VDB
KO
MEDIUM 4.8

GHSA-x2wq-9x2f-fhj7

Spring Security Core has a TOCTOU race condition when One-Time Token login with JdbcOneTimeTokenService is configured

Details

Vulnerability in Spring Spring Security. Applications that explicitly configure One-Time Token login with JdbcOneTimeTokenService are vulnerable to a Time-of-check Time-of-use (TOCTOU) race condition. This issue affects Spring Security: from 6.4.0 through 6.4.15, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.

Are you affected?

Enter the version of the package you're using.

Affected packages

Maven / org.springframework.security:spring-security-core
Introduced in: 6.5.0 Fixed in: 6.5.10
Fix # pom.xml: bump <version>6.5.10</version> for org.springframework.security:spring-security-core
Maven / org.springframework.security:spring-security-core
Introduced in: 7.0.3 Fixed in: 7.0.5
Fix # pom.xml: bump <version>7.0.5</version> for org.springframework.security:spring-security-core
Maven / org.springframework.security:spring-security-core
Introduced in: 6.4.0

No fixed version published yet for org.springframework.security:spring-security-core (maven). Pin to a known-safe version or switch to an alternative.

References