Bug 2162206 (CVE-2022-31692) - CVE-2022-31692 spring-security: Authorization rules can be bypassed via forward or include dispatcher types in Spring Security
Summary: CVE-2022-31692 spring-security: Authorization rules can be bypassed via forward or include dispatcher types in Spring Security
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-31692
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2162232 2162233 2166820 2178889 2178890
Blocks: 2162216
Reported: 2023-01-19 05:17 UTC by Avinash Hanwate
Modified: 2023-11-13 11:47 UTC (History)
CC List: 77 users

Fixed In Version: spring security 5.7.5, spring security 5.6.9
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the spring-security framework. Spring Security could allow a remote attacker to bypass security restrictions caused by an issue when using forward or include dispatcher types. By sending a specially-crafted request, an attacker can bypass authorization rules.
Clone Of:
Environment:
Last Closed: 2023-04-12 17:36:18 UTC
Embargoed:


Links
System ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata RHSA-2023:1655 | 0 | None | None | None | 2023-04-12 11:58:56 UTC
Red Hat Product Errata RHSA-2023:3954 | 0 | None | None | None | 2023-06-29 20:08:18 UTC

Description Avinash Hanwate 2023-01-19 05:17:50 UTC
Spring Security, versions 5.7 prior to 5.7.5 and 5.6 prior to 5.6.9 could be susceptible to authorization rules bypass via forward or include dispatcher types. Specifically, an application is vulnerable when all of the following are true:

- The application expects that Spring Security applies security to forward and include dispatcher types.
- The application uses the AuthorizationFilter either manually or via the authorizeHttpRequests() method.
- The application configures the FilterChainProxy to apply to forward and/or include requests (e.g. spring.security.filter.dispatcher-types = request, error, async, forward, include).
- The application may forward or include the request to a higher privilege-secured endpoint.
- The application configures Spring Security to apply to every dispatcher type via authorizeHttpRequests().shouldFilterAllDispatcherTypes(true)

https://tanzu.vmware.com/security/cve-2022-31692
https://security.netapp.com/advisory/ntap-20221215-0010/
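
The following is an added example, not code from this bug report or from the Spring Security project. It assembles the configuration the description lists as the vulnerable combination (AuthorizationFilter via authorizeHttpRequests(), shouldFilterAllDispatcherTypes(true), the security filter registered for forward/include, and a public endpoint that forwards into a privileged one) and adds an integration test for the behaviour the application expects: the forwarded dispatch to the admin endpoint is authorized on its own. Assumed, and not taken from the page: a Spring Boot 2.7 / Spring Security 5.7-line build (javax.servlet), JUnit 5, the paths /landing and /admin/secrets, the role name and the test credentials.

```java
// Added example (not from the Red Hat bug or the Spring Security project).
// File: ForwardAuthorizationTest.java. Assumed: Spring Boot 2.7 / Spring Security 5.7 line,
// JUnit 5, and the endpoint paths, role and credentials used below.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.SpringBootConfiguration;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.web.client.TestRestTemplate;
import org.springframework.context.annotation.Bean;
import org.springframework.http.ResponseEntity;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertTrue;

@SpringBootTest(
        classes = ForwardAuthorizationTest.App.class,
        webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT,
        // Condition from the description: the security filter chain is also applied to
        // FORWARD and INCLUDE dispatches, not only REQUEST/ERROR/ASYNC (Boot's default).
        properties = "spring.security.filter.dispatcher-types=request,error,async,forward,include")
public class ForwardAuthorizationTest {

    @SpringBootConfiguration
    @EnableAutoConfiguration
    static class App {
        @Bean
        SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
            http.httpBasic(Customizer.withDefaults())
                .authorizeHttpRequests(authz -> authz
                    // Conditions from the description: AuthorizationFilter installed through
                    // authorizeHttpRequests() and told to run on every dispatcher type.
                    .shouldFilterAllDispatcherTypes(true)
                    .antMatchers("/admin/**").hasRole("ADMIN")
                    .anyRequest().permitAll());
            return http.build();
        }

        @Bean
        UserDetailsService users() {
            // Assumed test account; {noop} avoids needing a PasswordEncoder in the example.
            return new InMemoryUserDetailsManager(
                    User.withUsername("admin").password("{noop}admin-pw").roles("ADMIN").build());
        }

        @Bean
        LandingController landingController() { return new LandingController(); }
    }

    @RestController
    static class LandingController {
        // Public endpoint that forwards (a FORWARD dispatch) into the admin area: the
        // "may forward or include the request to a higher privilege-secured endpoint" condition.
        @GetMapping("/landing")
        void landing(HttpServletRequest req, HttpServletResponse res)
                throws ServletException, IOException {
            req.getRequestDispatcher("/admin/secrets").forward(req, res);
        }

        @GetMapping("/admin/secrets")
        String secrets() { return "ADMIN-ONLY"; }
    }

    @Autowired
    TestRestTemplate rest;

    @Test
    void anonymousForwardIntoAdminAreaIsDenied() {
        // What the application expects: the forwarded dispatch is authorized on its own, so an
        // anonymous caller of /landing never receives the admin-only body. Expected to pass on
        // the fixed versions (5.7.5 / 5.6.9); on an affected build this is the check to run.
        ResponseEntity<String> r = rest.getForEntity("/landing", String.class);
        assertTrue(r.getStatusCode().is4xxClientError(), "expected 401/403, got " + r.getStatusCode());
        assertTrue(r.getBody() == null || !r.getBody().contains("ADMIN-ONLY"));
    }

    @Test
    void adminForwardIntoAdminAreaIsAllowed() {
        // Control case: the same forward succeeds for a caller who holds ROLE_ADMIN.
        ResponseEntity<String> r = rest.withBasicAuth("admin", "admin-pw")
                .getForEntity("/landing", String.class);
        assertEquals("ADMIN-ONLY", r.getBody());
    }
}
```

The test runs against a real embedded servlet container rather than MockMvc because the point is the container-level FORWARD dispatch re-entering the filter chain; MockMvc does not perform forwards. Before relying on it, confirm which spring-security-web version is actually on the classpath (for example with `mvn dependency:tree` or `gradle dependencies`) and compare it against the Fixed In Version field above.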

Comment 7 Avinash Hanwate 2023-03-16 04:13:19 UTC
Created log4j tracking bugs for this issue:

Affects: fedora-36 [bug 2178889]
Affects: fedora-37 [bug 2178890]

Comment 8 errata-xmlrpc 2023-04-12 11:58:53 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2023:1655 https://access.redhat.com/errata/RHSA-2023:1655

Comment 9 Product Security DevOps Team 2023-04-12 17:36:13 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-31692

Comment 13 errata-xmlrpc 2023-06-29 20:08:14 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.12

Via RHSA-2023:3954 https://access.redhat.com/errata/RHSA-2023:3954

