{
  "_class" : "io.jenkins.plugins.analysis.core.restapi.ReportApi",
  "issues" : [
    {
      "addedAt" : 0,
      "authorEmail" : "-",
      "authorName" : "-",
      "baseName" : "spring-security-web-5.8.16.jar",
      "category" : "",
      "columnEnd" : 0,
      "columnStart" : 0,
      "commit" : "-",
      "description" : "",
      "fileName" : "/usr/local/tomcat/webapps/govway.war/WEB-INF/lib/spring-security-web-5.8.16.jar",
      "fingerprint" : "FALLBACK-db203dab",
      "lineEnd" : 1,
      "lineStart" : 1,
      "message" : "CVE-2026-22732: LanguageSpecificPackageVulnerability\u000a\u000aSpring Security: Spring Security: Security policy bypass and information disclosure due to unwritten HTTP headers\u000a\u000aFor additional help see: **Vulnerability CVE-2026-22732**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|CRITICAL|org.springframework.security:spring-security-web|6.5.9, 7.0.4|[CVE-2026-22732](https://avd.aquasec.com/nvd/cve-2026-22732)|\u000a\u000aWhen applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. \u000aThis issue affects Spring Security: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3.\u000a\u000aPackage: org.springframework.security:spring-security-web\u000aInstalled Version: 5.8.16\u000aVulnerability CVE-2026-22732\u000aSeverity: CRITICAL\u000aFixed Version: 6.5.9, 7.0.4\u000aLink: [CVE-2026-22732](https://avd.aquasec.com/nvd/cve-2026-22732)",
      "moduleName" : "",
      "origin" : "trivy",
      "originName" : "Trivy Security Scanner",
      "packageName" : "-",
      "reference" : "1395",
      "severity" : "HIGH",
      "toString" : "spring-security-web-5.8.16.jar(1,0): CVE-2026-22732: : CVE-2026-22732: LanguageSpecificPackageVulnerability\u000a\u000aSpring Security: Spring Security: Security policy bypass and information disclosure due to unwritten HTTP headers\u000a\u000aFor additional help see: **Vulnerability CVE-2026-22732**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|CRITICAL|org.springframework.security:spring-security-web|6.5.9, 7.0.4|[CVE-2026-22732](https://avd.aquasec.com/nvd/cve-2026-22732)|\u000a\u000aWhen applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. \u000aThis issue affects Spring Security: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3.\u000a\u000aPackage: org.springframework.security:spring-security-web\u000aInstalled Version: 5.8.16\u000aVulnerability CVE-2026-22732\u000aSeverity: CRITICAL\u000aFixed Version: 6.5.9, 7.0.4\u000aLink: [CVE-2026-22732](https://avd.aquasec.com/nvd/cve-2026-22732)",
      "type" : "CVE-2026-22732"
    }
  ],
  "size" : 1,
  "toString" : "1 warning (high: 1)"
}