org.springframework.security:spring-security-crypto is vulnerable to integer overflows. The encoder does not perform any salt rounds when the BCrypt class is used with the maximum work factor (31), allowing a local authenticated attacker to cause an integer overflow error, resulting in the attacker gaining access to sensitive user information.
github.com/spring-projects/spring-security/commit/0bd7daf899305eac4b2b0a070db8f9536ac384c5
github.com/spring-projects/spring-security/commit/a40f73521c0dd88b879ff6165d280e78bdf8154f
security.netapp.com/advisory/ntap-20220707-0003/
tanzu.vmware.com/security/cve-2022-22976
www.oracle.com/security-alerts/cpujul2022.html
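
The overflow described above, as an added example that is not code from Spring Security: it assumes the round count is derived as `1 << cost` in a signed 32-bit int (emulated here in Python), and it audits stored bcrypt hash strings for work factor 31. The function names, account names and hash bodies are constructed for illustration.

```python
import re

# Modular-crypt bcrypt string: version, two-digit cost, 53 chars of salt+hash.
BCRYPT_RE = re.compile(r"^\$2[aby]?\$(\d{2})\$[./0-9A-Za-z]{53}$")

def to_int32(n):
    """Wrap n to a signed 32-bit value, the way a Java int wraps."""
    n &= 0xFFFFFFFF
    return n - 0x100000000 if n & 0x80000000 else n

def rounds_int32(cost):
    """ASSUMPTION: rounds computed as 1 << cost in a signed 32-bit int."""
    return to_int32(1 << cost)

def rounds_wide(cost):
    """Same computation in a type wide enough for 2**31, with a range check."""
    if not 4 <= cost <= 31:
        raise ValueError("bad bcrypt cost: %d" % cost)
    return 1 << cost

def loop_iterations(rounds):
    """Iterations of `for (i = 0; i < rounds; i++)`: none if rounds <= 0."""
    return max(rounds, 0)

def bcrypt_cost(stored):
    """Return the cost encoded in a bcrypt hash string, or None if malformed."""
    m = BCRYPT_RE.match(stored)
    return int(m.group(1)) if m else None

def audit(records):
    """Names of accounts whose hash was created with cost 31 (re-hash candidates)."""
    return [name for name, stored in records if bcrypt_cost(stored) == 31]

# Constructed records: the 53-character bodies are filler, not real hashes.
SAMPLE = [
    ("alice", "$2a$10$" + "A" * 53),
    ("bob",   "$2b$12$" + "b" * 53),
    ("carol", "$2a$31$" + "C" * 53),
    ("dave",  "not-a-bcrypt-string"),
]

if __name__ == "__main__":
    for cost in (10, 30, 31):
        r = rounds_int32(cost)
        print(cost, r, loop_iterations(r), rounds_wide(cost))
    print("re-hash candidates:", audit(SAMPLE))
```

At cost 31 the 32-bit result is negative, so a loop bounded by it runs zero times, while the wide computation yields the intended 2^31 rounds.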