=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN327
_____________________________________________________________________

DATE                : 23/03/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Spring Security versions prior
                     to 1.7-rc5, 1.6.14, 1.5.14.

=====================================================================
https://spring.io/security/cve-2026-22732/
_____________________________________________________________________

CVE-2026-22732: Under Some Conditions Spring Security HTTP Headers
Are Not Written

CRITICAL | MARCH 19, 2026 | CVE-2026-22732


Description

When an application specifies HTTP response headers for a servlet
application using Spring Security, those headers may, under some
conditions, not be written. This can expose the application to
various attacks, including the exposure of sensitive data through
caching mechanisms.
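As an added check (not part of this advisory or of Spring Security itself), the following Python audits a captured HTTP response against the headers Spring Security writes by default for servlet applications, so a missing Cache-Control/Pragma/Expires set, the failure mode this advisory describes, is reported; the raw responses are constructed samples.

```python
from typing import Dict, List, Optional

# Headers Spring Security writes by default for servlet applications.
# Strict-Transport-Security is only written on HTTPS requests, so it is
# checked for presence only (its max-age is deployment-specific).
EXPECTED: Dict[str, Optional[str]] = {
    "cache-control": "no-cache, no-store, max-age=0, must-revalidate",
    "pragma": "no-cache",
    "expires": "0",
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
}

def parse_head(raw: str) -> Dict[str, str]:
    """Parse the head of a raw HTTP response into a lower-cased header map."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:   # skip the status line
        if not line.strip():
            break                                # blank line ends the head
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def missing_headers(headers: Dict[str, str], https: bool = False) -> List[str]:
    """Return findings for expected headers that are absent or have another value."""
    expected = dict(EXPECTED)
    if https:
        expected["strict-transport-security"] = None  # presence only
    findings: List[str] = []
    for name, value in expected.items():
        actual = headers.get(name)
        if actual is None:
            findings.append(f"{name}: missing")
        elif value is not None and actual.lower() != value.lower():
            findings.append(f"{name}: unexpected value {actual!r}")
    return findings

# Constructed samples: one response with the default headers, one without.
GOOD = """HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Content-Type: application/json

{"ok": true}"""

BAD = """HTTP/1.1 200 OK
Content-Type: application/json

{"ok": true}"""

if __name__ == "__main__":
    for label, raw in (("good", GOOD), ("bad", BAD)):
        print(label, missing_headers(parse_head(raw)) or "all default headers present")
```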


Affected Spring Products and Versions

Spring Security:

    5.7.0 - 5.7.21
    5.8.0 - 5.8.23
    6.3.0 - 6.3.14
    6.4.0 - 6.4.14
    6.5.0 - 6.5.8
    7.0.0 - 7.0.3
    Older, unsupported versions may also be affected


Mitigation

Users of affected versions should upgrade to the corresponding fixed
version.

Affected version(s)    Fix version    Availability
5.7.21                 5.7.22         Enterprise Support Only
5.8.23                 5.8.24         Enterprise Support Only
6.3.14                 6.3.15         Enterprise Support Only
6.4.14                 6.4.15         Enterprise Support Only
6.5.8                  6.5.9          OSS
7.0.3                  7.0.4          OSS


Credit

The issue was identified and responsibly reported by Wyfrel.


References

    https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N&version=3.1

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================