CVE-2011-2731

EPSS 0.23%

Concurrent Execution using Shared Resource with Improper Synchronization in Spring Security

Published: 5/17/2022Modified: 12/7/2024

Description

Race condition in the RunAsManager mechanism in VMware SpringSource Spring Security before 2.0.7 and 3.0.x before 3.0.6 stores the Authentication object in the shared security context, which allows attackers to gain privileges via a crafted thread.

Affected packages (1)

Maven/org.springframework.security:spring-security-corefrom 0, < 2.0.7

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2011-2731
PATCHhttps://github.com/spring-projects/spring-security
WEBhttp://bugs.debian.org/cgi-bin/bugreport.cgi?bug=677814
WEBhttp://support.springsource.com/security/cve-2011-2731