Vulnerability in Spring Security 5.1.1 

Issue date: 29-04-2019
Affects versions: 13.0

Issue ID: SECURITY-100

Affected Product Version(s)

Spring Security versions 5.1.x prior to 5.1.2 contain an authorization bypass vulnerability in JWT issuer validation. To be affected, the same private key must be used to sign JWTs for both an honest issuer and a malicious user. In that case, the malicious user can craft JWTs that are signed with that shared key but carry the malicious issuer URL in the iss claim, and such tokens may be accepted as if they had been issued by the honest issuer.
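Added illustration, not code from this advisory or from Spring Security: whatever the signature check says, the token's iss claim has to be compared with the configured issuer as an exact string. The plain-Java example below (no dependencies) contrasts that strict comparison with one done through java.net.URL.equals(), whose Javadoc defines two hosts as equivalent when their names resolve to the same IP address. With such a loose check, a signed token whose iss is any name resolving to the honest issuer's address would pass. The issuer strings http://localhost:8080/auth and http://127.0.0.1:8080/auth are constructed for the demonstration and are not taken from the advisory.

```java
import java.net.MalformedURLException;
import java.net.URL;

public class IssuerComparison {

    // Strict check: the token's "iss" claim must equal the configured issuer
    // character for character. A token signed with the shared key but carrying
    // a different issuer URL is rejected here.
    static boolean issuerMatchesStrictly(String expectedIssuer, String claimedIssuer) {
        return expectedIssuer.equals(claimedIssuer);
    }

    // Loose check: java.net.URL.equals() treats two hosts as equivalent when they
    // resolve to the same IP address (documented in the URL.equals Javadoc), so a
    // differently named issuer that resolves to the honest issuer's address is
    // treated as equal. It also performs a DNS lookup on every comparison.
    static boolean issuerMatchesLoosely(String expectedIssuer, String claimedIssuer) {
        try {
            return new URL(expectedIssuer).equals(new URL(claimedIssuer));
        } catch (MalformedURLException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample issuers (assumption for this demo): different strings
        // that resolve to the same address on a typical host.
        String honestIssuer = "http://localhost:8080/auth";
        String maliciousIssuer = "http://127.0.0.1:8080/auth";

        System.out.println("strict comparison accepts the malicious issuer: "
                + issuerMatchesStrictly(honestIssuer, maliciousIssuer));
        System.out.println("URL.equals comparison accepts the malicious issuer: "
                + issuerMatchesLoosely(honestIssuer, maliciousIssuer));
    }
}
```

Compile and run it with javac IssuerComparison.java && java IssuerComparison. The strict comparison rejects the second issuer; the URL-based one accepts it on any machine where localhost resolves to 127.0.0.1, which is why issuer validation should compare the raw claim string and never rely on URL.equals().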
Every customer using CRISP is strongly advised to upgrade as soon as possible to the latest maintenance release of the affected version listed above, or higher. This can be done by incrementing the version number of the parent POM of the implementation project. After upgrading, confirm that the Spring Security artifacts actually resolved by the build are 5.1.2 or later, for example by inspecting the output of mvn dependency:tree.