Vulnerabilities

8 via 120 paths

Dependencies

112

Source

GitHub

high severity
new

Access Control Bypass

  • Vulnerable module: org.springframework.security:spring-security-config
  • Introduced through: org.ligoj.bootstrap:bootstrap-business@3.3.0

Detailed paths

  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-config@7.0.4

Overview

org.springframework.security:spring-security-config is a security configuration package for Spring Framework.

Affected versions of this package are vulnerable to Access Control Bypass in the XML authorization rules processing when the servlet-path attribute is used. An attacker can gain unauthorized access to protected endpoints by crafting requests that bypass intended authorization checks.

Remediation

Upgrade org.springframework.security:spring-security-config to version 7.0.5 or higher.

high severity
new

Access Control Bypass

  • Vulnerable module: org.springframework.security:spring-security-config
  • Introduced through: org.ligoj.bootstrap:bootstrap-business@3.3.0

Detailed paths

  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-config@7.0.4

Overview

org.springframework.security:spring-security-config is a security configuration package for Spring Framework.

Affected versions of this package are vulnerable to Access Control Bypass in the securityMatchers component when a PathPatternRequestMatcher.Builder bean is used to prepend a servlet path. An attacker can bypass authentication, authorization, and other security controls by crafting requests that are not properly matched to the intended filter chain.

Remediation

Upgrade org.springframework.security:spring-security-config to version 7.0.5 or higher.

high severity
new

User Impersonation

  • Vulnerable module: org.springframework.security:spring-security-web
  • Introduced through: org.ligoj.bootstrap:bootstrap-business@3.3.0

Detailed paths

  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-web@7.0.4

Overview

org.springframework.security:spring-security-web is a package within Spring Security that provides security services for the Spring IO Platform.

Affected versions of this package are vulnerable to User Impersonation in the SubjectX500PrincipalExtractor component. An attacker can gain unauthorized access to another user's account by presenting a specially crafted X.509 client certificate containing a malformed CN value.

Notes:

  • The SubjectX500PrincipalExtractor component sits behind Spring Security's pre-authentication flow, which assumes the presented credentials have already been validated by a trusted upstream. Exploiting this issue therefore presupposes a compromise of that upstream trust.

  • The fix only addresses SubjectX500PrincipalExtractor and not SubjectDnX509PrincipalExtractor, a deprecated component.

Remediation

Upgrade org.springframework.security:spring-security-web to version 7.0.5 or higher.

high severity
new

Incomplete Cleanup

  • Vulnerable module: org.springframework:spring-web
  • Introduced through: org.ligoj.bootstrap:bootstrap-business@3.3.0

Detailed paths

  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework:spring-web@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-web@7.0.4 org.springframework:spring-web@7.0.6

Overview

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to Incomplete Cleanup via multipart request handling in WebFlux. An attacker can exhaust disk space by sending multipart requests with large parts that trigger creation of temporary files, which under certain conditions are not deleted after the request completes, leading to accumulation of temp files and denial of service.

Remediation

Upgrade org.springframework:spring-web to version 6.2.18, 7.0.7 or higher.

medium severity
new

Missing Critical Step in Authentication

  • Vulnerable module: org.apache.httpcomponents.client5:httpclient5
  • Introduced through: org.apache.httpcomponents.client5:httpclient5@5.6 and org.ligoj.bootstrap:bootstrap-business@3.3.0

Detailed paths

  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.apache.httpcomponents.client5:httpclient5@5.6
    Remediation: Upgrade to org.apache.httpcomponents.client5:httpclient5@5.6.1.
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.apache.httpcomponents.client5:httpclient5@5.6

Overview

org.apache.httpcomponents.client5:httpclient5 is an HttpClient component of the Apache HttpComponents project.

Affected versions of this package are vulnerable to Missing Critical Step in Authentication in the AuthenticationHandler's handleResponse() method. The client may accept SCRAM-SHA-256 authentication by default, without mutual verification.

Remediation

Upgrade org.apache.httpcomponents.client5:httpclient5 to version 5.6.1 or higher.

medium severity
new

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: org.springframework:spring-core
  • Introduced through: org.springframework:spring-context-support@7.0.6 and org.ligoj.bootstrap:bootstrap-business@3.3.0

Detailed paths

  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.springframework:spring-context-support@7.0.6 org.springframework:spring-core@7.0.6
    Remediation: Upgrade to org.springframework:spring-context-support@7.0.7.
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.springframework:spring-context-support@7.0.6 org.springframework:spring-beans@7.0.6 org.springframework:spring-core@7.0.6
    Remediation: Upgrade to org.springframework:spring-context-support@7.0.7.
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.springframework:spring-context-support@7.0.6 org.springframework:spring-context@7.0.6 org.springframework:spring-core@7.0.6
    Remediation: Upgrade to org.springframework:spring-context-support@7.0.7.
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.springframework:spring-context-support@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.springframework:spring-context-support@7.0.6 org.springframework:spring-context@7.0.6 org.springframework:spring-beans@7.0.6 org.springframework:spring-core@7.0.6
    Remediation: Upgrade to org.springframework:spring-context-support@7.0.7.
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework:spring-beans@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.springframework:spring-context-support@7.0.6 org.springframework:spring-beans@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.springframework:spring-context-support@7.0.6 org.springframework:spring-context@7.0.6 org.springframework:spring-aop@7.0.6 org.springframework:spring-core@7.0.6
    Remediation: Upgrade to org.springframework:spring-context-support@7.0.7.
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework:spring-aop@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.springframework:spring-context-support@7.0.6 org.springframework:spring-context@7.0.6 org.springframework:spring-expression@7.0.6 org.springframework:spring-core@7.0.6
    Remediation: Upgrade to org.springframework:spring-context-support@7.0.7.
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework:spring-context@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.springframework:spring-context-support@7.0.6 org.springframework:spring-context@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework:spring-tx@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework:spring-orm@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.data:spring-data-jpa@4.0.4 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-core@7.0.4 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-config@7.0.4 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework:spring-web@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-web@7.0.4 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.springframework:spring-context-support@7.0.6 org.springframework:spring-context@7.0.6 org.springframework:spring-aop@7.0.6 org.springframework:spring-beans@7.0.6 org.springframework:spring-core@7.0.6
    Remediation: Upgrade to org.springframework:spring-context-support@7.0.7.
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework:spring-aop@7.0.6 org.springframework:spring-beans@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework:spring-context@7.0.6 org.springframework:spring-beans@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.springframework:spring-context-support@7.0.6 org.springframework:spring-context@7.0.6 org.springframework:spring-beans@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework:spring-tx@7.0.6 org.springframework:spring-beans@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework:spring-orm@7.0.6 org.springframework:spring-beans@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.data:spring-data-jpa@4.0.4 org.springframework:spring-beans@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-core@7.0.4 org.springframework:spring-beans@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-config@7.0.4 org.springframework:spring-beans@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework:spring-web@7.0.6 org.springframework:spring-beans@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-web@7.0.4 org.springframework:spring-beans@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.data:spring-data-jpa@4.0.4 org.springframework.data:spring-data-commons@4.0.4 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework:spring-context@7.0.6 org.springframework:spring-aop@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.springframework:spring-context-support@7.0.6 org.springframework:spring-context@7.0.6 org.springframework:spring-aop@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.data:spring-data-jpa@4.0.4 org.springframework:spring-aop@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-core@7.0.4 org.springframework:spring-aop@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-config@7.0.4 org.springframework:spring-aop@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-web@7.0.4 org.springframework:spring-aop@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework:spring-context@7.0.6 org.springframework:spring-expression@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.springframework:spring-context-support@7.0.6 org.springframework:spring-context@7.0.6 org.springframework:spring-expression@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-core@7.0.4 org.springframework:spring-expression@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-web@7.0.4 org.springframework:spring-expression@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.data:spring-data-jpa@4.0.4 org.springframework:spring-context@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-core@7.0.4 org.springframework:spring-context@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-config@7.0.4 org.springframework:spring-context@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-web@7.0.4 org.springframework:spring-context@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework:spring-orm@7.0.6 org.springframework:spring-tx@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.data:spring-data-jpa@4.0.4 org.springframework:spring-tx@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework:spring-orm@7.0.6 org.springframework:spring-jdbc@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.data:spring-data-jpa@4.0.4 org.springframework:spring-orm@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-config@7.0.4 org.springframework.security:spring-security-core@7.0.4 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-web@7.0.4 org.springframework.security:spring-security-core@7.0.4 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-web@7.0.4 org.springframework:spring-web@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.data:spring-data-jpa@4.0.4 org.springframework.data:spring-data-commons@4.0.4 org.springframework:spring-beans@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework:spring-context@7.0.6 org.springframework:spring-aop@7.0.6 org.springframework:spring-beans@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.springframework:spring-context-support@7.0.6 org.springframework:spring-context@7.0.6 org.springframework:spring-aop@7.0.6 org.springframework:spring-beans@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.data:spring-data-jpa@4.0.4 org.springframework:spring-aop@7.0.6 org.springframework:spring-beans@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-core@7.0.4 org.springframework:spring-aop@7.0.6 org.springframework:spring-beans@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-config@7.0.4 org.springframework:spring-aop@7.0.6 org.springframework:spring-beans@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-web@7.0.4 org.springframework:spring-aop@7.0.6 org.springframework:spring-beans@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.data:spring-data-jpa@4.0.4 org.springframework:spring-context@7.0.6 org.springframework:spring-beans@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-core@7.0.4 org.springframework:spring-context@7.0.6 org.springframework:spring-beans@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-config@7.0.4 org.springframework:spring-context@7.0.6 org.springframework:spring-beans@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-web@7.0.4 org.springframework:spring-context@7.0.6 org.springframework:spring-beans@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework:spring-orm@7.0.6 org.springframework:spring-tx@7.0.6 org.springframework:spring-beans@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.data:spring-data-jpa@4.0.4 org.springframework:spring-tx@7.0.6 org.springframework:spring-beans@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework:spring-orm@7.0.6 org.springframework:spring-jdbc@7.0.6 org.springframework:spring-beans@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.data:spring-data-jpa@4.0.4 org.springframework:spring-orm@7.0.6 org.springframework:spring-beans@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-config@7.0.4 org.springframework.security:spring-security-core@7.0.4 org.springframework:spring-beans@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-web@7.0.4 org.springframework.security:spring-security-core@7.0.4 org.springframework:spring-beans@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-web@7.0.4 org.springframework:spring-web@7.0.6 org.springframework:spring-beans@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.data:spring-data-jpa@4.0.4 org.springframework:spring-context@7.0.6 org.springframework:spring-aop@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-core@7.0.4 org.springframework:spring-context@7.0.6 org.springframework:spring-aop@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-config@7.0.4 org.springframework:spring-context@7.0.6 org.springframework:spring-aop@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-web@7.0.4 org.springframework:spring-context@7.0.6 org.springframework:spring-aop@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-config@7.0.4 org.springframework.security:spring-security-core@7.0.4 org.springframework:spring-aop@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-web@7.0.4 org.springframework.security:spring-security-core@7.0.4 org.springframework:spring-aop@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.data:spring-data-jpa@4.0.4 org.springframework:spring-context@7.0.6 org.springframework:spring-expression@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-core@7.0.4 org.springframework:spring-context@7.0.6 org.springframework:spring-expression@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-config@7.0.4 org.springframework:spring-context@7.0.6 org.springframework:spring-expression@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-web@7.0.4 org.springframework:spring-context@7.0.6 org.springframework:spring-expression@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-config@7.0.4 org.springframework.security:spring-security-core@7.0.4 org.springframework:spring-expression@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-web@7.0.4 org.springframework.security:spring-security-core@7.0.4 org.springframework:spring-expression@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-config@7.0.4 org.springframework.security:spring-security-core@7.0.4 org.springframework:spring-context@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-web@7.0.4 org.springframework.security:spring-security-core@7.0.4 org.springframework:spring-context@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework:spring-orm@7.0.6 org.springframework:spring-jdbc@7.0.6 org.springframework:spring-tx@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.data:spring-data-jpa@4.0.4 org.springframework:spring-orm@7.0.6 org.springframework:spring-tx@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.data:spring-data-jpa@4.0.4 org.springframework:spring-orm@7.0.6 org.springframework:spring-jdbc@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.data:spring-data-jpa@4.0.4 org.springframework:spring-context@7.0.6 org.springframework:spring-aop@7.0.6 org.springframework:spring-beans@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-core@7.0.4 org.springframework:spring-context@7.0.6 org.springframework:spring-aop@7.0.6 org.springframework:spring-beans@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-config@7.0.4 org.springframework:spring-context@7.0.6 org.springframework:spring-aop@7.0.6 org.springframework:spring-beans@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-web@7.0.4 org.springframework:spring-context@7.0.6 org.springframework:spring-aop@7.0.6 org.springframework:spring-beans@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-config@7.0.4 org.springframework.security:spring-security-core@7.0.4 org.springframework:spring-aop@7.0.6 org.springframework:spring-beans@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-web@7.0.4 org.springframework.security:spring-security-core@7.0.4 org.springframework:spring-aop@7.0.6 org.springframework:spring-beans@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-config@7.0.4 org.springframework.security:spring-security-core@7.0.4 org.springframework:spring-context@7.0.6 org.springframework:spring-beans@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-web@7.0.4 org.springframework.security:spring-security-core@7.0.4 org.springframework:spring-context@7.0.6 org.springframework:spring-beans@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework:spring-orm@7.0.6 org.springframework:spring-jdbc@7.0.6 org.springframework:spring-tx@7.0.6 org.springframework:spring-beans@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.data:spring-data-jpa@4.0.4 org.springframework:spring-orm@7.0.6 org.springframework:spring-tx@7.0.6 org.springframework:spring-beans@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.data:spring-data-jpa@4.0.4 org.springframework:spring-orm@7.0.6 org.springframework:spring-jdbc@7.0.6 org.springframework:spring-beans@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-config@7.0.4 org.springframework.security:spring-security-core@7.0.4 org.springframework:spring-context@7.0.6 org.springframework:spring-aop@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-web@7.0.4 org.springframework.security:spring-security-core@7.0.4 org.springframework:spring-context@7.0.6 org.springframework:spring-aop@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-config@7.0.4 org.springframework.security:spring-security-core@7.0.4 org.springframework:spring-context@7.0.6 org.springframework:spring-expression@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-web@7.0.4 org.springframework.security:spring-security-core@7.0.4 org.springframework:spring-context@7.0.6 org.springframework:spring-expression@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.data:spring-data-jpa@4.0.4 org.springframework:spring-orm@7.0.6 org.springframework:spring-jdbc@7.0.6 org.springframework:spring-tx@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-config@7.0.4 org.springframework.security:spring-security-core@7.0.4 org.springframework:spring-context@7.0.6 org.springframework:spring-aop@7.0.6 org.springframework:spring-beans@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-web@7.0.4 org.springframework.security:spring-security-core@7.0.4 org.springframework:spring-context@7.0.6 org.springframework:spring-aop@7.0.6 org.springframework:spring-beans@7.0.6 org.springframework:spring-core@7.0.6
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.data:spring-data-jpa@4.0.4 org.springframework:spring-orm@7.0.6 org.springframework:spring-jdbc@7.0.6 org.springframework:spring-tx@7.0.6 org.springframework:spring-beans@7.0.6 org.springframework:spring-core@7.0.6

Overview

org.springframework:spring-core is a core package within the spring-framework that contains multiple classes and utilities.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via static resource resolution. An attacker can cause denial of service by sending crafted requests that are slow to resolve when accessing file-system-backed static resources, causing HTTP connections to remain occupied and exhausting server resources.

Note: This is only exploitable if all the following are true:

  1. The application uses Spring MVC or Spring WebFlux.

  2. Static resources are served from the file system.

  3. The application is running on Windows.

Remediation

Upgrade org.springframework:spring-core to version 6.2.18, 7.0.7 or higher.

References

medium severity
new

Information Exposure

  • Vulnerable module: org.springframework.security:spring-security-core
  • Introduced through: org.ligoj.bootstrap:bootstrap-business@3.3.0

Detailed paths

  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-core@7.0.4
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-config@7.0.4 org.springframework.security:spring-security-core@7.0.4
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-web@7.0.4 org.springframework.security:spring-security-core@7.0.4

Overview

org.springframework.security:spring-security-core is a package that provides security services for the Spring IO Platform.

Affected versions of this package are vulnerable to Information Exposure in the DaoAuthenticationProvider component. An attacker can determine the status of user attributes such as enabled, expired, or locked by analyzing response times, potentially allowing user attribute enumeration through timing analysis.

Remediation

Upgrade org.springframework.security:spring-security-core to version 6.5.10, 7.0.5 or higher.

References

medium severity
new

Time-of-check Time-of-use (TOCTOU) Race Condition

  • Vulnerable module: org.springframework.security:spring-security-core
  • Introduced through: org.ligoj.bootstrap:bootstrap-business@3.3.0

Detailed paths

  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-core@7.0.4
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-config@7.0.4 org.springframework.security:spring-security-core@7.0.4
  • Introduced through: ligoj/plugin-scm-git@ligoj/plugin-scm-git org.ligoj.bootstrap:bootstrap-business@3.3.0 org.ligoj.bootstrap:bootstrap-core@3.3.0 org.springframework.security:spring-security-web@7.0.4 org.springframework.security:spring-security-core@7.0.4

Overview

org.springframework.security:spring-security-core is a package that provides security services for the Spring IO Platform.

Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition in the JdbcOneTimeTokenService component. An attacker can gain unauthorized access to multiple sessions by reusing a single one-time token during authentication.

Note: This is only exploitable if the application is explicitly configured to use One-Time Token login with JdbcOneTimeTokenService.

Remediation

Upgrade org.springframework.security:spring-security-core to version 6.5.10, 7.0.5 or higher.

References