CVE-2025-22228
Date: 2025-03-20
Severity: High
CVSS Score: 7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
References:
Library: org.springframework.security:spring-security-crypto <= 5.8.17
Description
CWE-287: Improper Authentication
BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same.
GovWay
Affected versions: <= 3.3.16
Resolution: 3.3.16.p1