Bug 2354599 (CVE-2025-22223)

Summary: CVE-2025-22223 spring-security: authorization bypass via incorrectly locating method security annotations on parameterized types or methods
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
CC: anstephe, asoldano, ataylor, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, cdewolf, chfoley, clement.escoffier, cmiranda, dandread, darran.lofthouse, dhanak, dkreling, dosoudil, drichtar, ecerquei, fjuma, fmariani, gmalinko, gsmet, ibek, istudens, ivassile, iweiss, janstey, jkoops, jmartisk, jpoth, jrokos, jscholz, kaycoth, kverlaen, lgao, lthon, manderse, mnovotny, mosmerov, msochure, msvehla, nwallace, olubyans, pcongius, pdelbell, pdrozd, peholase, pesilva, pgallagh, pjindal, pmackay, porcelli, probinso, pskopek, rguimara, rmartinc, rowaters, rruss, rstancel, rstepani, rsvoboda, sausingh, sbiarozk, smaestri, sthorger, swoodman, tcunning, tom.jenkinson, tqvarnst, yfang
Doc Text:
A flaw was found in the Spring Security framework. In certain configurations, Spring Security does not correctly locate method security annotations on parameterized types or methods, so the authorization check those annotations declare is not applied to the call. This can be exploited as an authorization bypass.

Description OSIDB Bzimport 2025-03-24 18:01:44 UTC
Spring Security 6.4.0 through 6.4.3 may not correctly locate method security annotations (such as @PreAuthorize) on parameterized types or methods. Where the annotation is not found, the annotated method is invoked without the authorization check it declares, which is an authorization bypass.

You are not affected if any of the following holds:
- you are not using @EnableMethodSecurity, or
- you do not have method security annotations on parameterized types or methods, or
- all method security annotations are attached to the target methods themselves (rather than only to a method of a parameterized supertype or to a generic method declaration).

Users of affected versions should upgrade to Spring Security 6.4.4, where this is fixed.
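The following is an added example, not code from the advisory or from Spring Security itself. It shows the annotation placement the advisory describes as affected (a @PreAuthorize rule declared only on a method of a parameterized interface, with the concrete target method unannotated), the placement the advisory says is not affected (the rule attached to the target method), and a regression test that a practitioner can run against their own dependency versions. All class names (Deleter, User, UserDeleter, SafeUserDeleter, App, the test) are assumptions made for the illustration.

```java
// Added example, not Spring Security's own code. Illustrates the annotation
// placement named in CVE-2025-22223 and the placement the advisory calls safe.
import static org.junit.jupiter.api.Assertions.assertThrows;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.stereotype.Service;

// Method security is enabled, so the advisory's first "not affected" condition does not apply.
@SpringBootApplication
@EnableMethodSecurity
class App {}

// A parameterized type: the authorization rule lives on its generic method delete(T).
interface Deleter<T> {
    @PreAuthorize("hasRole('ADMIN')")
    void delete(T entity);
}

record User(String name) {}

// Affected shape: the concrete target method carries no annotation of its own; the
// only @PreAuthorize is on the parameterized supertype's method. Spring Security
// 6.4.0 - 6.4.3 may fail to locate it, so a non-admin caller can reach the body.
@Service
class UserDeleter implements Deleter<User> {
    @Override
    public void delete(User entity) {
        // business logic that must only run for ADMIN
    }
}

// Safe shape per the advisory: the annotation is attached to the target method itself,
// so locating it no longer depends on resolving the parameterized supertype.
@Service
class SafeUserDeleter implements Deleter<User> {
    @Override
    @PreAuthorize("hasRole('ADMIN')")
    public void delete(User entity) {
        // business logic that must only run for ADMIN
    }
}

// Regression check: a USER-role caller must be rejected on both shapes. On a fixed
// version (6.4.4 or later) both assertions hold; on an affected version the first
// one is where a bypass of the inherited annotation would show up.
@SpringBootTest
class DeleterAuthorizationTest {
    @Autowired UserDeleter inherited;
    @Autowired SafeUserDeleter direct;

    @Test
    @WithMockUser(roles = "USER")
    void ruleOnParameterizedSupertypeIsEnforced() {
        assertThrows(AccessDeniedException.class, () -> inherited.delete(new User("alice")));
    }

    @Test
    @WithMockUser(roles = "USER")
    void ruleOnTargetMethodIsEnforced() {
        assertThrows(AccessDeniedException.class, () -> direct.delete(new User("alice")));
    }
}
```

To use this as a check, put the file in a Spring Boot project with spring-boot-starter-security and spring-security-test on the test classpath and run it once against the Spring Security version currently pinned in the build; if the first test passes only after bumping to 6.4.4, the project was relying on annotation lookup through the parameterized type. Independently of the upgrade, duplicating the annotation onto the concrete target method (the SafeUserDeleter shape) is the mitigation the advisory itself describes.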