CVE-2025-22223 (GCVE-0-2025-22223)
Vulnerability from cvelistv5 – Published: 2025-03-24 17:42 – Updated: 2025-03-24 18:06
- CWE-290 - Authentication Bypass by Spoofing
| Vendor | Product | Version |
|---|---|---|
| Spring | Spring Security | Affected: 6.4.0-6.4.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22223",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-24T18:04:57.845346Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-24T18:06:24.575Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Spring Security",
"vendor": "Spring",
"versions": [
{
"status": "affected",
"version": "6.4.0-6.4.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eSpring Security 6.4.0 - 6.4.3 may not correctly locate method security annotations on parameterized types or methods. This may cause an authorization bypass.\u0026nbsp;\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eYou are not affected if you are not using @EnableMethodSecurity, or\u003cbr\u003eyou do not have method security annotations on parameterized types or methods, or all method security annotations are attached to target methods\u003c/span\u003e\u003c/span\u003e"
}
],
"value": "Spring Security 6.4.0 - 6.4.3 may not correctly locate method security annotations on parameterized types or methods. This may cause an authorization bypass.\u00a0\n\nYou are not affected if you are not using @EnableMethodSecurity, or\nyou do not have method security annotations on parameterized types or methods, or all method security annotations are attached to target methods"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290 Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-24T17:42:49.634Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2025-22223"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2025-22223",
"datePublished": "2025-03-24T17:42:49.634Z",
"dateReserved": "2025-01-02T04:29:30.445Z",
"dateUpdated": "2025-03-24T18:06:24.575Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-22223",
"date": "2026-06-18",
"epss": "0.00466",
"percentile": "0.36756"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-22223\",\"sourceIdentifier\":\"security@vmware.com\",\"published\":\"2025-03-24T18:15:22.673\",\"lastModified\":\"2025-03-27T16:45:46.410\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Spring Security 6.4.0 - 6.4.3 may not correctly locate method security annotations on parameterized types or methods. This may cause an authorization bypass.\u00a0\\n\\nYou are not affected if you are not using @EnableMethodSecurity, or\\nyou do not have method security annotations on parameterized types or methods, or all method security annotations are attached to target methods\"},{\"lang\":\"es\",\"value\":\"Es posible que Spring Security 6.4.0 - 6.4.3 no ubique correctamente las anotaciones de seguridad de m\u00e9todos en tipos o m\u00e9todos parametrizados. Esto puede provocar una omisi\u00f3n de autorizaci\u00f3n. Esto no se ve afectado si no utiliza @EnableMethodSecurity, si no tiene anotaciones de seguridad de m\u00e9todos en tipos o m\u00e9todos parametrizados, o si todas las anotaciones de seguridad de m\u00e9todos est\u00e1n asociadas a los m\u00e9todos de destino.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@vmware.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security@vmware.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-290\"}]}],\"references\":[{\"url\":\"https://spring.io/security/cve-2025-22223\",\"source\":\"security@vmware.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-22223\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-24T18:04:57.845346Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-24T18:05:11.228Z\"}}], \"cna\": {\"source\": {\"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Spring\", \"product\": \"Spring Security\", \"versions\": [{\"status\": \"affected\", \"version\": \"6.4.0-6.4.3\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://spring.io/security/cve-2025-22223\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Spring Security 6.4.0 - 6.4.3 may not correctly locate method security annotations on parameterized types or methods. 
This may cause an authorization bypass.\\u00a0\\n\\nYou are not affected if you are not using @EnableMethodSecurity, or\\nyou do not have method security annotations on parameterized types or methods, or all method security annotations are attached to target methods\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eSpring Security 6.4.0 - 6.4.3 may not correctly locate method security annotations on parameterized types or methods. This may cause an authorization bypass.\u0026nbsp;\\n\\n\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eYou are not affected if you are not using @EnableMethodSecurity, or\u003cbr\u003eyou do not have method security annotations on parameterized types or methods, or all method security annotations are attached to target methods\u003c/span\u003e\u003c/span\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-290\", \"description\": \"CWE-290 Authentication Bypass by Spoofing\"}]}], \"providerMetadata\": {\"orgId\": \"dcf2e128-44bd-42ed-91e8-88f912c1401d\", \"shortName\": \"vmware\", \"dateUpdated\": \"2025-03-24T17:42:49.634Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-22223\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-03-24T18:06:24.575Z\", \"dateReserved\": \"2025-01-02T04:29:30.445Z\", \"assignerOrgId\": \"dcf2e128-44bd-42ed-91e8-88f912c1401d\", \"datePublished\": \"2025-03-24T17:42:49.634Z\", \"assignerShortName\": \"vmware\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
CERTFR-2025-AVI-0228
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans Spring Security. Elles permettent à un attaquant de provoquer un contournement de la politique de sécurité.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
| Vendor | Product | Description |
|---|---|---|
| Spring | N/A | Security versions 6.1.x antérieures à 6.1.14 |
| Spring | N/A | Security versions 5.8.x antérieures à 5.8.18 |
| Spring | N/A | Security versions 5.7.x antérieures à 5.7.16 |
| Spring | N/A | Security versions 6.3.x antérieures à 6.3.8 |
| Spring | N/A | Security versions 6.0.x antérieures à 6.0.16 |
| Spring | N/A | Security versions 6.2.x antérieures à 6.2.10 |
| Spring | N/A | Security versions 6.4.x antérieures à 6.4.4 |
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Security versions 6.1.x ant\u00e9rieures \u00e0 6.1.14",
"product": {
"name": "N/A",
"vendor": {
"name": "Spring",
"scada": false
}
}
},
{
"description": "Security versions 5.8.x ant\u00e9rieures \u00e0 5.8.18",
"product": {
"name": "N/A",
"vendor": {
"name": "Spring",
"scada": false
}
}
},
{
"description": "Security versions 5.7.x ant\u00e9rieures \u00e0 5.7.16",
"product": {
"name": "N/A",
"vendor": {
"name": "Spring",
"scada": false
}
}
},
{
"description": "Security versions 6.3.x ant\u00e9rieures \u00e0 6.3.8",
"product": {
"name": "N/A",
"vendor": {
"name": "Spring",
"scada": false
}
}
},
{
"description": "Security versions 6.0.x ant\u00e9rieures \u00e0 6.0.16",
"product": {
"name": "N/A",
"vendor": {
"name": "Spring",
"scada": false
}
}
},
{
"description": "Security versions 6.2.x ant\u00e9rieures \u00e0 6.2.10",
"product": {
"name": "N/A",
"vendor": {
"name": "Spring",
"scada": false
}
}
},
{
"description": "Security versions 6.4.x ant\u00e9rieures \u00e0 6.4.4",
"product": {
"name": "N/A",
"vendor": {
"name": "Spring",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-22228",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22228"
},
{
"name": "CVE-2025-22223",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22223"
}
],
"links": [],
"reference": "CERTFR-2025-AVI-0228",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-03-20T00:00:00.000000"
}
],
"risks": [
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Spring Security. Elles permettent \u00e0 un attaquant de provoquer un contournement de la politique de s\u00e9curit\u00e9.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Spring Security",
"vendor_advisories": [
{
"published_at": "2025-03-19",
"title": "Bulletin de s\u00e9curit\u00e9 Spring cve-2025-22228",
"url": "https://spring.io/security/cve-2025-22228"
},
{
"published_at": "2025-03-19",
"title": "Bulletin de s\u00e9curit\u00e9 Spring cve-2025-22223",
"url": "https://spring.io/security/cve-2025-22223"
}
]
}
CERTFR-2025-AVI-0228
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans Spring Security. Elles permettent à un attaquant de provoquer un contournement de la politique de sécurité.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
| Vendor | Product | Description |
|---|---|---|
| Spring | N/A | Security versions 6.1.x antérieures à 6.1.14 |
| Spring | N/A | Security versions 5.8.x antérieures à 5.8.18 |
| Spring | N/A | Security versions 5.7.x antérieures à 5.7.16 |
| Spring | N/A | Security versions 6.3.x antérieures à 6.3.8 |
| Spring | N/A | Security versions 6.0.x antérieures à 6.0.16 |
| Spring | N/A | Security versions 6.2.x antérieures à 6.2.10 |
| Spring | N/A | Security versions 6.4.x antérieures à 6.4.4 |
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Security versions 6.1.x ant\u00e9rieures \u00e0 6.1.14",
"product": {
"name": "N/A",
"vendor": {
"name": "Spring",
"scada": false
}
}
},
{
"description": "Security versions 5.8.x ant\u00e9rieures \u00e0 5.8.18",
"product": {
"name": "N/A",
"vendor": {
"name": "Spring",
"scada": false
}
}
},
{
"description": "Security versions 5.7.x ant\u00e9rieures \u00e0 5.7.16",
"product": {
"name": "N/A",
"vendor": {
"name": "Spring",
"scada": false
}
}
},
{
"description": "Security versions 6.3.x ant\u00e9rieures \u00e0 6.3.8",
"product": {
"name": "N/A",
"vendor": {
"name": "Spring",
"scada": false
}
}
},
{
"description": "Security versions 6.0.x ant\u00e9rieures \u00e0 6.0.16",
"product": {
"name": "N/A",
"vendor": {
"name": "Spring",
"scada": false
}
}
},
{
"description": "Security versions 6.2.x ant\u00e9rieures \u00e0 6.2.10",
"product": {
"name": "N/A",
"vendor": {
"name": "Spring",
"scada": false
}
}
},
{
"description": "Security versions 6.4.x ant\u00e9rieures \u00e0 6.4.4",
"product": {
"name": "N/A",
"vendor": {
"name": "Spring",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-22228",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22228"
},
{
"name": "CVE-2025-22223",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22223"
}
],
"links": [],
"reference": "CERTFR-2025-AVI-0228",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-03-20T00:00:00.000000"
}
],
"risks": [
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Spring Security. Elles permettent \u00e0 un attaquant de provoquer un contournement de la politique de s\u00e9curit\u00e9.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Spring Security",
"vendor_advisories": [
{
"published_at": "2025-03-19",
"title": "Bulletin de s\u00e9curit\u00e9 Spring cve-2025-22228",
"url": "https://spring.io/security/cve-2025-22228"
},
{
"published_at": "2025-03-19",
"title": "Bulletin de s\u00e9curit\u00e9 Spring cve-2025-22223",
"url": "https://spring.io/security/cve-2025-22223"
}
]
}
FKIE_CVE-2025-22223
Vulnerability from fkie_nvd - Published: 2025-03-24 18:15 - Updated: 2026-06-17 08:45

| Vendor | Product | Version |
|---|---|---|
{
"affected": [
{
"affectedData": [
{
"defaultStatus": "unaffected",
"product": "Spring Security",
"vendor": "Spring",
"versions": [
{
"status": "affected",
"version": "6.4.0-6.4.3"
}
]
}
],
"source": "security@vmware.com"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Spring Security 6.4.0 - 6.4.3 may not correctly locate method security annotations on parameterized types or methods. This may cause an authorization bypass.\u00a0\n\nYou are not affected if you are not using @EnableMethodSecurity, or\nyou do not have method security annotations on parameterized types or methods, or all method security annotations are attached to target methods"
},
{
"lang": "es",
"value": "Es posible que Spring Security 6.4.0 - 6.4.3 no ubique correctamente las anotaciones de seguridad de m\u00e9todos en tipos o m\u00e9todos parametrizados. Esto puede provocar una omisi\u00f3n de autorizaci\u00f3n. Esto no se ve afectado si no utiliza @EnableMethodSecurity, si no tiene anotaciones de seguridad de m\u00e9todos en tipos o m\u00e9todos parametrizados, o si todas las anotaciones de seguridad de m\u00e9todos est\u00e1n asociadas a los m\u00e9todos de destino."
}
],
"id": "CVE-2025-22223",
"lastModified": "2026-06-17T08:45:42.900",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "security@vmware.com",
"type": "Secondary"
}
],
"ssvcV203": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"ssvcData": {
"id": "CVE-2025-22223",
"options": [
{
"exploitation": "none"
},
{
"automatable": "yes"
},
{
"technicalImpact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-24T18:04:57.845346Z",
"version": "2.0.3"
}
}
]
},
"published": "2025-03-24T18:15:22.673",
"references": [
{
"source": "security@vmware.com",
"url": "https://spring.io/security/cve-2025-22223"
}
],
"sourceIdentifier": "security@vmware.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-290"
}
],
"source": "security@vmware.com",
"type": "Secondary"
}
]
}
GHSA-HH3M-G4QJ-4835
Vulnerability from github – Published: 2025-03-24 18:31 – Updated: 2025-03-24 21:20

Spring Security 6.4.0 - 6.4.3 may not correctly locate method security annotations on parameterized types or methods. This may cause an authorization bypass.

You are not affected if you are not using @EnableMethodSecurity, or you do not have method security annotations on parameterized types or methods, or all method security annotations are attached to target methods.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.springframework.security:spring-security-core"
},
"ranges": [
{
"events": [
{
"introduced": "6.4.0"
},
{
"fixed": "6.4.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-22223"
],
"database_specific": {
"cwe_ids": [
"CWE-290"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-24T21:20:53Z",
"nvd_published_at": "2025-03-24T18:15:22Z",
"severity": "MODERATE"
},
"details": "Spring Security 6.4.0 - 6.4.3 may not correctly locate method security annotations on parameterized types or methods. This may cause an authorization bypass.\u00a0\n\nYou are not affected if you are not using @EnableMethodSecurity, or you do not have method security annotations on parameterized types or methods, or all method security annotations are attached to target methods",
"id": "GHSA-hh3m-g4qj-4835",
"modified": "2025-03-24T21:20:53Z",
"published": "2025-03-24T18:31:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22223"
},
{
"type": "WEB",
"url": "https://github.com/spring-projects/spring-security/commit/dc2e1af2dab8ef81cd4edd25b56a2babeaab8cf9"
},
{
"type": "PACKAGE",
"url": "https://github.com/spring-projects/spring-security"
},
{
"type": "WEB",
"url": "https://spring.io/security/cve-2025-22223"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Spring Security Vulnerable to Authorization Bypass via Security Annotations"
}
WID-SEC-W-2025-0602
Vulnerability from csaf_certbund - Published: 2025-03-19 23:00 - Updated: 2025-11-25 23:00

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat OpenShift Developer Tools and Services 4.14<br>Red Hat / OpenShift | cpe:/a:redhat:openshift:developer_tools_and_services_4.14 | Developer Tools and Services 4.14 | |
| NetApp ActiveIQ Unified Manager for VMware vSphere<br>NetApp / ActiveIQ Unified Manager | cpe:/a:netapp:active_iq_unified_manager:for_vmware_vsphere | for VMware vSphere | |
| VMware Tanzu Spring Security <6.1.14<br>VMware Tanzu / Spring Security | | <6.1.14 | |
| Hitachi Ops Center<br>Hitachi | cpe:/a:hitachi:ops_center:- | — | |
| Atlassian Bamboo <10.2.4 (LTS)<br>Atlassian / Bamboo | | <10.2.4 (LTS) | |
| Red Hat OpenShift Developer Tools and Services 4.16<br>Red Hat / OpenShift | cpe:/a:redhat:openshift:developer_tools_and_services_4.16 | Developer Tools and Services 4.16 | |
| Red Hat OpenShift Developer Tools and Services 4.18<br>Red Hat / OpenShift | cpe:/a:redhat:openshift:developer_tools_and_services_4.18 | Developer Tools and Services 4.18 | |
| Red Hat OpenShift Developer Tools and Services 4.17<br>Red Hat / OpenShift | cpe:/a:redhat:openshift:developer_tools_and_services_4.17 | Developer Tools and Services 4.17 | |
| NetApp ActiveIQ Unified Manager for Microsoft Windows<br>NetApp / ActiveIQ Unified Manager | cpe:/a:netapp:active_iq_unified_manager:for_microsoft_windows | for Microsoft Windows | |
| VMware Tanzu Spring Security <6.0.16<br>VMware Tanzu / Spring Security | | <6.0.16 | |
| IBM Operational Decision Manager<br>IBM | cpe:/a:ibm:operational_decision_manager:- | — | |
| VMware Tanzu Spring Security <5.7.16<br>VMware Tanzu / Spring Security | | <5.7.16 | |
| Atlassian Bitbucket <9.4.13 (LTS)<br>Atlassian / Bitbucket | | <9.4.13 (LTS) | |
| Atlassian Bitbucket <8.19.25 (LTS)<br>Atlassian / Bitbucket | | <8.19.25 (LTS) | |
| Atlassian Bitbucket <10.0.2<br>Atlassian / Bitbucket | | <10.0.2 | |
| Red Hat Integration<br>Red Hat | cpe:/a:redhat:integration:- | — | |
| NetApp ActiveIQ Unified Manager for Linux<br>NetApp / ActiveIQ Unified Manager | cpe:/a:netapp:active_iq_unified_manager:for_linux | for Linux | |
| VMware Tanzu Spring Security <6.2.10<br>VMware Tanzu / Spring Security | | <6.2.10 | |
| Open Source Camunda <7.23.0<br>Open Source / Camunda | | <7.23.0 | |
| Open Source Camunda <7.22.4<br>Open Source / Camunda | | <7.22.4 | |
| VMware Tanzu Spring Security <6.4.4<br>VMware Tanzu / Spring Security | | <6.4.4 | |
| VMware Tanzu Spring Security <6.3.8<br>VMware Tanzu / Spring Security | | <6.3.8 | |
| Red Hat OpenShift Developer Tools and Services 4.15<br>Red Hat / OpenShift | cpe:/a:redhat:openshift:developer_tools_and_services_4.15 | Developer Tools and Services 4.15 | |
| Atlassian Jira <10.7.2<br>Atlassian / Jira | | <10.7.2 | |
| Red Hat OpenShift Developer Tools and Services 4.12<br>Red Hat / OpenShift | cpe:/a:redhat:openshift:developer_tools_and_services_4.12 | Developer Tools and Services 4.12 | |
| Atlassian Jira <9.12.25 (LTS)<br>Atlassian / Jira | | <9.12.25 (LTS) | |
| Red Hat OpenShift Developer Tools and Services 4.13<br>Red Hat / OpenShift | cpe:/a:redhat:openshift:developer_tools_and_services_4.13 | Developer Tools and Services 4.13 | |
| Atlassian Jira <10.3.8 (LTS)<br>Atlassian / Jira | | <10.3.8 (LTS) | |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat OpenShift Developer Tools and Services 4.14<br>Red Hat / OpenShift | cpe:/a:redhat:openshift:developer_tools_and_services_4.14 | Developer Tools and Services 4.14 | |
| NetApp ActiveIQ Unified Manager for VMware vSphere<br>NetApp / ActiveIQ Unified Manager | cpe:/a:netapp:active_iq_unified_manager:for_vmware_vsphere | for VMware vSphere | |
| VMware Tanzu Spring Security <6.1.14<br>VMware Tanzu / Spring Security | | <6.1.14 | |
| Hitachi Ops Center<br>Hitachi | cpe:/a:hitachi:ops_center:- | — | |
| Atlassian Bamboo <10.2.4 (LTS)<br>Atlassian / Bamboo | | <10.2.4 (LTS) | |
| Red Hat OpenShift Developer Tools and Services 4.16<br>Red Hat / OpenShift | cpe:/a:redhat:openshift:developer_tools_and_services_4.16 | Developer Tools and Services 4.16 | |
| Red Hat OpenShift Developer Tools and Services 4.18<br>Red Hat / OpenShift | cpe:/a:redhat:openshift:developer_tools_and_services_4.18 | Developer Tools and Services 4.18 | |
| Red Hat OpenShift Developer Tools and Services 4.17<br>Red Hat / OpenShift | cpe:/a:redhat:openshift:developer_tools_and_services_4.17 | Developer Tools and Services 4.17 | |
| NetApp ActiveIQ Unified Manager for Microsoft Windows<br>NetApp / ActiveIQ Unified Manager | cpe:/a:netapp:active_iq_unified_manager:for_microsoft_windows | for Microsoft Windows | |
| VMware Tanzu Spring Security <6.0.16<br>VMware Tanzu / Spring Security | | <6.0.16 | |
| IBM Operational Decision Manager<br>IBM | cpe:/a:ibm:operational_decision_manager:- | — | |
| VMware Tanzu Spring Security <5.7.16<br>VMware Tanzu / Spring Security | | <5.7.16 | |
| Atlassian Bitbucket <9.4.13 (LTS)<br>Atlassian / Bitbucket | | <9.4.13 (LTS) | |
| Atlassian Bitbucket <8.19.25 (LTS)<br>Atlassian / Bitbucket | | <8.19.25 (LTS) | |
| Atlassian Bitbucket <10.0.2<br>Atlassian / Bitbucket | | <10.0.2 | |
| Red Hat Integration<br>Red Hat | cpe:/a:redhat:integration:- | — | |
| NetApp ActiveIQ Unified Manager for Linux<br>NetApp / ActiveIQ Unified Manager | cpe:/a:netapp:active_iq_unified_manager:for_linux | for Linux | |
| VMware Tanzu Spring Security <6.2.10<br>VMware Tanzu / Spring Security | | <6.2.10 | |
| Open Source Camunda <7.23.0<br>Open Source / Camunda | | <7.23.0 | |
| Open Source Camunda <7.22.4<br>Open Source / Camunda | | <7.22.4 | |
| VMware Tanzu Spring Security <6.4.4<br>VMware Tanzu / Spring Security | | <6.4.4 | |
| VMware Tanzu Spring Security <6.3.8<br>VMware Tanzu / Spring Security | | <6.3.8 | |
| Red Hat OpenShift Developer Tools and Services 4.15<br>Red Hat / OpenShift | cpe:/a:redhat:openshift:developer_tools_and_services_4.15 | Developer Tools and Services 4.15 | |
| Atlassian Jira <10.7.2<br>Atlassian / Jira | | <10.7.2 | |
| Red Hat OpenShift Developer Tools and Services 4.12<br>Red Hat / OpenShift | cpe:/a:redhat:openshift:developer_tools_and_services_4.12 | Developer Tools and Services 4.12 | |
| Atlassian Jira <9.12.25 (LTS)<br>Atlassian / Jira | | <9.12.25 (LTS) | |
| Red Hat OpenShift Developer Tools and Services 4.13<br>Red Hat / OpenShift | cpe:/a:redhat:openshift:developer_tools_and_services_4.13 | Developer Tools and Services 4.13 | |
| Atlassian Jira <10.3.8 (LTS)<br>Atlassian / Jira | | <10.3.8 (LTS) | |
{
"document": {
"aggregate_severity": {
"text": "mittel"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Spring Security ist ein Framework, das Authentifizierung, Autorisierung und Schutz vor g\u00e4ngigen Angriffen bietet.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in VMware Tanzu Spring Security ausnutzen, um Sicherheitsvorkehrungen zu umgehen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux\n- Sonstiges\n- UNIX\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2025-0602 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-0602.json"
},
{
"category": "self",
"summary": "WID-SEC-2025-0602 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-0602"
},
{
"category": "external",
"summary": "Spring Security 6.3.8 and 6.4.4 Release Notes vom 2025-03-19",
"url": "https://spring.io/blog/2025/03/19/spring-security-6-3-8-6-4-4-are-now-available"
},
{
"category": "external",
"summary": "CVE-2025-22223 Spring Security authorization bypass vom 2025-03-19",
"url": "https://spring.io/security/cve-2025-22223"
},
{
"category": "external",
"summary": "CVE-2025-22228 Spring Security BCryptPasswordEncoder does not enforce maximum password length vom 2025-03-19",
"url": "https://spring.io/security/cve-2025-22228"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:3543 vom 2025-04-02",
"url": "https://access.redhat.com/errata/RHSA-2025:3543"
},
{
"category": "external",
"summary": "Camunda Security Notices vom 2025-04-09",
"url": "https://docs.camunda.org/security/notices/#notice-133"
},
{
"category": "external",
"summary": "NetApp Security Advisory NTAP-20250425-0009 vom 2025-04-25",
"url": "https://security.netapp.com/advisory/ntap-20250425-0009/"
},
{
"category": "external",
"summary": "Atlassian Security Bulletin vom 2025-06-17",
"url": "https://confluence.atlassian.com/security/security-bulletin-june-17-2025-1574012717.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:10104 vom 2025-07-01",
"url": "https://access.redhat.com/errata/RHSA-2025:10104"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:10120 vom 2025-07-02",
"url": "https://access.redhat.com/errata/RHSA-2025:10120"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:10097 vom 2025-07-01",
"url": "https://access.redhat.com/errata/RHSA-2025:10097"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:10098 vom 2025-07-01",
"url": "https://access.redhat.com/errata/RHSA-2025:10098"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:10092 vom 2025-07-01",
"url": "https://access.redhat.com/errata/RHSA-2025:10092"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:10118 vom 2025-07-01",
"url": "https://access.redhat.com/errata/RHSA-2025:10118"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:10119 vom 2025-07-01",
"url": "https://access.redhat.com/errata/RHSA-2025:10119"
},
{
"category": "external",
"summary": "Atlassian Security Bulletin - July 15 2025",
"url": "https://confluence.atlassian.com/security/security-bulletin-july-15-2025-1590658642.html"
},
{
"category": "external",
"summary": "Hitachi Vulnerability Information HITACHI-SEC-2025-127 vom 2025-09-30",
"url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2025-127/index.html"
},
{
"category": "external",
"summary": "Atlassian Security Bulletin - November 18 2025",
"url": "https://confluence.atlassian.com/security/security-bulletin-november-18-2025-1671463469.html"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7252567 vom 2025-11-26",
"url": "https://www.ibm.com/support/pages/node/7252567"
}
],
"source_lang": "en-US",
"title": "VMware Tanzu Spring Security: Mehrere Schwachstellen erm\u00f6glichen Umgehen von Sicherheitsvorkehrungen",
"tracking": {
"current_release_date": "2025-11-25T23:00:00.000+00:00",
"generator": {
"date": "2025-11-26T11:10:25.898+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.5.0"
}
},
"id": "WID-SEC-W-2025-0602",
"initial_release_date": "2025-03-19T23:00:00.000+00:00",
"revision_history": [
{
"date": "2025-03-19T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2025-04-02T22:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2025-04-08T22:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates aufgenommen"
},
{
"date": "2025-04-27T22:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von NetApp aufgenommen"
},
{
"date": "2025-06-17T22:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates von Atlassian aufgenommen"
},
{
"date": "2025-07-01T22:00:00.000+00:00",
"number": "6",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2025-07-15T22:00:00.000+00:00",
"number": "7",
"summary": "Neue Updates aufgenommen"
},
{
"date": "2025-09-29T22:00:00.000+00:00",
"number": "8",
"summary": "Neue Updates von HITACHI aufgenommen"
},
{
"date": "2025-11-18T23:00:00.000+00:00",
"number": "9",
"summary": "Neue Updates aufgenommen"
},
{
"date": "2025-11-25T23:00:00.000+00:00",
"number": "10",
"summary": "Neue Updates von IBM aufgenommen"
}
],
"status": "final",
"version": "10"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c10.2.4 (LTS)",
"product": {
"name": "Atlassian Bamboo \u003c10.2.4 (LTS)",
"product_id": "T044676"
}
},
{
"category": "product_version",
"name": "10.2.4 (LTS)",
"product": {
"name": "Atlassian Bamboo 10.2.4 (LTS)",
"product_id": "T044676-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:atlassian:bamboo:10.2.4::lts"
}
}
}
],
"category": "product_name",
"name": "Bamboo"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c10.0.2",
"product": {
"name": "Atlassian Bitbucket \u003c10.0.2",
"product_id": "T048675"
}
},
{
"category": "product_version",
"name": "10.0.2",
"product": {
"name": "Atlassian Bitbucket 10.0.2",
"product_id": "T048675-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:atlassian:bitbucket:10.0.2"
}
}
},
{
"category": "product_version_range",
"name": "\u003c8.19.25 (LTS)",
"product": {
"name": "Atlassian Bitbucket \u003c8.19.25 (LTS)",
"product_id": "T048676"
}
},
{
"category": "product_version",
"name": "8.19.25 (LTS)",
"product": {
"name": "Atlassian Bitbucket 8.19.25 (LTS)",
"product_id": "T048676-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:atlassian:bitbucket:8.19.25_%28lts%29"
}
}
},
{
"category": "product_version_range",
"name": "\u003c9.4.13 (LTS)",
"product": {
"name": "Atlassian Bitbucket \u003c9.4.13 (LTS)",
"product_id": "T048677"
}
},
{
"category": "product_version",
"name": "9.4.13 (LTS)",
"product": {
"name": "Atlassian Bitbucket 9.4.13 (LTS)",
"product_id": "T048677-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:atlassian:bitbucket:9.4.13_%28lts%29"
}
}
}
],
"category": "product_name",
"name": "Bitbucket"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c10.7.2",
"product": {
"name": "Atlassian Jira \u003c10.7.2",
"product_id": "T045453"
}
},
{
"category": "product_version",
"name": "10.7.2",
"product": {
"name": "Atlassian Jira 10.7.2",
"product_id": "T045453-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:atlassian:jira:10.7.2"
}
}
},
{
"category": "product_version_range",
"name": "\u003c10.3.8 (LTS)",
"product": {
"name": "Atlassian Jira \u003c10.3.8 (LTS)",
"product_id": "T045454"
}
},
{
"category": "product_version",
"name": "10.3.8 (LTS)",
"product": {
"name": "Atlassian Jira 10.3.8 (LTS)",
"product_id": "T045454-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:atlassian:jira:10.3.8_%28lts%29"
}
}
},
{
"category": "product_version_range",
"name": "\u003c9.12.25 (LTS)",
"product": {
"name": "Atlassian Jira \u003c9.12.25 (LTS)",
"product_id": "T045455"
}
},
{
"category": "product_version",
"name": "9.12.25 (LTS)",
"product": {
"name": "Atlassian Jira 9.12.25 (LTS)",
"product_id": "T045455-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:atlassian:jira:9.12.25_%28lts%29"
}
}
}
],
"category": "product_name",
"name": "Jira"
}
],
"category": "vendor",
"name": "Atlassian"
},
{
"branches": [
{
"category": "product_name",
"name": "Hitachi Ops Center",
"product": {
"name": "Hitachi Ops Center",
"product_id": "T038840",
"product_identification_helper": {
"cpe": "cpe:/a:hitachi:ops_center:-"
}
}
}
],
"category": "vendor",
"name": "Hitachi"
},
{
"branches": [
{
"category": "product_name",
"name": "IBM Operational Decision Manager",
"product": {
"name": "IBM Operational Decision Manager",
"product_id": "T005180",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:operational_decision_manager:-"
}
}
}
],
"category": "vendor",
"name": "IBM"
},
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "for Linux",
"product": {
"name": "NetApp ActiveIQ Unified Manager for Linux",
"product_id": "T023548",
"product_identification_helper": {
"cpe": "cpe:/a:netapp:active_iq_unified_manager:for_linux"
}
}
},
{
"category": "product_version",
"name": "for VMware vSphere",
"product": {
"name": "NetApp ActiveIQ Unified Manager for VMware vSphere",
"product_id": "T025152",
"product_identification_helper": {
"cpe": "cpe:/a:netapp:active_iq_unified_manager:for_vmware_vsphere"
}
}
},
{
"category": "product_version",
"name": "for Microsoft Windows",
"product": {
"name": "NetApp ActiveIQ Unified Manager for Microsoft Windows",
"product_id": "T025631",
"product_identification_helper": {
"cpe": "cpe:/a:netapp:active_iq_unified_manager:for_microsoft_windows"
}
}
}
],
"category": "product_name",
"name": "ActiveIQ Unified Manager"
}
],
"category": "vendor",
"name": "NetApp"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c7.23.0",
"product": {
"name": "Open Source Camunda \u003c7.23.0",
"product_id": "T042687"
}
},
{
"category": "product_version",
"name": "7.23.0",
"product": {
"name": "Open Source Camunda 7.23.0",
"product_id": "T042687-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:camunda:camunda:7.23.0"
}
}
},
{
"category": "product_version_range",
"name": "\u003c7.22.4",
"product": {
"name": "Open Source Camunda \u003c7.22.4",
"product_id": "T042688"
}
},
{
"category": "product_version",
"name": "7.22.4",
"product": {
"name": "Open Source Camunda 7.22.4",
"product_id": "T042688-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:camunda:camunda:7.22.4"
}
}
}
],
"category": "product_name",
"name": "Camunda"
}
],
"category": "vendor",
"name": "Open Source"
},
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Integration",
"product": {
"name": "Red Hat Integration",
"product_id": "T033960",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:integration:-"
}
}
},
{
"branches": [
{
"category": "product_version",
"name": "Developer Tools and Services 4.14",
"product": {
"name": "Red Hat OpenShift Developer Tools and Services 4.14",
"product_id": "T031233",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:developer_tools_and_services_4.14"
}
}
},
{
"category": "product_version",
"name": "Developer Tools and Services 4.16",
"product": {
"name": "Red Hat OpenShift Developer Tools and Services 4.16",
"product_id": "T044977",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:developer_tools_and_services_4.16"
}
}
},
{
"category": "product_version",
"name": "Developer Tools and Services 4.17",
"product": {
"name": "Red Hat OpenShift Developer Tools and Services 4.17",
"product_id": "T044978",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:developer_tools_and_services_4.17"
}
}
},
{
"category": "product_version",
"name": "Developer Tools and Services 4.18",
"product": {
"name": "Red Hat OpenShift Developer Tools and Services 4.18",
"product_id": "T044979",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:developer_tools_and_services_4.18"
}
}
},
{
"category": "product_version",
"name": "Developer Tools and Services 4.15",
"product": {
"name": "Red Hat OpenShift Developer Tools and Services 4.15",
"product_id": "T044980",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:developer_tools_and_services_4.15"
}
}
},
{
"category": "product_version",
"name": "Developer Tools and Services 4.13",
"product": {
"name": "Red Hat OpenShift Developer Tools and Services 4.13",
"product_id": "T044981",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:developer_tools_and_services_4.13"
}
}
},
{
"category": "product_version",
"name": "Developer Tools and Services 4.12",
"product": {
"name": "Red Hat OpenShift Developer Tools and Services 4.12",
"product_id": "T044982",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:developer_tools_and_services_4.12"
}
}
}
],
"category": "product_name",
"name": "OpenShift"
}
],
"category": "vendor",
"name": "Red Hat"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c6.4.4",
"product": {
"name": "VMware Tanzu Spring Security \u003c6.4.4",
"product_id": "T042062"
}
},
{
"category": "product_version",
"name": "6.4.4",
"product": {
"name": "VMware Tanzu Spring Security 6.4.4",
"product_id": "T042062-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:vmware_tanzu:spring_security:6.4.4"
}
}
},
{
"category": "product_version_range",
"name": "\u003c6.3.8",
"product": {
"name": "VMware Tanzu Spring Security \u003c6.3.8",
"product_id": "T042063"
}
},
{
"category": "product_version",
"name": "6.3.8",
"product": {
"name": "VMware Tanzu Spring Security 6.3.8",
"product_id": "T042063-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:vmware_tanzu:spring_security:6.3.8"
}
}
},
{
"category": "product_version_range",
"name": "\u003c6.2.10",
"product": {
"name": "VMware Tanzu Spring Security \u003c6.2.10",
"product_id": "T042069"
}
},
{
"category": "product_version",
"name": "6.2.10",
"product": {
"name": "VMware Tanzu Spring Security 6.2.10",
"product_id": "T042069-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:vmware_tanzu:spring_security:6.2.10"
}
}
},
{
"category": "product_version_range",
"name": "\u003c6.1.14",
"product": {
"name": "VMware Tanzu Spring Security \u003c6.1.14",
"product_id": "T042070"
}
},
{
"category": "product_version",
"name": "6.1.14",
"product": {
"name": "VMware Tanzu Spring Security 6.1.14",
"product_id": "T042070-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:vmware_tanzu:spring_security:6.1.14"
}
}
},
{
"category": "product_version_range",
"name": "\u003c6.0.16",
"product": {
"name": "VMware Tanzu Spring Security \u003c6.0.16",
"product_id": "T042071"
}
},
{
"category": "product_version",
"name": "6.0.16",
"product": {
"name": "VMware Tanzu Spring Security 6.0.16",
"product_id": "T042071-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:vmware_tanzu:spring_security:6.0.16"
}
}
},
{
"category": "product_version_range",
"name": "\u003c5.7.16",
"product": {
"name": "VMware Tanzu Spring Security \u003c5.7.16",
"product_id": "T042072"
}
},
{
"category": "product_version",
"name": "5.7.16",
"product": {
"name": "VMware Tanzu Spring Security 5.7.16",
"product_id": "T042072-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:vmware_tanzu:spring_security:5.7.16"
}
}
}
],
"category": "product_name",
"name": "Spring Security"
}
],
"category": "vendor",
"name": "VMware Tanzu"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-22223",
"product_status": {
"known_affected": [
"T031233",
"T025152",
"T042070",
"T038840",
"T044676",
"T044977",
"T044979",
"T044978",
"T025631",
"T042071",
"T005180",
"T042072",
"T048677",
"T048676",
"T048675",
"T033960",
"T023548",
"T042069",
"T042687",
"T042688",
"T042062",
"T042063",
"T044980",
"T045453",
"T044982",
"T045455",
"T044981",
"T045454"
]
},
"release_date": "2025-03-19T23:00:00.000+00:00",
"title": "CVE-2025-22223"
},
{
"cve": "CVE-2025-22228",
"product_status": {
"known_affected": [
"T031233",
"T025152",
"T042070",
"T038840",
"T044676",
"T044977",
"T044979",
"T044978",
"T025631",
"T042071",
"T005180",
"T042072",
"T048677",
"T048676",
"T048675",
"T033960",
"T023548",
"T042069",
"T042687",
"T042688",
"T042062",
"T042063",
"T044980",
"T045453",
"T044982",
"T045455",
"T044981",
"T045454"
]
},
"release_date": "2025-03-19T23:00:00.000+00:00",
"title": "CVE-2025-22228"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature (sighting types)
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.