CVE-2026-22732

Published: 19 Mar 2026
Source: redhat
CVSS3: 6.5

Description

When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. This issue affects Spring Security: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3.

A flaw was found in Spring Security. When applications using Spring Security specify HTTP response headers for servlet applications, these headers may not be written. This can lead to a bypass of security policies or information disclosure, potentially allowing an attacker to gain unauthorized access to sensitive data or compromise the integrity of the application.

Mitigation

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

Affected packages

Platform | Package | State | Recommendation | Release
OpenShift Developer Tools and Services | jenkins | Fix deferred | |
OpenShift Developer Tools and Services | ocp-tools-4/jenkins-rhel8 | Fix deferred | |
OpenShift Developer Tools and Services | ocp-tools-4/jenkins-rhel9 | Fix deferred | |
Red Hat build of Apache Camel for Spring Boot 4 | spring-security-core | Fix deferred | |
Red Hat build of Apache Camel - HawtIO 4 | spring-security-core | Fix deferred | |
Red Hat build of Quarkus | quarkus-spring-security-core-api | Fix deferred | |
Red Hat Data Grid 8 | spring-security-core | Fix deferred | |
Red Hat Fuse 7 | org.apache.servicemix.bundles.spring-security-core | Fix deferred | |
Red Hat Fuse 7 | spring-security-core | Fix deferred | |
Red Hat JBoss Enterprise Application Platform 7 | spring-security-core | Fix deferred | |


Additional information

Status:

Moderate
Weakness:
CWE-166
https://bugzilla.redhat.com/show_bug.cgi?id=2449306
Spring Security: Spring Security: Security policy bypass and information disclosure due to unwritten HTTP headers

CVSS3: 6.5 (Medium)

Related vulnerabilities

CVSS3: 9.1
nvd
12 days ago

When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. This issue affects Spring Security: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3.

CVSS3: 9.1
debian
12 days ago

When applications specify HTTP response headers for servlet applicatio ...

CVSS3: 9.1
github
12 days ago

Spring Security HTTP Headers Are not Written Under Some Conditions

CVSS3: 9.1
fstec
13 days ago

Vulnerability in the Spring Security Java framework for securing enterprise applications, related to the use of an insecure direct object reference, allowing an attacker to execute arbitrary code
