Bug 2087214 (CVE-2022-22976)
Summary: | CVE-2022-22976 springframework: BCrypt skips salt rounds for work factor of 31 | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Sandipan Roy <saroy> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | abenaiss, aboyko, aileenc, alazarot, anstephe, asoldano, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, clement.escoffier, cmoulliard, dandread, darran.lofthouse, dchen, dkreling, dosoudil, drieden, ellin, emingora, etirelli, extras-orphan, fjuma, ggaughan, gmalinko, gsmet, hamadhan, hbraun, ibek, ikanello, iweiss, janstey, java-sig-commits, jnethert, jochrist, jolee, jrokos, jross, jschatte, jstastny, jwon, krathod, kverlaen, lgao, lthon, mnovotny, mosmerov, msochure, msvehla, mszynkie, nwallace, pantinor, pdelbell, pdrozd, peholase, pgallagh, pjindal, pmackay, probinso, pskopek, puntogil, rareddy, rguimara, rrajasek, rruss, rstancel, rsvoboda, sbiarozk, scorneli, sdouglas, shbose, smaestri, sthorger, swoodman, tom.jenkinson, tzimanyi |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | spring-security 5.5.7, spring-security 5.6.4, spring-security 5.7.0 | Doc Type: | If docs needed, set a value |
Doc Text: |
A flaw was found in Spring Framework. The encoder does not perform any salt rounds when using the BCrypt class with the maximum work factor (31) due to an integer overflow error.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2022-07-07 20:39:18 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 2087921 | ||
Bug Blocks: | 2087215 |
Description
Sandipan Roy
2022-05-17 15:21:34 UTC
Created springframework tracking bugs for this issue: Affects: fedora-all [bug 2087921] This issue has been addressed in the following products: Red Hat Fuse 7.11 Via RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-22976 This issue has been addressed in the following products: OpenShift Developer Tools and Services for OCP 4.11 Via RHSA-2023:3663 https://access.redhat.com/errata/RHSA-2023:3663 |