.. _vulnerabilityManagement_skip_registry_33x_CVE-2025-22228:

CVE-2025-22228
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Data: 2025-04-03

Severity: High

CVSS Score:  7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

Riferimenti:  

- `https://nvd.nist.gov/vuln/detail/CVE-2025-22228 <https://nvd.nist.gov/vuln/detail/CVE-2025-22228>`_
- `https://ossindex.sonatype.org/vulnerability/CVE-2025-22228 <https://ossindex.sonatype.org/vulnerability/CVE-2025-22228>`_
- `https://spring.io/security/cve-2025-22228 <https://spring.io/security/cve-2025-22228>`_

Libreria: org.springframework.security:spring-security-crypto <= 5.8.17

**Descrizione**

CWE-287: Improper Authentication

BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same.

**Falso Positivo per GovWay**

Nel progetto viene utilizzata una versione ricompilata del jar:

- spring-security-crypto-5.8.16-gov4j-1.jar

La tag version '5.8.16 è stata modificata per riportare il `contenuto delle modifiche <https://github.com/spring-projects/spring-security/commit/46f0dc6dfc8402cd556c598fdf2d31f9d46cdbf3.diff>`_ evidenziate nel commit `46f0dc6 <https://github.com/spring-projects/spring-security/commit/46f0dc6dfc8402cd556c598fdf2d31f9d46cdbf3>`_ sul progetto github `spring-projects/spring-security <https://github.com/spring-projects/spring-security>`_.

All'interno dell'archivio jar è possibile trovare il file diff (crypto.patch) applicato sui sorgenti del tag '5.8.16' oltre ai sorgenti '\.java' della classe modificata.

Configuration File: `false-positive.xml <https://raw.githubusercontent.com/link-it/govway/master/mvn/dependencies/owasp/falsePositives/CVE-2025-22228.xml>`_