.. _vulnerabilityManagement_securityAdvisory_2025_CVE-2025-22228:

CVE-2025-22228
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: 2025-03-20

Severity: High

CVSS Score: 7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

References:

- https://nvd.nist.gov/vuln/detail/CVE-2025-22228
- https://ossindex.sonatype.org/vulnerability/CVE-2025-22228
- https://spring.io/security/cve-2025-22228

Library: org.springframework.security:spring-security-crypto <= 5.8.17

**Description**

CWE-287: Improper Authentication

``BCryptPasswordEncoder.matches(CharSequence,String)`` will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same.

**GovWay**

Affected versions: <= 3.3.16

Fixed in: 3.3.16.p1