{ "threat_severity" : "Important", "public_date" : "2025-03-20T05:49:19Z", "bugzilla" : { "description" : "spring-security-core: Spring Security BCryptPasswordEncoder does not enforce maximum password length", "id" : "2353507", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2353507" }, "cvss3" : { "cvss3_base_score" : "7.4", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "status" : "verified" }, "cwe" : "CWE-863", "details" : [ "BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same.", "A flaw was found in the spring-security-core password encoder. This vulnerability allows incorrect password matching via input manipulation." ], "affected_release" : [ { "product_name" : "OCP-Tools-4.12-RHEL-8", "release_date" : "2025-07-01T00:00:00Z", "advisory" : "RHSA-2025:10118", "cpe" : "cpe:/a:redhat:ocp_tools:4.12::el8", "package" : "jenkins-0:2.504.2.1750932984-3.el8" }, { "product_name" : "OCP-Tools-4.12-RHEL-8", "release_date" : "2025-07-01T00:00:00Z", "advisory" : "RHSA-2025:10118", "cpe" : "cpe:/a:redhat:ocp_tools:4.12::el8", "package" : "jenkins-2-plugins-0:4.12.1750933270-1.el8" }, { "product_name" : "OCP-Tools-4.13-RHEL-8", "release_date" : "2025-07-01T00:00:00Z", "advisory" : "RHSA-2025:10119", "cpe" : "cpe:/a:redhat:ocp_tools:4.13::el8", "package" : "jenkins-0:2.504.2.1750916374-3.el8" }, { "product_name" : "OCP-Tools-4.13-RHEL-8", "release_date" : "2025-07-01T00:00:00Z", "advisory" : "RHSA-2025:10119", "cpe" : "cpe:/a:redhat:ocp_tools:4.13::el8", "package" : "jenkins-2-plugins-0:4.13.1750916671-1.el8" }, { "product_name" : "OCP-Tools-4.14-RHEL-8", "release_date" : "2025-07-01T00:00:00Z", "advisory" : "RHSA-2025:10120", "cpe" : "cpe:/a:redhat:ocp_tools:4.14::el8", "package" : "jenkins-0:2.504.2.1750903189-3.el8" }, { "product_name" : "OCP-Tools-4.14-RHEL-8", "release_date" : "2025-07-01T00:00:00Z", "advisory" : "RHSA-2025:10120", "cpe" : "cpe:/a:redhat:ocp_tools:4.14::el8", "package" : "jenkins-2-plugins-0:4.14.1750903529-1.el8" }, { "product_name" : "OCP-Tools-4.15-RHEL-8", "release_date" : "2025-07-01T00:00:00Z", "advisory" : "RHSA-2025:10104", "cpe" : "cpe:/a:redhat:ocp_tools:4.15::el8", "package" : "jenkins-0:2.504.2.1750856366-3.el8" }, { "product_name" : "OCP-Tools-4.15-RHEL-8", "release_date" : "2025-07-01T00:00:00Z", "advisory" : "RHSA-2025:10104", "cpe" : "cpe:/a:redhat:ocp_tools:4.15::el8", "package" : "jenkins-2-plugins-0:4.15.1750856638-1.el8" }, { "product_name" : "OCP-Tools-4.16-RHEL-9", "release_date" : "2025-07-01T00:00:00Z", "advisory" : "RHSA-2025:10098", "cpe" : "cpe:/a:redhat:ocp_tools:4.16::el9", "package" : "jenkins-0:2.504.2.1750857144-3.el9" }, { "product_name" : "OCP-Tools-4.16-RHEL-9", "release_date" : "2025-07-01T00:00:00Z", "advisory" : "RHSA-2025:10098", "cpe" : "cpe:/a:redhat:ocp_tools:4.16::el9", "package" : "jenkins-2-plugins-0:4.16.1750857315-1.el9" }, { "product_name" : "OCP-Tools-4.17-RHEL-9", "release_date" : "2025-07-01T00:00:00Z", "advisory" : "RHSA-2025:10097", "cpe" : "cpe:/a:redhat:ocp_tools:4.17::el9", "package" : "jenkins-0:2.504.2.1750851690-3.el9" }, { "product_name" : "OCP-Tools-4.17-RHEL-9", "release_date" : "2025-07-01T00:00:00Z", "advisory" : "RHSA-2025:10097", "cpe" : "cpe:/a:redhat:ocp_tools:4.17::el9", "package" : "jenkins-2-plugins-0:4.17.1750851950-1.el9" }, { "product_name" : "OCP-Tools-4.18-RHEL-9", "release_date" : "2025-07-01T00:00:00Z", "advisory" : "RHSA-2025:10092", "cpe" : "cpe:/a:redhat:ocp_tools:4.18::el9", "package" : "jenkins-0:2.504.2.1750846524-3.el9" }, { "product_name" : "OCP-Tools-4.18-RHEL-9", "release_date" : "2025-07-01T00:00:00Z", "advisory" : "RHSA-2025:10092", "cpe" : "cpe:/a:redhat:ocp_tools:4.18::el9", "package" : "jenkins-2-plugins-0:4.18.1750846854-1.el9" }, { "product_name" : "Red Hat build of Apache Camel 4.8.5 for Spring Boot", "release_date" : "2025-04-02T00:00:00Z", "advisory" : "RHSA-2025:3543", "cpe" : "cpe:/a:redhat:apache_camel_spring_boot:4.8.5", "package" : "spring-security-core" } ], "package_state" : [ { "product_name" : "A-MQ Clients 2", "fix_state" : "Out of support scope", "package_name" : "spring-security-core", "cpe" : "cpe:/a:redhat:a_mq_clients:2" }, { "product_name" : "Red Hat build of Quarkus", "fix_state" : "Not affected", "package_name" : "quarkus-bom", "cpe" : "cpe:/a:redhat:quarkus:3" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Will not fix", "package_name" : "spring-security-core", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Will not fix", "package_name" : "org.apache.servicemix.bundles.spring-security-core", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Will not fix", "package_name" : "spring-security-core", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Integration Camel K 1", "fix_state" : "Will not fix", "package_name" : "spring-security-core", "cpe" : "cpe:/a:redhat:integration:1" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Not affected", "package_name" : "spring-security-core", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "spring-security-core", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "spring-security-core", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Will not fix", "package_name" : "spring-security-core", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" }, { "product_name" : "Red Hat Single Sign-On 7", "fix_state" : "Not affected", "package_name" : "spring-security-core", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7" }, { "product_name" : "streams for Apache Kafka", "fix_state" : "Will not fix", "package_name" : "spring-security-core", "cpe" : "cpe:/a:redhat:amq_streams:1" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-22228\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-22228\nhttps://spring.io/security/cve-2025-22228" ], "name" : "CVE-2025-22228", "mitigation" : { "value" : "Red Hat Product Security does not have a recommended mitigation at this time.", "lang" : "en:us" }, "csaw" : false }