CVE-2025-22228 - Vulnerability Details

BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Redhat	Apache Camel Spring Boot

No data.

Package	CPE	Advisory	Released Date
Red Hat build of Apache Camel 4.8.5 for Spring Boot
spring-security-core	cpe:/a:redhat:apache_camel_spring_boot:4.8.5	RHSA-2025:3543	2025-04-02T00:00:00Z

References

Link	Providers
https://nvd.nist.gov/vuln/detail/CVE-2025-22228
https://spring.io/security/cve-2025-22228
https://www.cve.org/CVERecord?id=CVE-2025-22228

History

Thu, 03 Apr 2025 03:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat Redhat apache Camel Spring Boot
CPEs		cpe:/a:redhat:apache_camel_spring_boot:4.8.5
Vendors & Products		Redhat Redhat apache Camel Spring Boot

Fri, 21 Mar 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 21 Mar 2025 03:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-863
References		https://nvd.nist.gov/vuln/detail/CVE-2025-22228 https://www.cve.org/CVERecord?id=CVE-2025-22228
Metrics	threat_severity `None`	threat_severity `Important`

Thu, 20 Mar 2025 18:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-287
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 20 Mar 2025 06:00:00 +0000

Type	Values Removed	Values Added
Description		BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same.
Title		CVE-2025-22228: Spring Security BCryptPasswordEncoder does not enforce maximum password length
References		https://spring.io/security/cve-2025-22228
Metrics		cvssV3_1 `{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}`

MITRE

Status: PUBLISHED

Assigner: vmware

Published: 2025-03-20T05:49:19.275Z

Updated: 2025-03-21T16:09:31.664Z

Reserved: 2025-01-02T04:29:59.191Z

Link: CVE-2025-22228

Vulnrichment

Updated: 2025-03-20T17:47:51.495Z

NVD

Status : Awaiting Analysis

Published: 2025-03-20T06:15:23.087

Modified: 2025-03-20T18:15:18.663

Link: CVE-2025-22228

Redhat

Severity : Important

Publid Date: 2025-03-20T05:49:19Z

Links: CVE-2025-22228 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-22228", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2025-01-02T04:29:59.191Z", "datePublished": "2025-03-20T05:49:19.275Z", "dateUpdated": "2025-03-21T16:09:31.664Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "packageName": "Spring Security", "product": "Spring Security", "vendor": "Spring", "versions": [{"lessThan": "5.7.16", "status": "affected", "version": "5.7.x", "versionType": "Enterprise Support Only"}, {"lessThan": "5.8.18", "status": "affected", "version": "5.8.x", "versionType": "Enterprise Support Only"}, {"lessThan": "6.0.16", "status": "affected", "version": "6.0.x", "versionType": "Enterprise Support Only"}, {"lessThan": "6.1.14", "status": "affected", "version": "6.1.x", "versionType": "Enterprise Support Only"}, {"lessThan": "6.2.10", "status": "affected", "version": "6.2.x", "versionType": "Enterprise Support Only"}, {"lessThan": "6.3.8", "status": "affected", "version": "6.3.x", "versionType": "OSS"}, {"lessThan": "6.4.4", "status": "affected", "version": "6.4.x", "versionType": "OSS"}]}], "datePublic": "2025-03-19T08:44:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<code>BCryptPasswordEncoder.matches(CharSequence,String)</code> will incorrectly return <code>true</code> for passwords larger than 72 characters as long as the first 72 characters are the same. "}], "value": "BCryptPasswordEncoder.matches(CharSequence,String)\u00a0will incorrectly return true\u00a0for passwords larger than 72 characters as long as the first 72 characters are the same."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2025-03-20T05:49:19.275Z"}, "references": [{"url": "https://spring.io/security/cve-2025-22228"}], "source": {"discovery": "UNKNOWN"}, "title": "CVE-2025-22228: Spring Security BCryptPasswordEncoder does not enforce maximum password length", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-287", "lang": "en", "description": "CWE-287 Improper Authentication"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-21T03:55:17.357088Z", "id": "CVE-2025-22228", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-21T16:09:31.664Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-22228", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-03-21T03:55:17.357088Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287 Improper Authentication"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-20T17:47:51.495Z"}}], "cna": {"title": "CVE-2025-22228: Spring Security BCryptPasswordEncoder does not enforce maximum password length", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Spring", "product": "Spring Security", "versions": [{"status": "affected", "version": "5.7.x", "lessThan": "5.7.16", "versionType": "Enterprise Support Only"}, {"status": "affected", "version": "5.8.x", "lessThan": "5.8.18", "versionType": "Enterprise Support Only"}, {"status": "affected", "version": "6.0.x", "lessThan": "6.0.16", "versionType": "Enterprise Support Only"}, {"status": "affected", "version": "6.1.x", "lessThan": "6.1.14", "versionType": "Enterprise Support Only"}, {"status": "affected", "version": "6.2.x", "lessThan": "6.2.10", "versionType": "Enterprise Support Only"}, {"status": "affected", "version": "6.3.x", "lessThan": "6.3.8", "versionType": "OSS"}, {"status": "affected", "version": "6.4.x", "lessThan": "6.4.4", "versionType": "OSS"}], "packageName": "Spring Security", "defaultStatus": "affected"}], "datePublic": "2025-03-19T08:44:00.000Z", "references": [{"url": "https://spring.io/security/cve-2025-22228"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "BCryptPasswordEncoder.matches(CharSequence,String)\u00a0will incorrectly return true\u00a0for passwords larger than 72 characters as long as the first 72 characters are the same.", "supportingMedia": [{"type": "text/html", "value": "<code>BCryptPasswordEncoder.matches(CharSequence,String)</code> will incorrectly return <code>true</code> for passwords larger than 72 characters as long as the first 72 characters are the same. ", "base64": false}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2025-03-20T05:49:19.275Z"}}}, "cveMetadata": {"cveId": "CVE-2025-22228", "state": "PUBLISHED", "dateUpdated": "2025-03-21T16:09:31.664Z", "dateReserved": "2025-01-02T04:29:59.191Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2025-03-20T05:49:19.275Z", "assignerShortName": "vmware"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "BCryptPasswordEncoder.matches(CharSequence,String)\u00a0will incorrectly return true\u00a0for passwords larger than 72 characters as long as the first 72 characters are the same."}], "id": "CVE-2025-22228", "lastModified": "2025-03-20T18:15:18.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "security@vmware.com", "type": "Secondary"}]}, "published": "2025-03-20T06:15:23.087", "references": [{"source": "security@vmware.com", "url": "https://spring.io/security/cve-2025-22228"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:3543", "cpe": "cpe:/a:redhat:apache_camel_spring_boot:4.8.5", "package": "spring-security-core", "product_name": "Red Hat build of Apache Camel 4.8.5 for Spring Boot", "release_date": "2025-04-02T00:00:00Z"}], "bugzilla": {"description": "spring-security-core: Spring Security BCryptPasswordEncoder does not enforce maximum password length", "id": "2353507", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2353507"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "status": "verified"}, "cwe": "CWE-863", "details": ["BCryptPasswordEncoder.matches(CharSequence,String)\u00a0will incorrectly return true\u00a0for passwords larger than 72 characters as long as the first 72 characters are the same.", "A flaw was found in the spring-security-core password encoder. This vulnerability allows incorrect password matching via input manipulation."], "mitigation": {"lang": "en:us", "value": "Red Hat Product Security does not have a recommended mitigation at this time."}, "name": "CVE-2025-22228", "package_state": [{"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Out of support scope", "package_name": "spring-security-core", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Affected", "package_name": "jenkins", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:quarkus:3", "fix_state": "Not affected", "package_name": "quarkus-bom", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Will not fix", "package_name": "spring-security-core", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "package_name": "org.apache.servicemix.bundles.spring-security-core", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "package_name": "spring-security-core", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Will not fix", "package_name": "spring-security-core", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "spring-security-core", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "spring-security-core", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "spring-security-core", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Will not fix", "package_name": "spring-security-core", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Affected", "package_name": "spring-security-core", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:amq_streams:1", "fix_state": "Affected", "package_name": "spring-security-core", "product_name": "streams for Apache Kafka"}], "public_date": "2025-03-20T05:49:19Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-22228\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-22228\nhttps://spring.io/security/cve-2025-22228"], "threat_severity": "Important"}

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object