Details
A Cross-Site Request Forgery (CSRF) vulnerability was found in spring-security before 4.2.15, 5.0.15, 5.1.9, 5.2.3, and 5.3.1. SwitchUserFilter responds to all HTTP methods, so a switch-user request can be triggered by a simple cross-origin GET and the filter is vulnerable to CSRF attacks.
Publish Date: 2017-01-03
URL: WS-2017-3767
Threat Assessment
Exploit Maturity: Not Defined
EPSS:
CVSS 3 Score Details (6.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2017-01-03
Fix Resolution: 4.2.15.RELEASE
In order to enable automatic remediation, please create workflow rules
WS-2020-0293
Vulnerable Library - spring-security-web-4.2.12.RELEASE.jar
spring-security-web
Library home page: https://spring.io/spring-security
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/4.2.12.RELEASE/spring-security-web-4.2.12.RELEASE.jar
Dependency Hierarchy:
- ❌ spring-security-web-4.2.12.RELEASE.jar (Vulnerable Library)
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
org.joychou.security.WebSecurityConfig (Application)
-> org.springframework.security.web.csrf.CsrfFilter$DefaultRequiresCsrfMatcher (Extension)
-> ❌ org.springframework.security.web.csrf.CsrfFilter (Vulnerable Component)
Vulnerability Details
Spring Security before 5.2.9, 5.3.7, and 5.4.3 is vulnerable to a timing side-channel attack: affected versions do not use a constant-time comparison for CSRF tokens, so the comparison returns as soon as the first differing character is found.
Publish Date: 2020-12-17
URL: WS-2020-0293
Threat Assessment
Exploit Maturity: Not Defined
EPSS:
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2020-12-17
Fix Resolution: 5.2.9.RELEASE
In order to enable automatic remediation, please create workflow rules
WS-2016-7107
Vulnerable Library - spring-security-web-4.2.12.RELEASE.jar
spring-security-web
Library home page: https://spring.io/spring-security
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/4.2.12.RELEASE/spring-security-web-4.2.12.RELEASE.jar
Dependency Hierarchy:
- ❌ spring-security-web-4.2.12.RELEASE.jar (Vulnerable Library)
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
org.joychou.controller.Jsonp (Application)
-> ❌ org.springframework.security.web.csrf.CookieCsrfTokenRepository (Vulnerable Component)
Vulnerability Details
CSRF tokens in Spring Security are vulnerable to the BREACH attack (a compression side channel against HTTP responses served over TLS). Affected versions return the same CSRF token to the browser in every response, so a token embedded in compressed response bodies can be recovered by an attacker who can observe response sizes.
Publish Date: 2016-08-02
URL: WS-2016-7107
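The two CSRF advisories above, WS-2020-0293 (non-constant-time token comparison) and WS-2016-7107 (the same token in every response), share one fix surface, so here is a single added example rather than Spring Security code: a minimal token handler that XOR-masks the session token with a fresh random mask on every response and validates with a constant-time comparison. The masking layout (mask followed by masked token) is the same idea Spring Security later adopted in XorCsrfTokenRequestAttributeHandler; the class name, token length and encoding here are this example's own choices.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

// Added example (not Spring Security code): a CSRF token handler applying the
// two mitigations named by WS-2016-7107 and WS-2020-0293, a per-response XOR
// mask and a constant-time comparison. Class name and layout are hypothetical.
public class MaskedCsrfToken {

    private static final SecureRandom RNG = new SecureRandom();
    private static final int TOKEN_LEN = 32;

    // The per-session secret. It is never sent to the browser as-is, so a
    // compression oracle never sees the same secret bytes in two responses.
    static byte[] newSessionToken() {
        byte[] t = new byte[TOKEN_LEN];
        RNG.nextBytes(t);
        return t;
    }

    // Emit mask || (token XOR mask). Every call draws a new mask, so the value
    // embedded in each response differs although the session token does not.
    static String maskForResponse(byte[] token) {
        byte[] mask = new byte[token.length];
        RNG.nextBytes(mask);
        byte[] out = new byte[token.length * 2];
        System.arraycopy(mask, 0, out, 0, mask.length);
        for (int i = 0; i < token.length; i++) {
            out[mask.length + i] = (byte) (token[i] ^ mask[i]);
        }
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    // Recover the token from the submitted value and compare it to the
    // session token without an early-exit, byte-by-byte equality test.
    static boolean validate(byte[] sessionToken, String submitted) {
        if (submitted == null) {
            return false;
        }
        byte[] in;
        try {
            in = Base64.getUrlDecoder().decode(submitted);
        } catch (IllegalArgumentException e) {
            return false;
        }
        if (in.length != sessionToken.length * 2) {
            return false;
        }
        byte[] unmasked = new byte[sessionToken.length];
        for (int i = 0; i < unmasked.length; i++) {
            unmasked[i] = (byte) (in[i] ^ in[sessionToken.length + i]);
        }
        // MessageDigest.isEqual is the JDK's constant-time array comparison;
        // Arrays.equals and String.equals return at the first mismatching byte.
        return MessageDigest.isEqual(sessionToken, unmasked);
    }

    public static void main(String[] args) {
        byte[] session = newSessionToken();
        String first = maskForResponse(session);
        String second = maskForResponse(session);

        System.out.println("same token, different wire values: " + !first.equals(second));
        System.out.println("first wire value validates:  " + validate(session, first));
        System.out.println("second wire value validates: " + validate(session, second));
        System.out.println("value for another session validates: "
                + validate(session, maskForResponse(newSessionToken())));
    }
}
```

The masking only protects the token's appearance in response bodies; the token itself must still live in server-side session state (or a cookie the attacker cannot read) and the length check before unmasking is what keeps a malformed submission from reaching the comparison at all.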
Threat Assessment
Exploit Maturity: Not Defined
EPSS:
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.mend.io/vulnerability-database/WS-2016-7107
Release Date: 2016-08-02
Fix Resolution: 5.2.14.RELEASE
In order to enable automatic remediation, please create workflow rules
CVE-2024-38827
Vulnerable Libraries - spring-security-web-4.2.12.RELEASE.jar, spring-security-core-4.2.1.RELEASE.jar
spring-security-web-4.2.12.RELEASE.jar
spring-security-web
Library home page: https://spring.io/spring-security
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/4.2.12.RELEASE/spring-security-web-4.2.12.RELEASE.jar
Dependency Hierarchy:
- ❌ spring-security-web-4.2.12.RELEASE.jar (Vulnerable Library)
spring-security-core-4.2.1.RELEASE.jar
spring-security-core
Library home page: http://spring.io/spring-security
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-core/4.2.1.RELEASE/spring-security-core-4.2.1.RELEASE.jar
Dependency Hierarchy:
- spring-security-web-4.2.12.RELEASE.jar (Root Library)
- ❌ spring-security-core-4.2.1.RELEASE.jar (Vulnerable Library)
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
org.joychou.security.WebSecurityConfig (Application)
-> org.springframework.security.web.util.matcher.AntPathRequestMatcher (Extension)
-> ❌ org.springframework.security.web.util.matcher.AntPathRequestMatcher$SubpathMatcher (Vulnerable Component)
Vulnerability Details
String.toLowerCase() and String.toUpperCase() without an explicit Locale use the JVM default locale, and some locales have special casing rules (the best-known is Turkish, where "I" lower-cases to the dotless "ı"). Case-insensitive request matching built on these calls can therefore fail to match paths it was meant to cover, leaving authorization rules not working properly.
Publish Date: 2024-12-02
URL: CVE-2024-38827
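An added example (not Spring Security code, and not the AntPathRequestMatcher implementation) that makes the locale dependence in CVE-2024-38827 visible: a case-insensitive path comparison folded with the default locale versus one pinned to Locale.ROOT, run with the JVM default switched to Turkish. Method names and the sample rule are this example's own.

```java
import java.util.Locale;

// Added example (not Spring Security code) showing the locale dependence
// behind CVE-2024-38827. Method names and sample values are hypothetical.
public class LocaleCaseFoldingDemo {

    // Vulnerable pattern: folds with whatever Locale.getDefault() happens to be.
    static boolean matchesDefaultLocale(String rulePath, String requestPath) {
        return rulePath.toLowerCase().equals(requestPath.toLowerCase());
    }

    // Hardened pattern: pin the folding to a locale with no special casing
    // rules so the result is identical on every deployment.
    static boolean matchesPinnedLocale(String rulePath, String requestPath) {
        return rulePath.toLowerCase(Locale.ROOT).equals(requestPath.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        Locale original = Locale.getDefault();
        try {
            // Simulate a server whose JVM default locale is Turkish, where
            // "I".toLowerCase() yields dotless "\u0131" rather than "i".
            Locale.setDefault(Locale.forLanguageTag("tr-TR"));

            String rulePath = "/admin";     // constructed: a case-insensitive rule on /admin
            String requestPath = "/ADMIN";  // constructed: what the client actually sent

            System.out.println("default-locale fold of " + requestPath + ": " + requestPath.toLowerCase());
            System.out.println("rule matches via default locale: " + matchesDefaultLocale(rulePath, requestPath));
            System.out.println("rule matches via Locale.ROOT:    " + matchesPinnedLocale(rulePath, requestPath));
        } finally {
            Locale.setDefault(original);
        }
    }
}
```

Under the Turkish default the request "/ADMIN" folds to "/adm\u0131n", which is not equal to "/admin", so the default-locale match fails while the pinned one succeeds. Whether that mismatch becomes a bypass depends on whether the container routes "/ADMIN" to the same handler as "/admin", which is why the advisory's score carries a high attack complexity.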
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2024-38827
Release Date: 2024-12-02
Fix Resolution (org.springframework.security:spring-security-core): 5.7.14
Direct dependency fix Resolution (org.springframework.security:spring-security-web): 5.7.14
In order to enable automatic remediation, please create workflow rules
CVE-2020-5408
Vulnerable Library - spring-security-core-4.2.1.RELEASE.jar
spring-security-core
Library home page: http://spring.io/spring-security
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-core/4.2.1.RELEASE/spring-security-core-4.2.1.RELEASE.jar
Dependency Hierarchy:
- spring-security-web-4.2.12.RELEASE.jar (Root Library)
- ❌ spring-security-core-4.2.1.RELEASE.jar (Vulnerable Library)
Found in base branch: master
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.
Publish Date: 2020-05-14
URL: CVE-2020-5408
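The weakness in CVE-2020-5408 is easier to reason about with the cipher in hand, so here is an added example using the JDK's own AES-CBC rather than Spring Security's Encryptors code. It encrypts a few constructed values with a fixed all-zero IV, then runs the dictionary attack the advisory describes from the attacker's position: no key, only the stored ciphertexts and an oracle that encrypts attacker-chosen values (in a real application, any feature that stores user-supplied data through the same encryptor). The random-IV variant is then attacked the same way. The key, the sample values and the wordlist are all constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added example (not Spring Security code) reproducing the weakness in
// CVE-2020-5408 with the JDK's AES-CBC: a fixed all-zero IV makes encryption
// deterministic, so equal plaintexts give equal ciphertexts and a dictionary
// attack works without the key. Key and sample values are constructed.
public class NullIvDictionaryDemo {

    private static final byte[] KEY = new byte[16];      // constructed 128-bit key (all zero)
    private static final byte[] ZERO_IV = new byte[16];  // the fixed null IV of the advisory
    private static final SecureRandom RNG = new SecureRandom();

    interface Encryptor { byte[] encrypt(String plaintext) throws Exception; }

    static byte[] cbc(int mode, byte[] iv, byte[] input) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(mode, new SecretKeySpec(KEY, "AES"), new IvParameterSpec(iv));
        return c.doFinal(input);
    }

    // Vulnerable: the same plaintext always produces the same ciphertext.
    static byte[] encryptQueryable(String plaintext) throws Exception {
        return cbc(Cipher.ENCRYPT_MODE, ZERO_IV, plaintext.getBytes(StandardCharsets.UTF_8));
    }

    // Fixed: a fresh random IV per message, prepended so the holder of the
    // key can still decrypt; equal plaintexts no longer look alike.
    static byte[] encryptRandomIv(String plaintext) throws Exception {
        byte[] iv = new byte[16];
        RNG.nextBytes(iv);
        byte[] body = cbc(Cipher.ENCRYPT_MODE, iv, plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + body.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(body, 0, out, iv.length, body.length);
        return out;
    }

    // Attacker's side: push every wordlist entry through the oracle and look
    // for a byte-for-byte match among the ciphertexts read from the store.
    static Map<String, String> dictionaryAttack(List<byte[]> observed, List<String> wordlist,
                                                Encryptor oracle) throws Exception {
        Map<String, String> recovered = new HashMap<>();
        for (String candidate : wordlist) {
            byte[] guess = oracle.encrypt(candidate);
            for (byte[] ct : observed) {
                if (Arrays.equals(ct, guess)) {
                    recovered.put(hex(ct), candidate);
                }
            }
        }
        return recovered;
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed: values an application might store with a queryable encryptor.
        List<String> stored = List.of("alice@example.com", "bob@example.com", "carol@example.com");
        // Constructed: the attacker's wordlist; two entries overlap with the store.
        List<String> wordlist = List.of("mallory@example.com", "bob@example.com", "alice@example.com");

        List<byte[]> nullIvCts = new ArrayList<>();
        for (String s : stored) nullIvCts.add(encryptQueryable(s));
        System.out.println("null IV, values recovered: "
                + dictionaryAttack(nullIvCts, wordlist, NullIvDictionaryDemo::encryptQueryable).values());

        List<byte[]> randomIvCts = new ArrayList<>();
        for (String s : stored) randomIvCts.add(encryptRandomIv(s));
        System.out.println("random IV, values recovered: "
                + dictionaryAttack(randomIvCts, wordlist, NullIvDictionaryDemo::encryptRandomIv).values());
    }
}
```

With the zero IV the attack recovers the two overlapping entries; with a random IV per message it recovers nothing, because the oracle's output for the same plaintext never repeats. Note that a queryable encryptor is deterministic by design (that is what makes equality queries possible), so upgrading removes the null IV but a column encrypted this way still leaks equality between rows.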
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.5%
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Change files
Release Date: 2020-04-07
Fix Resolution: Replace or update the following files: BCryptPasswordEncoderTests.java, BCryptPasswordEncoder.java (scanner output; the affected component per the description above is the queryable text encryptor, and the version ranges given there put the upgrade target for this branch at spring-security-core 4.2.16.RELEASE or later)
CVE-2019-3795
Vulnerable Library - spring-security-core-4.2.1.RELEASE.jar
spring-security-core
Library home page: http://spring.io/spring-security
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-core/4.2.1.RELEASE/spring-security-core-4.2.1.RELEASE.jar
Dependency Hierarchy:
- spring-security-web-4.2.12.RELEASE.jar (Root Library)
- ❌ spring-security-core-4.2.1.RELEASE.jar (Vulnerable Library)
Found in base branch: master
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.
Publish Date: 2019-04-09
URL: CVE-2019-3795
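An added example, not Spring Security's SecureRandomFactoryBean source, showing why seeding matters in CVE-2019-3795. It relies on one JDK fact: the SHA1PRNG algorithm treats a seed supplied before any output has been drawn as its entire state, whereas a seed supplied after the generator has self-seeded only supplements that state. The algorithm name and the seed value are the example's own choices.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

// Added example (not Spring Security code) showing the behaviour behind
// CVE-2019-3795 with the JDK's SHA1PRNG. Method names are hypothetical.
public class SeededSecureRandomDemo {

    // Vulnerable pattern: the application-supplied seed becomes the whole
    // PRNG state, so anyone who learns (or guesses) the seed reproduces the
    // entire output stream.
    static byte[] drawSeededFirst(byte[] seed, int n) throws Exception {
        SecureRandom r = SecureRandom.getInstance("SHA1PRNG");
        r.setSeed(seed);
        byte[] out = new byte[n];
        r.nextBytes(out);
        return out;
    }

    // Hardened pattern: draw once so the PRNG self-seeds from the platform
    // entropy source, then mix the caller's seed in as supplementary input.
    static byte[] drawSelfSeededThenMix(byte[] seed, int n) throws Exception {
        SecureRandom r = SecureRandom.getInstance("SHA1PRNG");
        r.nextBytes(new byte[1]);
        r.setSeed(seed);
        byte[] out = new byte[n];
        r.nextBytes(out);
        return out;
    }

    public static void main(String[] args) throws Exception {
        byte[] seed = "constructed-app-seed".getBytes(StandardCharsets.UTF_8);  // constructed

        byte[] a = drawSeededFirst(seed, 16);
        byte[] b = drawSeededFirst(seed, 16);
        System.out.println("two seed-only generators agree: " + Arrays.equals(a, b));

        byte[] c = drawSelfSeededThenMix(seed, 16);
        byte[] d = drawSelfSeededThenMix(seed, 16);
        System.out.println("two self-seeded generators agree: " + Arrays.equals(c, d));
    }
}
```

The first pair of generators produces identical bytes, the second pair does not. As the advisory says, the impact requires the application both to supply a seed and to expose the resulting random material (session identifiers, tokens, salts) to an attacker; in this repository spring-security-core is at 4.2.1, below the 4.2.12 the description names as fixed, so aligning it with the 4.2.12 spring-security-web already declared would also close this finding.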
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 2.0%
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
In order to enable automatic remediation for this issue, please create workflow rules