CVE-2022-22976

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2022-22976
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-22976.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-22976
Aliases
Downstream
Published
2022-05-19T14:50:46Z
Modified
2026-06-26T03:54:46.342070663Z
Summary
[none]
Details

Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/22xxx/CVE-2022-22976.json",
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "last_affected": "Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions"
                }
            ]
        }
    ],
    "cwe_ids": [
        "CWE-190"
    ],
    "cna_assigner": "vmware"
}
References

Affected packages

Git / github.com/spring-projects/spring-security

Affected ranges

Type
GIT
Repo
https://github.com/spring-projects/spring-security
Events
Introduced
8ce1ac3ec51e38c8b67dfb54d3623a38d26e635c
Fixed
ada333710470ae07b7e96aef1efc87d06006882c
Introduced
fa628f7491277c02c820eda6f8d13a98566dd6fa
Fixed
c2d2914a4f02ce38a307530229f2704e8849fd22
Introduced
0 Unknown introduced commit / All previous commits are affected
Database specific 
{
    "source": [
        "CPE_RANGE",
        "CPE_STRING"
    ],
    "cpe": [
        "cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:vmware:spring_security:5.2.0:-:*:*:*:*:*:*"
    ],
    "extracted_events": [
        {
            "introduced": "5.2.1"
        },
        {
            "fixed": "5.5.7"
        },
        {
            "introduced": "5.6.0"
        },
        {
            "fixed": "5.6.4"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "5.2.0-NA"
        }
    ]
}

Affected versions

1.*
1.0.0
1.0.2
1.0.3
1.0.4
1.0.5
2.*
2.5.0.M1
3.*
3.0.0.M2
3.0.0.RC2
3.0.1.RELEASE
3.0.2.RELEASE
3.1.0.M1
3.1.0.M2
3.1.0.RC1
3.1.0.RC2
3.1.0.RC3
3.1.0.RELEASE
3.1.1.RELEASE
3.1.2.RELEASE
3.1.3.RELEASE
3.2.0.M2
4.*
4.1.0.RC1
4.1.0.RC2
4.1.0.RELEASE
4.1.1.RELEASE
4.2.0.M1
4.2.0.RC1
4.2.0.RELEASE
4.2.1.RELEASE
4.2.2.RELEASE
5.*
5.0.0.M1
5.0.0.M2
5.0.0.M3
5.0.0.M4
5.0.0.M5
5.0.0.RC1
5.0.0.RELEASE
5.0.1.RELEASE
5.0.2.RELEASE
5.0.3.RELEASE
5.1.0.M1
5.1.0.M2
5.1.0.RC2
5.1.0.RELEASE
5.1.1.RELEASE
5.2.0.M1
5.2.0.M2
5.2.0.M3
5.2.0.M4
5.2.0.RC1
5.2.0.RELEASE
5.3.0.M1
5.3.0.RC1
5.3.0.RELEASE
5.4.0
5.4.0-M1
5.4.0-M2
5.4.0-RC1
5.5.0
5.5.0-M1
5.5.0-M2
5.5.0-M3
5.5.0-RC1
5.5.0-RC2
5.5.1
5.5.2
5.5.3
5.5.4
5.5.5
5.5.6
5.6.0
5.6.1
5.6.2
5.6.3

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-22976.json"