Description
BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same.
A flaw was found in the spring-security-core password encoder. This vulnerability allows incorrect password matching via input manipulation.
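To make the described behaviour concrete, the following Java program is an added example (not code from the advisory and not Spring Security's own): it encodes a password longer than 72 bytes with the plain BCryptPasswordEncoder, then checks a different password that shares the same first 72 bytes, and pairs that with a hypothetical application-side wrapper (class name `LengthCheckedBCryptEncoder`, which is an assumption, not a Spring class) that refuses over-long input instead of letting bcrypt truncate it. It assumes `spring-security-crypto` on the classpath and Java 11+ (for `String.repeat`); the sample passwords are constructed. The wrapper is an illustrative check, not a Red Hat recommended mitigation.

```java
import java.nio.charset.StandardCharsets;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/** Hypothetical wrapper (assumption, not part of Spring Security) that rejects inputs bcrypt would silently truncate. */
public final class LengthCheckedBCryptEncoder implements PasswordEncoder {

    // bcrypt's key schedule consumes only the first 72 bytes of the password; later bytes never affect the hash.
    static final int BCRYPT_MAX_BYTES = 72;

    private final PasswordEncoder delegate = new BCryptPasswordEncoder();

    /** Measured in UTF-8 bytes, not characters: multi-byte characters reach the limit sooner. */
    static boolean exceedsBcryptLimit(CharSequence rawPassword) {
        return rawPassword.toString().getBytes(StandardCharsets.UTF_8).length > BCRYPT_MAX_BYTES;
    }

    @Override
    public String encode(CharSequence rawPassword) {
        if (exceedsBcryptLimit(rawPassword)) {
            throw new IllegalArgumentException("password exceeds " + BCRYPT_MAX_BYTES + " bytes");
        }
        return delegate.encode(rawPassword);
    }

    @Override
    public boolean matches(CharSequence rawPassword, String encodedPassword) {
        // Fail closed: a candidate over the limit can never have been stored through encode() above.
        if (exceedsBcryptLimit(rawPassword)) {
            return false;
        }
        return delegate.matches(rawPassword, encodedPassword);
    }

    public static void main(String[] args) {
        String first72 = "a".repeat(72);            // constructed sample password, exactly at the limit
        String stored = first72 + "-secret-tail";   // 84 bytes: the tail lies beyond what bcrypt reads
        String other = first72 + "-other-tail!!";   // same first 72 bytes, different tail

        BCryptPasswordEncoder plain = new BCryptPasswordEncoder();
        try {
            String hash = plain.encode(stored);
            // On an affected spring-security-core this prints true: the differing tails are never compared.
            System.out.println("plain encoder matches other tail: " + plain.matches(other, hash));
        } catch (IllegalArgumentException e) {
            // A version that enforces the maximum length rejects the over-long input up front.
            System.out.println("plain encoder rejects over-long password: " + e.getMessage());
        }

        LengthCheckedBCryptEncoder checked = new LengthCheckedBCryptEncoder();
        String hash72 = checked.encode(first72);
        System.out.println("checked encoder, exact password: " + checked.matches(first72, hash72));   // true
        System.out.println("checked encoder, over-long candidate: " + checked.matches(other, hash72)); // false
    }
}
```

The byte-length check belongs on both paths: enforcing it only in `encode()` still leaves `matches()` comparing truncated input against hashes that were stored before the check existed, so the wrapper rejects over-long candidates there as well.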
Mitigation
Red Hat Product Security does not have a recommended mitigation at this time.
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| A-MQ Clients 2 | spring-security-core | Out of support scope | | |
| Red Hat build of Quarkus | quarkus-bom | Not affected | | |
| Red Hat Data Grid 8 | spring-security-core | Will not fix | | |
| Red Hat Fuse 7 | org.apache.servicemix.bundles.spring-security-core | Will not fix | | |
| Red Hat Fuse 7 | spring-security-core | Will not fix | | |
| Red Hat Integration Camel K 1 | spring-security-core | Will not fix | | |
| Red Hat JBoss Enterprise Application Platform 7 | spring-security-core | Not affected | | |
| Red Hat JBoss Enterprise Application Platform 8 | spring-security-core | Not affected | | |
| Red Hat JBoss Enterprise Application Platform Expansion Pack | spring-security-core | Not affected | | |
| Red Hat Process Automation 7 | spring-security-core | Will not fix | | |
Additional information
Status: Important
Defect: CWE-863
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2353507
spring-security-core: Spring Security BCryptPasswordEncoder does not enforce maximum password length
CVSS3: 7.4 High
Related vulnerabilities
- nvd (CVSS3: 7.4, 9 months ago): BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same.
- debian (CVSS3: 7.4, 9 months ago): BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly ret ...