SB2026052513 - Multiple vulnerabilities in IBM Library Support for Spring
Published: May 25, 2026
Description
This security bulletin contains information about 9 vulnerabilities.
1) Information Exposure Through Timing Discrepancy (CVE-ID: CVE-2026-40972)
CWE-ID: CWE-208 - Information Exposure Through Timing Discrepancy
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows an attacker on an adjacent network to execute arbitrary code.
The vulnerability exists due to an observable timing discrepancy in the comparison of the DevTools remote secret: the time the application takes to reject a request varies with the value submitted. An attacker on the same network as the application can measure response times to recover the secret and execute arbitrary code.
Exploitation is limited to attackers on the same network as the remote application (CVSS AV:A), and successful recovery of the secret allows changed classes to be uploaded to the running application.
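As an added illustration of this failure class (this is not code from Spring Boot DevTools or from the bulletin), the Java below shows a shared-secret check in the leaky form and in a constant-time form. The secret value and class name are constructed for the demo:

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public final class SecretCompare {

    // Leaky: String.equals returns at the first differing character, so the time to
    // reject a guess grows with the length of the prefix it shares with the secret.
    // An attacker on the same network can measure that difference byte by byte.
    static boolean equalsLeaky(String secret, String guess) {
        return secret.equals(guess);
    }

    // Constant-time: hash both sides to a fixed length (so the secret's length is not
    // observable either), then compare with MessageDigest.isEqual, whose running time
    // does not depend on where the two inputs differ.
    static boolean equalsConstantTime(String secret, String guess) {
        return MessageDigest.isEqual(sha256(secret), sha256(guess));
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    public static void main(String[] args) {
        String secret = "s3cr3t-Remote-Secret"; // constructed value for the demo
        String[] guesses = {"s3cr3t-Remote-Secret", "s3cr3t-Remote-Secret!", "wrong", ""};
        for (String g : guesses) {
            boolean ok = equalsConstantTime(secret, g);
            if (ok != equalsLeaky(secret, g)) {
                throw new AssertionError("both comparisons must agree on the verdict");
            }
            System.out.printf("%-25s -> %s%n", "\"" + g + "\"", ok ? "accepted" : "rejected");
        }
    }
}
```

Hashing before the comparison matters because MessageDigest.isEqual returns immediately when the two arrays differ in length; the digest makes both sides the same length regardless of the secret.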
2) Improper access control (CVE-ID: CVE-2026-40973)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information, hijack authenticated users' sessions, or execute arbitrary code.
The vulnerability exists due to improper access control in ApplicationTemp, which uses a predictable temporary directory for persistent session storage without verifying who owns that directory. A local user who takes control of the directory ApplicationTemp uses can disclose sensitive information, hijack the sessions of authenticated users, or execute arbitrary code.
Exploitation requires server.servlet.session.persistent to be set to true, and the attacker's control of the directory must persist across an application restart.
3) Improper validation of certificate with host mismatch (CVE-ID: CVE-2026-40974)
CWE-ID: CWE-297 - Improper Validation of Certificate with Host Mismatch
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows an attacker on an adjacent network to compromise the confidentiality, integrity, and availability of data in transit.
The vulnerability exists due to improper certificate validation in the Cassandra SSL auto-configuration: when an SSL connection to Cassandra is established, the server certificate is not checked against the hostname being contacted (host mismatch, CWE-297). An attacker on the local network who can intercept the connection can present any certificate the client trusts, regardless of the name it was issued for, and read, modify, or drop data in transit.
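The generic JSSE mechanism behind a host-mismatch check is endpoint identification on the SSLEngine. The Java below is an added example, not Spring Boot's Cassandra auto-configuration or the DataStax driver's code: it shows an engine built without that check beside one with it, and a small self-check a deployment can run at startup. The hostname and port are constructed for the demo:

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.security.NoSuchAlgorithmException;

public final class HostnameVerifiedEngine {

    // Vulnerable shape: the engine validates only that the peer certificate chains to
    // a trusted CA. Nothing ties the certificate to the host we intended to reach, so
    // an interceptor holding any trusted certificate passes.
    static SSLEngine engineWithoutHostCheck(SSLContext ctx, String host, int port) {
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        return engine;
    }

    // Hardened shape: enable HTTPS-style endpoint identification, which makes JSSE
    // match the certificate's SAN/CN against the peer host given to createSSLEngine.
    static SSLEngine engineWithHostCheck(SSLContext ctx, String host, int port) {
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters(); // copy of current settings
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    // Startup self-check: refuse to run with an engine that will not verify the host.
    static boolean verifiesHostname(SSLEngine engine) {
        String alg = engine.getSSLParameters().getEndpointIdentificationAlgorithm();
        return "HTTPS".equalsIgnoreCase(alg);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();
        String host = "cassandra.example.internal"; // constructed for the demo
        int port = 9142;
        System.out.println("without endpoint identification: verifies host = "
                + verifiesHostname(engineWithoutHostCheck(ctx, host, port)));
        System.out.println("with endpoint identification:    verifies host = "
                + verifiesHostname(engineWithHostCheck(ctx, host, port)));
    }
}
```

Whatever client library sits on top of the engine, the test is the same: the peer name must be supplied to the engine and the endpoint identification algorithm must be set, otherwise a valid-but-wrong certificate is accepted.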
4) Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (CVE-ID: CVE-2026-40975)
CWE-ID: CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information and compromise integrity of secret-dependent operations.
The vulnerability exists due to the use of a weak pseudorandom number generator in the random value property source when values are generated with ${random.value}. A remote attacker can predict the generated values, disclosing any secret derived from them and compromising the integrity of operations that depend on such secrets.
${random.uuid} is not affected. ${random.int} and ${random.long} should never be used for secrets in any case: they are plain numbers drawn from a small, predictable range.
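To make the CWE-338 point concrete, the Java below (an added example, not code from the property source, and not a claim about which generator it used) recovers the full internal state of java.util.Random from two consecutive nextInt() outputs and predicts the third, then shows the SecureRandom-based token generation a secret should come from. It needs Java 17 for HexFormat:

```java
import java.security.SecureRandom;
import java.util.HexFormat;
import java.util.Random;

public final class PredictableRandom {

    // java.util.Random is a 48-bit linear congruential generator with these constants.
    private static final long MULT = 0x5DEECE66DL;
    private static final long ADD = 0xBL;
    private static final long MASK = (1L << 48) - 1;

    static long step(long state) {
        return (state * MULT + ADD) & MASK;
    }

    // nextInt() returns the top 32 bits of the 48-bit state after one step.
    static int output(long state) {
        return (int) (state >>> 16);
    }

    // out1 pins 32 of the 48 state bits; the missing low 16 bits are brute-forced
    // (65,536 candidates) by checking which one steps to a state that yields out2.
    // Returns the state that produced out2.
    static long recoverState(int out1, int out2) {
        long high = (out1 & 0xFFFFFFFFL) << 16;
        for (long low = 0; low < (1L << 16); low++) {
            long next = step(high | low);
            if (output(next) == out2) {
                return next;
            }
        }
        throw new IllegalStateException("outputs were not consecutive nextInt() calls");
    }

    static int predictNext(long stateAfterOut2) {
        return output(step(stateAfterOut2));
    }

    // What a secret should be built from: CSPRNG bytes, hex-encoded.
    static String secureHexToken(int byteLength) {
        byte[] buf = new byte[byteLength];
        new SecureRandom().nextBytes(buf);
        return HexFormat.of().formatHex(buf);
    }

    public static void main(String[] args) {
        Random weak = new Random();            // seeded from the clock, as an app might do
        int first = weak.nextInt();
        int second = weak.nextInt();
        int predicted = predictNext(recoverState(first, second));
        int actual = weak.nextInt();
        System.out.println("observed " + first + ", " + second
                + " -> predicted next " + predicted + ", actual " + actual
                + (predicted == actual ? " (match)" : " (mismatch)"));
        System.out.println("SecureRandom 256-bit token: " + secureHexToken(32));
    }
}
```

Two observed values are enough because the generator exposes 32 of its 48 state bits per call; anything derived deterministically from such output (hashing it does not help) is predictable to the same degree.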
5) Link following (CVE-ID: CVE-2026-40977)
CWE-ID: CWE-59 - Improper Link Resolution Before File Access ('Link Following')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local privileged user to corrupt one file on the host.
The vulnerability exists due to improper link resolution in ApplicationPidFileWriter, which writes the PID file to a predictable default path. A local user with write access to that location can place a symlink there before the application starts, so that the PID is written over whatever file the symlink points to, corrupting one file on the host.
Exploitation requires the application to be configured to use ApplicationPidFileWriter, and the attacker needs write access to the PID file location (CVSS PR:H).
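Items 2 and 5 are the same local-filesystem failure seen twice: a predictable path under a shared directory is used without checking who owns it or whether it is a symlink. The Java below is an added example (not code from ApplicationTemp or ApplicationPidFileWriter) of the pattern a hardened writer follows on a POSIX filesystem: create or verify an owner-only directory, then create the file inside it with O_EXCL and O_NOFOLLOW semantics. The directory and file names are constructed for the demo:

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.FileAlreadyExistsException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.nio.file.attribute.UserPrincipal;
import java.util.EnumSet;
import java.util.Set;

public final class PrivateFiles {

    private static final Set<PosixFilePermission> OWNER_ONLY = EnumSet.of(
            PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE, PosixFilePermission.OWNER_EXECUTE);

    // Create the directory if absent, then verify it: not a symlink, a real directory,
    // owned by the current user, mode 0700. A pre-existing directory that fails any
    // check is an error, never a fallback, so a squatter's directory is not used.
    static Path privateDirectory(Path dir) throws IOException {
        try {
            Files.createDirectory(dir, PosixFilePermissions.asFileAttribute(OWNER_ONLY));
        } catch (FileAlreadyExistsException alreadyThere) {
            // Something sits at this path (mkdir fails on a symlink too); verify it below.
        }
        if (Files.isSymbolicLink(dir)) {
            throw new IOException(dir + " is a symbolic link");
        }
        if (!Files.isDirectory(dir, LinkOption.NOFOLLOW_LINKS)) {
            throw new IOException(dir + " is not a directory");
        }
        UserPrincipal me = dir.getFileSystem().getUserPrincipalLookupService()
                .lookupPrincipalByName(System.getProperty("user.name"));
        if (!Files.getOwner(dir, LinkOption.NOFOLLOW_LINKS).equals(me)) {
            throw new IOException(dir + " is owned by another user");
        }
        Files.setPosixFilePermissions(dir, OWNER_ONLY); // tighten a looser pre-existing mode
        return dir;
    }

    // Write the PID only inside a verified private directory. CREATE_NEW maps to
    // O_CREAT|O_EXCL (fails if anything, including a dangling symlink, exists) and
    // NOFOLLOW_LINKS to O_NOFOLLOW. A stale regular file from a previous run is removed
    // first; anything else at the path is an error.
    static Path writePidFile(Path dir, String fileName, long pid) throws IOException {
        Path base = privateDirectory(dir.toAbsolutePath().normalize());
        Path file = base.resolve(fileName).normalize();
        if (!base.equals(file.getParent())) {
            throw new IOException("pid file name must stay inside " + base);
        }
        if (Files.exists(file, LinkOption.NOFOLLOW_LINKS)) {
            if (!Files.isRegularFile(file, LinkOption.NOFOLLOW_LINKS)) {
                throw new IOException(file + " exists and is not a regular file");
            }
            Files.delete(file);
        }
        try (OutputStream out = Files.newOutputStream(file,
                StandardOpenOption.CREATE_NEW, StandardOpenOption.WRITE, LinkOption.NOFOLLOW_LINKS)) {
            out.write((pid + "\n").getBytes(StandardCharsets.US_ASCII));
        }
        return file;
    }

    public static void main(String[] args) throws IOException {
        // Demo location: a per-user directory under java.io.tmpdir (constructed for the example).
        Path dir = Paths.get(System.getProperty("java.io.tmpdir"),
                "myapp-" + System.getProperty("user.name"));
        Path pid = writePidFile(dir, "application.pid", ProcessHandle.current().pid());
        System.out.println("wrote " + pid + " containing " + Files.readString(pid).trim());
    }
}
```

The same privateDirectory check is what a persistent-session store needs before it trusts a directory under the temp path: ownership, mode and link status are verified on the path the process will actually use, not assumed from the name.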
6) Observable discrepancy (CVE-ID: CVE-2026-22746)
CWE-ID: CWE-203 - Observable discrepancy
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to an observable timing discrepancy in DaoAuthenticationProvider when it processes authentication requests for disabled, expired, or locked users: such requests take measurably different time than requests for active accounts. A remote attacker can submit authentication attempts for different usernames and compare response times to learn the status of the corresponding accounts.
The issue is exposed only when applications rely on the UserDetails isEnabled, isAccountNonExpired, or isAccountNonLocked attributes to enable, expire, or lock users.
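The Java below is an added example (not DaoAuthenticationProvider's code) of the ordering mistake behind this kind of discrepancy and its fix: a provider that consults the account-status flags before the expensive password hash answers much faster for a locked account, while one that always pays for the hash rejects both in the same time. PBKDF2 from the JDK stands in for the password encoder; the accounts, salt and passwords are constructed for the demo and the record type needs Java 16+:

```java
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;

public final class StatusTiming {

    // Stand-in for the UserDetails flags the bulletin names (constructed for the example).
    record Account(String username, byte[] salt, byte[] hash,
                   boolean enabled, boolean accountNonLocked, boolean accountNonExpired) {}

    private static final int ITERATIONS = 200_000;

    static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(new PBEKeySpec(password, salt, ITERATIONS, 256)).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    // Leaky ordering: status flags are consulted before the password is hashed, so a
    // disabled, locked or expired account is rejected almost instantly while an active
    // one pays for a full PBKDF2 run. The response time reveals the account's status.
    static boolean authenticateLeaky(Account acct, char[] password) {
        if (!acct.enabled() || !acct.accountNonLocked() || !acct.accountNonExpired()) {
            return false;
        }
        return MessageDigest.isEqual(acct.hash(), pbkdf2(password, acct.salt()));
    }

    // Uniform ordering: always perform the hash, then apply the flags, so a rejection
    // costs the same whether or not the account is active.
    static boolean authenticateUniform(Account acct, char[] password) {
        boolean passwordOk = MessageDigest.isEqual(acct.hash(), pbkdf2(password, acct.salt()));
        boolean statusOk = acct.enabled() && acct.accountNonLocked() && acct.accountNonExpired();
        return passwordOk && statusOk;
    }

    static long timeMicros(Runnable r) {
        long t0 = System.nanoTime();
        r.run();
        return (System.nanoTime() - t0) / 1_000;
    }

    public static void main(String[] args) {
        byte[] salt = "demo-salt-not-for-production".getBytes(StandardCharsets.UTF_8);
        byte[] hash = pbkdf2("correct horse battery staple".toCharArray(), salt);
        Account active = new Account("alice", salt, hash, true, true, true);
        Account locked = new Account("bob", salt, hash, true, false, true);
        char[] wrong = "wrong password".toCharArray();
        pbkdf2(wrong, salt); // warm-up so the first measurement is not skewed by class loading
        for (Account a : new Account[] {active, locked}) {
            System.out.printf("%-5s leaky=%7dus  uniform=%7dus%n", a.username(),
                    timeMicros(() -> authenticateLeaky(a, wrong)),
                    timeMicros(() -> authenticateUniform(a, wrong)));
        }
    }
}
```

The leaky column differs by roughly the cost of one hash between the two accounts; the uniform column does not. The same principle applies to unknown usernames, which should be hashed against a dummy value rather than short-circuited.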
7) Configuration (CVE-ID: CVE-2026-22748)
CWE-ID: CWE-16 - Configuration
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to have a JWT from an unexpected issuer accepted by the application.
The vulnerability exists due to a misleading security configuration in NimbusJwtDecoder#withIssuerLocation and NimbusReactiveJwtDecoder#withIssuerLocation: when a decoder is built this way without a separate OAuth2TokenValidator<Jwt>, the issuer of the presented token is not validated. A remote user can present a JWT with an unexpected issuer and have it pass decoding.
The issue arises because issuer validation may be assumed to be enabled automatically when using withIssuerLocation, whereas it must be configured explicitly.
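The Java configuration below is an added example, not code from Spring Security or the bulletin. It shows the decoder shape the bulletin warns about next to one with an explicit issuer validator attached; the issuer URL and class name are constructed for the demo, and the Spring Security classes used (NimbusJwtDecoder, JwtIssuerValidator, JwtTimestampValidator, DelegatingOAuth2TokenValidator) are the public ones from spring-security-oauth2-jose:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtIssuerValidator;
import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
public class JwtDecoderConfig {

    // Hypothetical issuer for the example.
    private static final String ISSUER = "https://issuer.example.com/realms/app";

    // The shape the bulletin describes: the JWK Set is discovered from the issuer's
    // metadata, but no separate OAuth2TokenValidator<Jwt> is attached, so the token's
    // "iss" claim is not compared with ISSUER. Kept here only to show the difference.
    static JwtDecoder decoderWithoutIssuerCheck() {
        return NimbusJwtDecoder.withIssuerLocation(ISSUER).build();
    }

    // Hardened: attach a validator chain that rejects any token whose "iss" claim is
    // not exactly ISSUER, alongside the usual exp/nbf timestamp checks.
    @Bean
    JwtDecoder jwtDecoder() {
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withIssuerLocation(ISSUER).build();
        OAuth2TokenValidator<Jwt> validators = new DelegatingOAuth2TokenValidator<>(
                new JwtTimestampValidator(),
                new JwtIssuerValidator(ISSUER));
        decoder.setJwtValidator(validators);
        return decoder;
    }
}
```

JwtValidators.createDefaultWithIssuer(ISSUER) builds the same timestamp-plus-issuer chain in one call, and the reactive variant is the same pattern on the NimbusReactiveJwtDecoder returned by NimbusReactiveJwtDecoder.withIssuerLocation(...).build(). A unit test that feeds the decoder a token with a different iss claim and expects a JwtValidationException is the cheapest way to keep the check from silently disappearing.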
8) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2026-22751)
CWE-ID: CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to establish multiple authenticated sessions from a single one-time token.
The vulnerability exists due to a time-of-check time-of-use race condition in JdbcOneTimeTokenService when concurrent requests reach the authentication endpoint: the token is checked and consumed in separate steps, so several requests can pass the check before any of them consumes the token. A remote attacker can send concurrent authentication requests carrying the same valid one-time token and obtain an authenticated session from each of them.
Only applications that explicitly configure one-time token login with JdbcOneTimeTokenService are vulnerable. The default InMemoryOneTimeTokenService is not affected.
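The Java below is an added example (not JdbcOneTimeTokenService's code) of the race and of the standard fix for a database-backed token store: let the DELETE be the check, and grant the session only to the one caller that actually deleted the row. It uses Spring's JdbcTemplate; the one_time_tokens table and its columns are assumed for the demo:

```java
import org.springframework.jdbc.core.JdbcTemplate;

import java.sql.Timestamp;
import java.time.Instant;
import java.util.List;
import java.util.Optional;

public final class OneTimeTokenConsumer {

    private final JdbcTemplate jdbc;

    OneTimeTokenConsumer(JdbcTemplate jdbc) {
        this.jdbc = jdbc;
    }

    // Check-then-act (the TOCTOU shape): N requests arriving together can all find
    // the row before any of them deletes it, and every one of them returns a username,
    // so every one of them gets a session.
    Optional<String> consumeRacy(String tokenValue) {
        List<String> users = jdbc.queryForList(
                "SELECT username FROM one_time_tokens WHERE token_value = ? AND expires_at > ?",
                String.class, tokenValue, Timestamp.from(Instant.now()));
        if (users.isEmpty()) {
            return Optional.empty();
        }
        jdbc.update("DELETE FROM one_time_tokens WHERE token_value = ?", tokenValue);
        return Optional.of(users.get(0));
    }

    // Act-then-decide: the row is read only to learn the username, and the DELETE's
    // update count decides. The database serializes writes to the row, so exactly one
    // caller sees 1; concurrent duplicates see 0 and are refused even though they read
    // the username a moment earlier. Expiry is enforced inside the same statement.
    Optional<String> consumeAtomic(String tokenValue) {
        List<String> users = jdbc.queryForList(
                "SELECT username FROM one_time_tokens WHERE token_value = ?",
                String.class, tokenValue);
        if (users.isEmpty()) {
            return Optional.empty();
        }
        int deleted = jdbc.update(
                "DELETE FROM one_time_tokens WHERE token_value = ? AND expires_at > ?",
                tokenValue, Timestamp.from(Instant.now()));
        return deleted == 1 ? Optional.of(users.get(0)) : Optional.empty();
    }
}
```

On databases that support it, a single DELETE ... RETURNING username removes the separate read as well; either way the property to test is that firing the same token at consumeAtomic from several threads yields exactly one non-empty result.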
9) Input validation error (CVE-ID: CVE-2026-22752)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to conduct cross-site scripting, escalate privileges, or trigger server-side request forgery.
The vulnerability exists due to improper input validation in the dynamic client registration endpoints, which accept crafted client metadata fields. A remote user who is permitted to register clients (CVSS PR:L) can submit a registration with crafted metadata to conduct cross-site scripting, escalate privileges, or trigger server-side request forgery.
Only deployments that have explicitly enabled dynamic client registration are affected.
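The Java below is an added example of the kind of metadata validation a registration endpoint needs; it is not code from the affected product and makes no claim about which fields were mishandled there. It restricts client_name to a safe character set (the XSS sink when the name is rendered), requires absolute https redirect URIs without fragments, and refuses outbound URIs such as jwks_uri that point at loopback, private or link-local literals (the SSRF sink when the server later fetches them). The metadata samples are constructed; the validator needs Java 16+ for pattern matching:

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

public final class ClientMetadataValidator {

    private static final Pattern SAFE_CLIENT_NAME = Pattern.compile("^[\\p{L}\\p{N} ._-]{1,64}$");
    private static final List<String> OUTBOUND_URI_FIELDS = List.of("jwks_uri", "logo_uri", "client_uri");

    // Returns the list of problems; an empty list means the metadata is acceptable.
    static List<String> validate(Map<String, Object> metadata) {
        List<String> problems = new ArrayList<>();
        Object name = metadata.get("client_name");
        if (name != null && !SAFE_CLIENT_NAME.matcher(name.toString()).matches()) {
            problems.add("client_name contains characters outside the allowed set");
        }
        Object redirects = metadata.get("redirect_uris");
        if (redirects instanceof List<?> list && !list.isEmpty()) {
            for (Object r : list) {
                checkRedirect(String.valueOf(r), problems);
            }
        } else {
            problems.add("redirect_uris must be a non-empty list");
        }
        for (String key : OUTBOUND_URI_FIELDS) {
            Object v = metadata.get(key);
            if (v != null) {
                checkOutboundUri(key, v.toString(), problems);
            }
        }
        return problems;
    }

    private static void checkRedirect(String value, List<String> problems) {
        URI uri;
        try {
            uri = new URI(value);
        } catch (URISyntaxException e) {
            problems.add("redirect_uri is not a valid URI: " + value);
            return;
        }
        if (!uri.isAbsolute() || uri.getHost() == null) {
            problems.add("redirect_uri must be absolute with a host: " + value);
        } else if (!"https".equalsIgnoreCase(uri.getScheme())) {
            problems.add("redirect_uri scheme not allowed: " + value);
        }
        if (uri.getFragment() != null) {
            problems.add("redirect_uri must not carry a fragment: " + value);
        }
    }

    // URIs the server itself will fetch are SSRF sinks: https only, a host is required,
    // and literal internal addresses are refused. Rebinding and alternate numeric forms
    // (decimal, octal) are not covered here; a resolve-time check on the socket address
    // is the complement to this syntactic one.
    private static void checkOutboundUri(String key, String value, List<String> problems) {
        URI uri;
        try {
            uri = new URI(value);
        } catch (URISyntaxException e) {
            problems.add(key + " is not a valid URI: " + value);
            return;
        }
        if (!"https".equalsIgnoreCase(uri.getScheme()) || uri.getHost() == null) {
            problems.add(key + " must be an absolute https URI with a host: " + value);
            return;
        }
        if (isLiteralInternalHost(uri.getHost())) {
            problems.add(key + " points at a loopback/private/link-local address: " + value);
        }
    }

    static boolean isLiteralInternalHost(String host) {
        String h = host.toLowerCase();
        if (h.equals("localhost") || h.endsWith(".localhost")) {
            return true;
        }
        if (h.startsWith("[")) { // IPv6 literal as returned by URI.getHost()
            return h.startsWith("[::1]") || h.startsWith("[::]") || h.startsWith("[fc")
                    || h.startsWith("[fd") || h.startsWith("[fe80");
        }
        String[] parts = h.split("\\.");
        if (parts.length != 4) {
            return false;
        }
        int[] o = new int[4];
        try {
            for (int i = 0; i < 4; i++) {
                o[i] = Integer.parseInt(parts[i]);
            }
        } catch (NumberFormatException e) {
            return false;
        }
        return o[0] == 10 || o[0] == 127 || o[0] == 0
                || (o[0] == 169 && o[1] == 254)
                || (o[0] == 172 && o[1] >= 16 && o[1] <= 31)
                || (o[0] == 192 && o[1] == 168);
    }

    public static void main(String[] args) {
        Map<String, Object> crafted = Map.of(
                "client_name", "<script>alert(1)</script>",
                "redirect_uris", List.of("https://app.example.com/cb", "javascript:alert(1)"),
                "jwks_uri", "https://169.254.169.254/latest/meta-data/");
        System.out.println("crafted: " + validate(crafted));
        Map<String, Object> sane = Map.of(
                "client_name", "Example App",
                "redirect_uris", List.of("https://app.example.com/cb"),
                "jwks_uri", "https://app.example.com/.well-known/jwks.json");
        System.out.println("sane: " + validate(sane));
    }
}
```

Privilege escalation through metadata (for example a registration that requests scopes or grant types the registrar should not be able to grant) is a policy check on top of this syntactic one, and belongs in the same validate() pass so that a registration is accepted or rejected as a whole.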
Remediation
Install the update from the vendor's website.