CVE-2022-22976 An integer overflow vulnerability was found in Spring Security versions 5.5.x, 5.6.x, and earlier unsupported versions.

No crafted request is involved: the flaw is in the arithmetic of the bundled BCrypt implementation. When BCryptPasswordEncoder is configured with the maximum work factor (strength 31), the number of key-expansion rounds, 2^31, does not fit in a 32-bit signed integer, the round count overflows, and the encoder performs no salt rounds at all. The hash is still produced and still verifies, but without the computational cost that makes bcrypt resistant to offline guessing. This does not lead to remote code execution. The default strength (10) and every strength below 31 are unaffected. To protect your application, upgrade to Spring Security 5.5.7, or to 5.6.4 or a later 5.6.x release; if you are using an unsupported version, move to a supported branch. Treat any password hashes that were produced with strength 31 on a vulnerable release as weak and re-hash them at the user's next successful login with a strength you have measured, since a correct 2^31 rounds is far too slow to run in practice.

CVE-2018-0403 This identifier is listed here with a description of an attacker bypassing an SQL injection "filter condition" that checks the data type of supplied input by sending a request with a crafted data type. Spring Security has no such feature: its servlet filter chain authenticates the caller, enforces authorization rules and applies exploit protections such as CSRF tokens and security headers, but it does not inspect request parameters for SQL syntax or data types, so there is no data type check to bypass or to patch. Protection against SQL injection in a Spring application belongs in the data access layer: bind user input as parameters (JdbcTemplate placeholders, JPA or Spring Data named parameters) instead of concatenating it into SQL text. Check the identifier against the NVD record before acting on it; it does not describe the integer overflow this entry covers.

Potential SQL Injection Attack

Spring Security is a framework that provides authentication, authorization and protection against common web exploits for Spring applications, implemented as a chain of servlet filters (with an equivalent for reactive applications). Those filters decide who the caller is and what they may access; they do not validate the format of application input, and defending against SQL injection remains the responsibility of the code that builds the queries.

Overview of this vulnerability

CVE-2022-22976 affects Spring Security 5.5.x before 5.5.7 and 5.6.x before 5.6.4, plus earlier unsupported versions. It is not an SQL injection and is not triggered by a crafted request; it is an integer overflow in the bundled BCrypt implementation. BCryptPasswordEncoder accepts a strength (log rounds) between 4 and 31, and the number of key-expansion rounds is 2 to the power of that strength. For strength 31 that value, 2,147,483,648, does not fit in a 32-bit signed integer, so the round count overflows and the encoder performs no salt rounds at all; the hash is still produced and still verifies, but with none of the cost that makes bcrypt resistant to offline guessing. Strengths 4 through 30, including the default of 10, compute correctly. The impact applies wherever the encoder runs, web or otherwise; what matters is the configured strength, not the kind of client. To remediate, upgrade to 5.5.7, or to 5.6.4 or later (the fix needs no configuration change), and audit your configuration for BCryptPasswordEncoder(31) or an equivalent strength setting. Hashes already stored with a cost field of 31 in their prefix (for example $2a$31$...) were computed without rounds; after the upgrade they will no longer verify, because the patched code computes the full 2^31 rounds, so plan a re-hash or reset path for those accounts.
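The following Java program is an added example, not code from Spring Security or from this page. It models the round-count arithmetic the overview describes: a shift into a Java int for the vulnerable shape, a shift into a long for the fixed shape, and a count of how often a loop written as "for (i = 0; i < rounds; i++)" would run for each. That this is the exact form of the original and patched Spring Security code is an assumption; the class and method names are the author's, and the stored hashes scanned at the end are constructed placeholders, only their prefixes are meaningful.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/*
 * Added example (not Spring Security's BCrypt class). Models how a work
 * factor of 31 overflows a 32-bit round count and how stored hashes that
 * were produced with that work factor can be found for re-hashing.
 * The "vulnerable" and "fixed" shapes below are assumptions about the
 * original code, made to illustrate the CVE description.
 */
public final class BcryptWorkFactorCheck {

    static final int MIN_LOG_ROUNDS = 4;
    static final int MAX_LOG_ROUNDS = 31;

    /** Rejects work factors outside the range BCrypt accepts. */
    static void checkLogRounds(int logRounds) {
        if (logRounds < MIN_LOG_ROUNDS || logRounds > MAX_LOG_ROUNDS) {
            throw new IllegalArgumentException("Bad number of rounds: " + logRounds);
        }
    }

    /** Assumed vulnerable shape: shift into an int. 1 << 31 is Integer.MIN_VALUE. */
    static int roundsVulnerable(int logRounds) {
        checkLogRounds(logRounds);
        return 1 << logRounds;
    }

    /** Assumed fixed shape: widen before shifting so 2^31 is representable. */
    static long roundsFixed(int logRounds) {
        checkLogRounds(logRounds);
        return 1L << logRounds;
    }

    /**
     * Number of times a key-setup loop of the form
     * "for (i = 0; i < rounds; i++)" executes its body:
     * zero when rounds is negative, which is the CVE's "no salt rounds".
     */
    static long loopIterations(long rounds) {
        return rounds > 0 ? rounds : 0;
    }

    /** True when a BCryptPasswordEncoder strength hits the overflow on an unpatched release. */
    static boolean strengthAffected(int strength) {
        return strength == MAX_LOG_ROUNDS;
    }

    // bcrypt hashes start with "$2a$" (or 2b/2x/2y), then the two-digit cost, then "$".
    private static final Pattern BCRYPT_PREFIX = Pattern.compile("^\\$2[abxy]\\$(\\d{2})\\$");

    /** Returns the cost encoded in a stored bcrypt hash, or -1 if the value is not a bcrypt hash. */
    static int costFromHash(String hash) {
        Matcher m = BCRYPT_PREFIX.matcher(hash);
        return m.find() ? Integer.parseInt(m.group(1)) : -1;
    }

    /** Selects stored hashes that were produced with the affected work factor. */
    static List<String> hashesNeedingRehash(List<String> storedHashes) {
        List<String> out = new ArrayList<>();
        for (String h : storedHashes) {
            if (strengthAffected(costFromHash(h))) {
                out.add(h);
            }
        }
        return out;
    }

    public static void main(String[] args) {
        for (int logRounds : new int[] {4, 10, 30, 31}) {
            int vulnerable = roundsVulnerable(logRounds);
            long fixed = roundsFixed(logRounds);
            System.out.printf("strength=%2d  int rounds=%11d -> %10d iterations ; long rounds=%10d -> %10d iterations%n",
                    logRounds, vulnerable, loopIterations(vulnerable), fixed, loopIterations(fixed));
        }

        // Constructed sample values: the bodies after the prefix are placeholders, not real digests.
        List<String> stored = List.of(
                "$2a$10$placeholdersaltplaceholdersaltplaceholderhashplaceholder",
                "$2a$31$placeholdersaltplaceholdersaltplaceholderhashplaceholder",
                "{noop}plaintext");
        System.out.println("hashes created with strength 31: " + hashesNeedingRehash(stored));
    }
}
```

Running it shows strength 31 turning into -2147483648 in the int version, hence zero loop iterations, while the long version yields 2147483648; the hash scan picks out only the entry whose prefix carries cost 31, which is the set to re-hash after upgrading.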

How to upgrade to version 5.6.x or 5.5.7?

Spring Security is consumed as Maven or Gradle artifacts, not as jars unzipped into a lib directory, and the source jars linked in the original steps are not dependencies. To upgrade:
1) Pick the target release: 5.6.4 or the latest 5.6.x patch, or 5.5.7 if you must stay on the 5.5 branch. The 5.6 artifacts carry no .RELEASE suffix.
2) If your build inherits Spring Boot's dependency management, override the managed version by setting the spring-security.version property in your pom (or ext['spring-security.version'] in build.gradle) to the target release; otherwise set that version on each org.springframework.security artifact you declare directly, such as spring-security-core, spring-security-web and spring-security-config, keeping all of them on the same version.
3) Rebuild, then confirm the resolved version with mvn dependency:tree -Dincludes=org.springframework.security (or gradle dependencies --configuration runtimeClasspath) so that no other dependency still pins an older patch.
4) No web application context or security configuration change is required for this fix; it lives entirely inside the BCrypt implementation. If you had set the BCryptPasswordEncoder strength to 31, lower it to a value you have measured (typically 10 to 14), because the patched code now really executes 2^31 rounds, and expect hashes stored under the old strength 31 to fail verification until they are re-hashed.
