Bug 2162206 (CVE-2022-31692)

Summary: CVE-2022-31692 spring-security: Authorization rules can be bypassed via forward or include dispatcher types in Spring Security
Product: [Other] Security Response
Reporter: Avinash Hanwate <ahanwate>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: abenaiss, aileenc, alampare, alazarot, anstephe, asoldano, ataylor, avibelli, balejosg, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, clement.escoffier, dandread, darran.lofthouse, dfreiber, dhanak, dkreling, dosoudil, emingora, fjuma, fmongiar, gjospin, gmalinko, gsmet, hamadhan, ibek, ivassile, iweiss, janstey, jburrell, jmartisk, jnethert, jpavlik, jpoth, jrokos, jross, jwon, kverlaen, lbacciot, lgao, lthon, max.andersen, mizdebsk, mnovotny, mokumar, mosmerov, msochure, msvehla, nwallace, pdelbell, pdrozd, peholase, pgallagh, pjindal, pmackay, probinso, pskopek, rguimara, rogbas, rrajasek, rruss, rstancel, rsvoboda, sbiarozk, sdouglas, smaestri, sthorger, tcunning, tom.jenkinson, tqvarnst, vkumar, yfang
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: spring security 5.7.5, spring security 5.6.9
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the spring-security framework. Spring Security could allow a remote attacker to bypass security restrictions caused by an issue when using forward or include dispatcher types. By sending a specially-crafted request, an attacker can bypass authorization rules.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-04-12 17:36:18 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2162232, 2162233, 2166820, 2178889, 2178890
Bug Blocks: 2162216

Description Avinash Hanwate 2023-01-19 05:17:50 UTC
Spring Security, versions 5.7 prior to 5.7.5 and 5.6 prior to 5.6.9 could be susceptible to authorization rules bypass via forward or include dispatcher types. Specifically, an application is vulnerable when all of the following are true:

- The application expects that Spring Security applies security to forward and include dispatcher types.
- The application uses the AuthorizationFilter either manually or via the authorizeHttpRequests() method.
- The application configures the FilterChainProxy to apply to forward and/or include requests (e.g. spring.security.filter.dispatcher-types = request, error, async, forward, include).
- The application may forward or include the request to a higher privilege-secured endpoint.
- The application configures Spring Security to apply to every dispatcher type via authorizeHttpRequests().shouldFilterAllDispatcherTypes(true).

https://tanzu.vmware.com/security/cve-2022-31692
https://security.netapp.com/advisory/ntap-20221215-0010/
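For readers auditing their own applications against the conditions listed in the description, the following is an added illustration (not from the bug report, Red Hat, or the Spring Security project) of a Spring Security 5.7-style Java configuration that meets those conditions: the AuthorizationFilter via authorizeHttpRequests(), shouldFilterAllDispatcherTypes(true), and a Boot property widening the filter to FORWARD and INCLUDE dispatches. The class name and the /internal/admin/** path are hypothetical placeholders.

```java
// Added example (not from the bug report or the Spring Security project).
// Shows the configuration shape described in CVE-2022-31692's conditions so an
// auditor can recognise it; the class name and URL paths are hypothetical.
//
// Companion Boot setting from the description (application.properties):
//   spring.security.filter.dispatcher-types=request,error,async,forward,include
// This routes FORWARD and INCLUDE dispatches through the FilterChainProxy as well.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class DispatcherTypeSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Condition: authorization is enforced by the AuthorizationFilter,
            // registered here through authorizeHttpRequests().
            .authorizeHttpRequests(authorize -> authorize
                // Condition: the application relies on these rules being
                // evaluated for every dispatcher type, FORWARD and INCLUDE included.
                .shouldFilterAllDispatcherTypes(true)
                // Condition: a higher-privilege endpoint that a less privileged
                // handler may forward to or include (hypothetical path).
                .antMatchers("/internal/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated()
            )
            .httpBasic();
        return http.build();
    }
}
```

On the affected versions named in the description, an application configured this way does not get the protection on FORWARD and INCLUDE dispatches that the configuration appears to promise; the remediation recorded in Fixed In Version is to move to Spring Security 5.7.5 or 5.6.9 (or later). A useful regression check after upgrading is a MockMvc request against the privileged path with the dispatcher type set to FORWARD, asserting that it is rejected rather than served.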

Comment 7 Avinash Hanwate 2023-03-16 04:13:19 UTC
Created log4j tracking bugs for this issue:

Affects: fedora-36 [bug 2178889]
Affects: fedora-37 [bug 2178890]

Comment 8 errata-xmlrpc 2023-04-12 11:58:53 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2023:1655 https://access.redhat.com/errata/RHSA-2023:1655

Comment 9 Product Security DevOps Team 2023-04-12 17:36:13 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-31692

Comment 13 errata-xmlrpc 2023-06-29 20:08:14 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.12

Via RHSA-2023:3954 https://access.redhat.com/errata/RHSA-2023:3954