CVE-2022-22976 — Integer overflow in BCrypt class in Spring Security

Description

Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE.

How to fix CVE-2022-22976

To remediate CVE-2022-22976, upgrade the affected package to a fixed version below.

—upgrade to 5.5.7 or later

Is CVE-2022-22976 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 5.2.0.RELEASE, < 5.5.7

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-22976
PATCHgithub.com/spring-projects/spring-security
WEBgithub.com/spring-projects/spring-security/commit/388a7b62b906bd56deadb7ca45248fa1a63bdf12
WEBgithub.com/spring-projects/spring-security/commit/a40f73521c0dd88b879ff6165d280e78bdf8154f