PT-2022-15752 · Spring · Spring Security
Published 2022-05-19 · Updated 2024-06-13 · CVE-2022-22976
CVSS v3.1: 5.3 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Spring Security versions 5.5.x prior to 5.5.7
Spring Security versions 5.6.x prior to 5.6.4
Spring Security earlier unsupported versions
Description
The issue is an integer overflow in the BCrypt class. bcrypt's key schedule is supposed to run 2^log_rounds expensive key-expansion rounds, and the implementation computes that count as 1 << log_rounds in a 32-bit signed int. At the maximum work factor (31) the shift wraps to a negative value, so the loop that performs the rounds never runs: the encoder performs zero rounds instead of 2^31. The resulting hash still carries 31 in its cost field and still verifies, but computing or checking it is cheaper than even the minimum work factor of 4, so passwords hashed this way get far less resistance to offline cracking than the configured cost implies. The default settings (work factor 10) are not affected.
Recommendations
For Spring Security versions 5.5.x prior to 5.5.7, update to version 5.5.7 or later.
For Spring Security versions 5.6.x prior to 5.6.4, update to version 5.6.4 or later.
For earlier unsupported versions of Spring Security, upgrade to a supported version to mitigate the risk. Until that upgrade is done, do not configure the BCrypt class with the maximum work factor (31); any lower value computes the round count correctly. Hashes that an affected version already produced at work factor 31 are weaker than their cost field claims and should be re-hashed (for example on the user's next successful login) once a fixed version is in place. Note that on a fixed version a work factor of 31 really does cost 2^31 rounds, which is impractically slow for interactive logins, so the remedy for an accidentally cheap configuration is a realistic work factor, not the maximum.
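The following Java is an added illustration, not Spring Security's own source, covering both the description above and the re-hashing advice in the recommendations. It models the cost-loop arithmetic behind the overflow (a 32-bit `1 << log_rounds` beside the 64-bit form that fixed versions use) and scans stored bcrypt strings for a cost field of 31 so that such hashes can be queued for re-hashing. The class and method names (`BcryptWorkFactorCheck`, `roundsVulnerable`, `roundsFixed`, `producedAtAffectedCost`) are this example's own, and the two sample hashes are constructed, syntactically valid bcrypt strings rather than real password hashes.

```java
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not Spring Security's own source). Models the bcrypt cost-loop
 * arithmetic behind CVE-2022-22976 and flags stored hashes made at the affected
 * work factor. The method names are this example's own.
 */
public class BcryptWorkFactorCheck {

    /**
     * Rounds the vulnerable arithmetic actually executes. bcrypt runs
     * 2^log_rounds expensive key-expansion rounds, computed as 1 << log_rounds.
     * In a 32-bit signed int, 1 << 31 wraps to Integer.MIN_VALUE, so a loop of
     * the form "for (i = 0; i < rounds; i++)" never enters its body.
     */
    static long roundsVulnerable(int logRounds) {
        int rounds = 1 << logRounds;          // 1 << 31 == -2147483648
        return Math.max(rounds, 0);           // iterations of "i < rounds" from 0
    }

    /** Same computation in 64-bit arithmetic: 1L << 31 == 2147483648. */
    static long roundsFixed(int logRounds) {
        if (logRounds < 4 || logRounds > 31) {
            throw new IllegalArgumentException("Bad number of rounds");
        }
        return 1L << logRounds;
    }

    /** Modular-crypt bcrypt string: $2a$NN$ + 22 salt chars + 31 hash chars. */
    private static final Pattern BCRYPT =
            Pattern.compile("^\\$2[aby]\\$(\\d{2})\\$[./A-Za-z0-9]{53}$");

    /**
     * True when the hash's cost field is 31, i.e. it may have been produced
     * with zero rounds by an affected version and should be re-hashed.
     */
    static boolean producedAtAffectedCost(String hash) {
        Matcher m = BCRYPT.matcher(hash);
        return m.matches() && Integer.parseInt(m.group(1)) == 31;
    }

    public static void main(String[] args) {
        for (int logRounds : new int[] {4, 10, 30, 31}) {
            System.out.printf("log_rounds=%2d  vulnerable=%10d  fixed=%10d%n",
                    logRounds, roundsVulnerable(logRounds), roundsFixed(logRounds));
        }
        // Constructed sample hashes for the scan: syntactically valid bcrypt
        // strings, not real password hashes; only the cost field matters here.
        List<String> stored = List.of(
                "$2a$10$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0",
                "$2a$31$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0");
        for (String h : stored) {
            System.out.println(h.substring(0, 7) + "...  re-hash needed: "
                    + producedAtAffectedCost(h));
        }
    }
}
```

At log_rounds 31 the vulnerable column shows 0 where the fixed column shows 2147483648; every lower work factor agrees in both columns, which is why only the maximum setting is affected. The scan is meant to be run over the stored hash column of the user store after upgrading, with matched rows forced through re-hashing at a realistic work factor.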
Fix
Fixed in Spring Security 5.5.7 and 5.6.4.
Weakness Enumeration
Integer Overflow
Related Identifiers
CVE-2022-22976
Affected Products
Spring Security