GHSA-4644-hg35-55m9

Source

https://github.com/advisories/GHSA-4644-hg35-55m9

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-4644-hg35-55m9/GHSA-4644-hg35-55m9.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-4644-hg35-55m9

Aliases

CVE-2011-2731

Published

2022-05-17T04:59:50Z

Modified

2024-12-07T05:58:11.669432Z

Summary

Concurrent Execution using Shared Resource with Improper Synchronization in Spring Security

Details

Race condition in the RunAsManager mechanism in VMware SpringSource Spring Security before 2.0.7 and 3.0.x before 3.0.6 stores the Authentication object in the shared security context, which allows attackers to gain privileges via a crafted thread.

Database specific

{
    "nvd_published_at": "2012-12-05T17:55:00Z",
    "cwe_ids": [
        "CWE-362"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-13T17:46:37Z"
}

References

Affected packages

Maven / org.springframework.security:spring-security-core

Package

Name: org.springframework.security:spring-security-core; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.security/spring-security-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.0.7

Affected versions

2.*

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5.RELEASE

2.0.6.RELEASE

Maven / org.springframework.security:spring-security-core

Package

Name: org.springframework.security:spring-security-core; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.security/spring-security-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0.0

Fixed

3.0.6

Affected versions

3.*

3.0.0.RELEASE

3.0.1.RELEASE

3.0.2.RELEASE

3.0.3.RELEASE

3.0.4.RELEASE

3.0.5.RELEASE