CVE-2022-22976: Integer overflow in BCrypt class in Spring Security

May 19, 2022 (updated February 3, 2023)

Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE.

References

github.com/advisories/GHSA-wx54-3278-m5g4
nvd.nist.gov/vuln/detail/CVE-2022-22976
tanzu.vmware.com/security/cve-2022-22976

Code Behaviors & Features

Detect and mitigate CVE-2022-22976 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →