High severity vulnerabilities were reported for Spring. When can we expect the next patch to be released so that we can remediate these vulnerabilities?
Currently at version 6.8.6.1562.
Find below the vulnerability details.
Full Name:
Spring Security 5.7 < 5.7.16 / 5.8 < 5.8.18 / 6.0 < 6.0.16 / 6.1 < 6.1.14 / 6.2 < 6.2.10 / 6.3 < 6.3.8 / 6.4 < 6.4.4 Authentication Bypass (CVE-2025-22228) - The remote host contains a web application framework that is affected by an authentication bypass vulnerability.
Details:
The remote host contains a Spring Security version that is 5.7 prior to 5.7.16, 5.8 prior to 5.8.18, 6.0 prior to 6.0.16, 6.1 prior to 6.1.14, 6.2 prior to 6.2.10, 6.3 prior to 6.3.8, or 6.4 prior to 6.4.4. It may, therefore, be affected by an authentication bypass vulnerability. BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same.
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Path : /apps/nolio/mgt_server/webapps/nolio-app/WEB-INF/lib/spring-security-core-5.7.13.jar
Installed version : 5.7.13
Fixed version : 5.7.16
Path : /apps/nolio/mgt_server/webapps/nolio-app/apps/v2.0.0/lib/spring-security-core-5.7.13.jar
Installed version : 5.7.13
Fixed version : 5.7.16
Path : /apps/nolio/mgt_server/webapps/datamanagement/WEB-INF/lib/spring-security-core-5.7.13.jar
Installed version : 5.7.13
Fixed version : 5.7.16
Path : /apps/nolio/mgt_server/webapps/execution/WEB-INF/lib/spring-security-core-5.7.13.jar
Installed version : 5.7.13
Fixed version : 5.7.16
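The Nessus text above describes the condition behind CVE-2025-22228: bcrypt only hashes the first 72 bytes, and the affected matches() did not reject longer inputs. As an added example (not from this KB, and not Spring Security's or Nolio's own code), the following regression check reports whether the BCryptPasswordEncoder on the classpath treats two passwords that differ only after byte 72 as equal, and wraps the encoder so that overlong input is refused before bcrypt can truncate it. It assumes spring-security-crypto is on the classpath and Java 11 or later; the class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hypothetical helper for CVE-2025-22228; not part of Spring Security or Nolio.
public class BcryptTruncationCheck {

    // bcrypt hashes at most 72 bytes of input; anything beyond that is ignored.
    static final int BCRYPT_MAX_BYTES = 72;

    /** Returns true when the given encoder shows the CVE-2025-22228 behaviour. */
    static boolean isAffected(PasswordEncoder encoder) {
        String prefix = "a".repeat(BCRYPT_MAX_BYTES);   // constructed sample: 72 ASCII bytes
        try {
            String stored = encoder.encode(prefix + "X"); // 73-byte password
            // A password that differs only beyond byte 72 must not match the stored hash.
            return encoder.matches(prefix + "Y", stored);
        } catch (IllegalArgumentException rejected) {
            // The encoder refused the overlong input outright, so no silent truncation.
            return false;
        }
    }

    /** Defence in depth: refuse input bcrypt would truncate, whatever the library version. */
    static final class LengthCheckingEncoder implements PasswordEncoder {
        private final PasswordEncoder delegate;
        LengthCheckingEncoder(PasswordEncoder delegate) { this.delegate = delegate; }

        // Measure bytes, not chars: multi-byte UTF-8 reaches the limit before 72 characters.
        private static boolean withinLimit(CharSequence raw) {
            return raw.toString().getBytes(StandardCharsets.UTF_8).length <= BCRYPT_MAX_BYTES;
        }
        @Override public String encode(CharSequence raw) {
            if (!withinLimit(raw)) {
                throw new IllegalArgumentException("password exceeds " + BCRYPT_MAX_BYTES + " bytes");
            }
            return delegate.encode(raw);
        }
        @Override public boolean matches(CharSequence raw, String encoded) {
            // Fail closed on login rather than compare a truncated value.
            return withinLimit(raw) && delegate.matches(raw, encoded);
        }
    }

    public static void main(String[] args) {
        PasswordEncoder bcrypt = new BCryptPasswordEncoder();
        System.out.println("BCryptPasswordEncoder affected: " + isAffected(bcrypt));
        System.out.println("Wrapped encoder affected:       " + isAffected(new LengthCheckingEncoder(bcrypt)));
    }
}
```

Run it against each deployed spring-security-core/crypto jar; a `true` on the first line means the library still accepts and truncates overlong passwords, and the wrapper line stays `false` regardless of version.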
Nolio 6.8.x and 6.9.x
Third Party Spring Vulnerability
Technically, Nolio Release Automation is not impacted by this vulnerability because the CVE reports the problem in the BCryptPasswordEncoder.matches(CharSequence,String) method in particular, which is not used in Nolio.
However, we're going to include a Spring version that has the fix for this vulnerability in the next cumulative update for both 6.8 and 6.9.
As of 18 Jul 2025, the 6.8.7 patch build that has this fix is "tentatively" planned for the end of August.