VMware Spring Security
cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*
- >= 5.7.0, <= 5.7.15
- >= 5.8.0, <= 5.8.17
- >= 6.0.0, <= 6.0.15
- >= 6.1.0, <= 6.1.13
- >= 6.2.0, <= 6.2.9
- >= 6.3.0, <= 6.3.7
- >= 6.4.0, <= 6.4.3
A vulnerability exists in multiple NetApp products that use Spring Security, specifically in versions 5.7.0 through 5.7.15, 5.8.0 through 5.8.17, 6.0.0 through 6.0.15, 6.1.0 through 6.1.13, 6.2.0 through 6.2.9, 6.3.0 through 6.3.7, and 6.4.0 through 6.4.3, as well as older, unsupported versions. The issue arises because the BCryptPasswordEncoder.matches method does not properly enforce a maximum password length. It incorrectly returns true for passwords longer than 72 characters, provided the first 72 characters match the stored password; anything beyond the 72-character limit is silently ignored by the comparison. This flaw could lead to the unintended validation of passwords, potentially allowing for unauthorized access or manipulation of data.
Exploitation of this vulnerability could result in the incorrect validation of passwords, leading to unauthorized access or modification of data.
Users of affected Spring Security versions should upgrade to 5.7.16, 5.8.18, 6.0.16, 6.1.14, 6.2.10, 6.3.8, or 6.4.4, depending on their current version. Instructions for upgrading are available through NetApp's Enterprise Support.
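The following is an added example, not code from Spring Security or NetApp: it encodes a constructed 72-character password, checks whether a longer input sharing that prefix is accepted (true on an affected release, no match on a fixed one), and shows a hypothetical `LengthEnforcingEncoder` wrapper that rejects over-length input before bcrypt can truncate it. It assumes Spring Security's `spring-security-crypto` on the classpath and Java 11 or newer.

```java
import java.nio.charset.StandardCharsets;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class BcryptLengthCheck {
    /** bcrypt hashes at most 72 bytes of input; for ASCII that is 72 characters. */
    static final int BCRYPT_MAX_BYTES = 72;

    /** Hypothetical wrapper (not part of Spring Security) that refuses over-length input. */
    static final class LengthEnforcingEncoder implements PasswordEncoder {
        private final PasswordEncoder delegate;
        LengthEnforcingEncoder(PasswordEncoder delegate) { this.delegate = delegate; }

        private static void requireWithinLimit(CharSequence raw) {
            int bytes = raw.toString().getBytes(StandardCharsets.UTF_8).length;
            if (bytes > BCRYPT_MAX_BYTES) {
                throw new IllegalArgumentException("password exceeds " + BCRYPT_MAX_BYTES + " bytes");
            }
        }
        @Override public String encode(CharSequence raw) {
            requireWithinLimit(raw);
            return delegate.encode(raw);
        }
        @Override public boolean matches(CharSequence raw, String encoded) {
            requireWithinLimit(raw); // never compare a silently truncated prefix
            return delegate.matches(raw, encoded);
        }
    }

    public static void main(String[] args) {
        BCryptPasswordEncoder bcrypt = new BCryptPasswordEncoder();
        String first72 = "a".repeat(72);          // constructed sample password
        String longer = first72 + "EXTRA-SECRET"; // same 72-byte prefix, longer tail
        String hash = bcrypt.encode(first72);

        // Affected release: prints true. Fixed release: false, or the input is rejected.
        try {
            System.out.println("matches(longer, hash) = " + bcrypt.matches(longer, hash));
        } catch (IllegalArgumentException e) {
            System.out.println("library rejected over-length input: " + e.getMessage());
        }

        PasswordEncoder safe = new LengthEnforcingEncoder(bcrypt);
        try {
            safe.matches(longer, hash);
        } catch (IllegalArgumentException e) {
            System.out.println("wrapper rejected over-length input: " + e.getMessage());
        }
    }
}
```

The first check is a quick way to confirm which behaviour a deployed release exhibits; the wrapper is a defence-in-depth measure that remains useful after upgrading, since it also makes the limit visible at registration time.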