pkg:Maven/org.springframework.security:spring-security-core

31 total CVEs: CRITICAL 4, HIGH 11, MEDIUM 10, LOW 1 (5 entries have no CVSS score)


All known vulnerabilities

  • CRITICAL (9.8) CVE-2022-31692: Spring Security authorization rules can be bypassed via forward or include dispatcher types
    Affected: >= 5.7.0, < 5.7.5
  • CRITICAL (9.8) CVE-2022-22978: Authorization bypass in Spring Security
    Affected: >= 5.5.0, < 5.5.7
  • CRITICAL (9.8) CVE-2014-3527: Authorization Bypass in Spring Security
    Affected: from 0, < 3.1.7
  • CRITICAL (9.1) CVE-2025-41232: Spring Security authorization bypass for method security annotations on private methods
    Affected: >= 6.4.0, < 6.4.6
  • HIGH (8.8) CVE-2020-5407: Signature wrapping vulnerability in Spring Security
    Affected: >= 5.2.0, < 5.2.4
  • HIGH (8.2) CVE-2024-22257: Erroneous authentication pass in Spring Security
    Affected: from 0, < 5.7.12
  • HIGH (8.1) CVE-2017-4995: Deserialization of Untrusted Data in Spring Security
    Affected: >= 4.2.0.RELEASE, < 4.2.3.RELEASE
  • HIGH (7.5) CVE-2025-41248: Spring Security annotation detection mechanism has authorization bypass
    Affected: >= 6.4.0, < 6.4.10
  • HIGH (7.5) CVE-2021-22119: Resource Exhaustion in Spring Security
    Affected: >= 5.5.0, < 5.5.1
  • HIGH (7.5) CVE-2016-9879: Security Constraint Bypass in Spring Security
    Affected: from 0, < 3.2.10.RELEASE
  • HIGH (7.5) CVE-2016-5007: Spring Security and Spring Framework may not recognize certain paths that should be protected
    Affected: from 0, < 4.1.1
  • HIGH (7.4) CVE-2024-22234: Broken Access Control in Spring Security With Direct Use of isFullyAuthenticated
    Affected: >= 6.1.0, < 6.1.7
  • HIGH (7.4) CVE-2018-15801: Spring Security vulnerable to Authorization Bypass
    Affected: >= 5.1.0, < 5.1.2
  • HIGH (7.3) CVE-2014-0097: Improper Authentication in Spring Security
    Affected: >= 3.2.0, < 3.2.2.RELEASE
  • HIGH (7.3) CVE-2019-11272: libspring-security-2.0-java - security update
    Affected: from 0, < 4.2.13
  • MEDIUM (6.5) CVE-2024-38810: Spring Security Missing Authorization vulnerability
    Affected: >= 6.3.0, < 6.3.2
  • MEDIUM (6.5) CVE-2020-5408: Insufficient Entropy in Spring Security
    Affected: >= 5.3.0, < 5.3.2
  • MEDIUM (6.3) CVE-2023-20862: Spring Security logout not clearing security context
    Affected: >= 5.7.0, < 5.7.8
  • MEDIUM (5.3) CVE-2025-22234: Spring Security has a broken timing attack mitigation implemented in DaoAuthenticationProvide
    Affected: >= 6.3.8, < 6.3.9
  • MEDIUM (5.3) CVE-2025-22223: Spring Security Vulnerable to Authorization Bypass via Security Annotations
    Affected: >= 6.4.0, < 6.4.4
  • MEDIUM (5.3) CVE-2022-22976: Integer overflow in BCrypt class in Spring Security
    Affected: >= 5.2.0.RELEASE, < 5.5.7
  • MEDIUM (5.3) CVE-2019-3795: libspring-security-2.0-java - security update
    Affected: >= 4.2.0, < 4.2.12
  • MEDIUM (5.3) CVE-2018-1199: Improper Input Validation in org.springframework.security:spring-security-core, org.springframework.security:spring-security-core, and org.springframework:spring-core
    Affected: >= 4.2.0, < 4.2.4
  • MEDIUM (4.8) CVE-2026-22751: Spring Security Core has a TOCTOU race condition when One-Time Token login with JdbcOneTimeTokenService is configured
    Affected: >= 6.5.0, < 6.5.10
  • MEDIUM (4.8) CVE-2024-38827: Spring Framework has Authorization Bypass for Case Sensitive Comparisons
    Affected: from 0, < 5.7.14
  • LOW (3.7) CVE-2026-22746: Spring Security Vulnerable to User Attribute Enumeration when Using DaoAuthenticationProvider
    Affected: >= 5.7.0, <= 5.7.22
  • (no score) CVE-2011-2732: Improper Control of Generation of Code in Spring Security
    Affected: from 0, < 2.0.7
  • (no score) CVE-2012-5055: Exposure of Sensitive Information to an Unauthorized Actor in Spring Security
    Affected: from 0, < 2.0.8
  • (no score) CVE-2011-2731: Concurrent Execution using Shared Resource with Improper Synchronization in Spring Security
    Affected: from 0, < 2.0.7
  • (no score) CVE-2011-2894: Spring Framework and Spring Security vulnerable to Deserialization of Untrusted Data
    Affected: >= 3.0.0, < 3.0.6
  • (no score) CVE-2010-3700: Authentication Bypass Using an Alternate Path or Channel in SpringSource Spring Security and Acegi Security
    Affected: >= 2.0.0, < 2.0.6