fix(deps): update dependency org.springframework.security:spring-security-core to v5 [security] #29
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
…rity-core to v5 [security]
renovate
bot
force-pushed
the
renovate/maven-org.springframework.security-spring-security-core-vulnerability
branch
from
c2f6bf0
to
13cab73
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
3.1.3.RELEASE->5.7.12GitHub Vulnerability Alerts
CVE-2016-5007
Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x (as well as other unsupported versions) rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.
CVE-2020-5408
Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.
CVE-2014-3527
When using Spring Security's CAS Proxy ticket authentication a malicious CAS Service could trick another CAS Service into authenticating a proxy ticket that was not associated. This is due to the fact that the proxy ticket authentication uses the information from the HttpServletRequest which is populated based upon untrusted information within the HTTP request.
This means if there are access control restrictions on which CAS services can authenticate to one another, those restrictions can be bypassed.
If users are not using CAS Proxy tickets and not basing access control decisions based upon the CAS Service, then there is no impact to users.
Mitigation
Users of affected versions should apply the following mitigation:
Credit
This issue was identified by David Ohsie and brought to our attention by the CAS Development team.
CVE-2014-0097
The ActiveDirectoryLdapAuthenticator in Spring Security 3.2.0 to 3.2.1 and 3.1.0 to 3.1.5 does not check the password length. If the directory allows anonymous binds then it may incorrectly authenticate a user who supplies an empty password.
CVE-2012-5055
DaoAuthenticationProvider in VMware SpringSource Spring Security before 2.0.8, 3.0.x before 3.0.8, and 3.1.x before 3.1.3 does not check the password if the user is not found, which makes the response delay shorter and might allow remote attackers to enumerate valid usernames via a series of login requests.
CVE-2019-11272
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of ?null?.
CVE-2024-22257
In Spring Security, versions 5.7.x prior to 5.7.12, 5.8.x prior to 5.8.11, versions 6.0.x prior to 6.0.9, versions 6.1.x prior to 6.1.8, versions 6.2.x prior to 6.2.3, an application is possible vulnerable to broken access control when it directly uses the AuthenticatedVoter#vote passing a null Authentication parameter.
Specifically, an application is vulnerable if:
The application uses AuthenticatedVoter directly and a null authentication parameter is passed to it resulting in an erroneous true return value.
An application is not vulnerable if any of the following is true:
Note that AuthenticatedVoter is deprecated since 5.8, use implementations of AuthorizationManager as a replacement.
CVE-2016-9879
Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded "/" to a request, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification (see below). Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. The unexpected presence of path parameters can cause a constraint to be bypassed.
Users of Apache Tomcat (all current versions) are not affected by this vulnerability since Tomcat follows the guidance previously provided by the Servlet Expert group and strips path parameters from the value returned by getContextPath(), getServletPath() and getPathInfo() [1].
Users of other Servlet containers based on Apache Tomcat may or may not be affected depending on whether or not the handling of path parameters has been modified.
Users of IBM WebSphere Application Server 8.5.x are known to be affected.
Users of other containers that implement the Servlet specification may be affected.
[1] https://issues.apache.org/bugzilla/show_bug.cgi?id=25015
Affected Pivotal Products and Versions
Severity is high unless otherwise noted.
Mitigation
Adopting one of the following mitigations will protect against this vulnerability.
Credit
The issue was identified by Shumpei Asahara & Yuji Ito from NTT DATA Corporation and responsibly reported to Pivotal.
CVE-2022-22978
In Spring Security versions 5.5.6 and 5.5.7 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with
.in the regular expression are possibly vulnerable to an authorization bypass.Release Notes
spring-projects/spring-security (org.springframework.security:spring-security-core)
v5.7.12Compare Source
🪲 Bug Fixes
nullAuthentication #14715v5.7.11Compare Source
⭐ New Features
v5.7.10Compare Source
🪲 Bug Fixes
🔨 Dependency Upgrades
v5.7.9Compare Source
⭐ New Features
🪲 Bug Fixes
🔨 Dependency Upgrades
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
v5.7.8Compare Source
⭐ New Features
🪲 Bug Fixes
🔨 Dependency Upgrades
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
v5.7.7Compare Source
⭐ New Features
🪲 Bug Fixes
DefaultSaml2AuthenticatedPrincipal:LinkedMultiValueMap is not in the allowlist#11785🔨 Dependency Upgrades
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
v5.7.6Compare Source
⭐ New Features
🪲 Bug Fixes
🔨 Dependency Upgrades
v5.7.5Compare Source
🪲 Bug Fixes
v5.7.4Compare Source
⭐ New Features
🪲 Bug Fixes
🔨 Dependency Upgrades
v5.7.3Compare Source
⭐ New Features
🪲 Bug Fixes
🔨 Dependency Upgrades
v5.7.2Compare Source
⭐ New Features
🪲 Bug Fixes
@Query#11289🔨 Dependency Upgrades
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
v5.7.1Compare Source
🪲 Bug Fixes
v5.7.0Compare Source
⭐ New Features
🪲 Bug Fixes
@EnableMethodSecuritydoesn't resolve annotations on interfaces through a Proxy #11177🔨 Dependency Upgrades
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
v5.6.12Compare Source
🪲 Bug Fixes
🔨 Dependency Upgrades
v5.6.11Compare Source
⭐ New Features
🪲 Bug Fixes
🔨 Dependency Upgrades
v5.6.10Compare Source
⭐ New Features
🪲 Bug Fixes
🔨 Dependency Upgrades
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
v5.6.9Compare Source
🪲 Bug Fixes
v5.6.8Compare Source
⭐ New Features
🪲 Bug Fixes
🔨 Dependency Upgrades
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
v5.6.7Compare Source
⭐ New Features
🪲 Bug Fixes
🔨 Dependency Upgrades
v5.6.6Compare Source
⭐ New Features
🪲 Bug Fixes
@Query#11290🔨 Dependency Upgrades
v5.6.5Compare Source
🪲 Bug Fixes
v5.6.4Compare Source
⭐ New Features
🪲 Bug Fixes
🔨 Dependency Upgrades
v5.6.3Compare Source
🪲 Bug Fixes
🔨 Dependency Upgrades
v5.6.2Compare Source
⏪ Breaking Changes
⭐ New Features
AuthorizationManagerWebInvocationPrivilegeEvaluator#10682🪲 Bug Fixes
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.