Home
MEDIUM: 6.8 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:NDefault status
unaffected
5.7.0 (custom) before 5.7.25
affected
5.8.0 (custom) before 5.8.27
affected
6.3.0 (custom) before 6.3.18
affected
6.4.0 (custom) before 6.4.18
affected
6.5.0 (custom) before 6.5.11
affected
Description
SubjectDnX509PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user. Affected versions: Spring Security 5.7.0 through 5.7.24; 5.8.0 through 5.8.26; 6.3.0 through 6.3.17; 6.4.0 through 6.4.17; 6.5.0 through 6.5.10.
Problem types
CWE-287: Improper Authentication
Product status
5.7.0 (custom) before 5.7.25
5.8.0 (custom) before 5.8.27
6.3.0 (custom) before 6.3.18
6.4.0 (custom) before 6.4.18
6.5.0 (custom) before 6.5.11
References
spring.io/security/cve-2026-47838