ghsa-mg83-c7gq-rv5c
Vulnerability from github
Published
2025-03-20 06:31
Modified
2025-03-20 19:42
Severity ?
Summary
Spring Security Does Not Enforce Password Length
Details
BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same.
{ affected: [ { package: { ecosystem: "Maven", name: "org.springframework.security:spring-security-crypto", }, ranges: [ { events: [ { introduced: "6.3.0", }, { fixed: "6.3.8", }, ], type: "ECOSYSTEM", }, ], }, { package: { ecosystem: "Maven", name: "org.springframework.security:spring-security-crypto", }, ranges: [ { events: [ { introduced: "6.4.0", }, { fixed: "6.4.4", }, ], type: "ECOSYSTEM", }, ], }, { database_specific: { last_known_affected_version_range: "<= 6.2.9", }, package: { ecosystem: "Maven", name: "org.springframework.security:spring-security-crypto", }, ranges: [ { events: [ { introduced: "6.2.0", }, { fixed: "6.2.10", }, ], type: "ECOSYSTEM", }, ], }, { database_specific: { last_known_affected_version_range: "<= 6.1.13", }, package: { ecosystem: "Maven", name: "org.springframework.security:spring-security-crypto", }, ranges: [ { events: [ { introduced: "6.1.0", }, { fixed: "6.1.14", }, ], type: "ECOSYSTEM", }, ], }, { database_specific: { last_known_affected_version_range: "<= 6.0.15", }, package: { ecosystem: "Maven", name: "org.springframework.security:spring-security-crypto", }, ranges: [ { events: [ { introduced: "6.0.0", }, { fixed: "6.0.16", }, ], type: "ECOSYSTEM", }, ], }, { database_specific: { last_known_affected_version_range: "<= 5.8.17", }, package: { ecosystem: "Maven", name: "org.springframework.security:spring-security-crypto", }, ranges: [ { events: [ { introduced: "5.8.0", }, { fixed: "5.8.18", }, ], type: "ECOSYSTEM", }, ], }, { database_specific: { last_known_affected_version_range: "<= 5.7.15", }, package: { ecosystem: "Maven", name: "org.springframework.security:spring-security-crypto", }, ranges: [ { events: [ { introduced: "0", }, { fixed: "5.7.16", }, ], type: "ECOSYSTEM", }, ], }, ], aliases: [ "CVE-2025-22228", ], database_specific: { cwe_ids: [ "CWE-287", "CWE-521", ], github_reviewed: true, github_reviewed_at: "2025-03-20T18:19:20Z", nvd_published_at: "2025-03-20T06:15:23Z", severity: "HIGH", }, details: "BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same.", id: "GHSA-mg83-c7gq-rv5c", modified: "2025-03-20T19:42:39Z", published: "2025-03-20T06:31:09Z", references: [ { type: "ADVISORY", url: "https://nvd.nist.gov/vuln/detail/CVE-2025-22228", }, { type: "WEB", url: "https://github.com/spring-projects/spring-security/commit/46f0dc6dfc8402cd556c598fdf2d31f9d46cdbf3", }, { type: "PACKAGE", url: "https://github.com/spring-projects/spring-security", }, { type: "WEB", url: "https://spring.io/security/cve-2025-22228", }, ], schema_version: "1.4.0", severity: [ { score: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", type: "CVSS_V3", }, ], summary: "Spring Security Does Not Enforce Password Length", }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
Title of the comment
Description of the comment
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.