VMware-owned Spring officially released a security bulletin disclosing an authorization rule bypass vulnerability (CVE-2022-31692) in specific versions of the Spring framework. The severity is high. This flaw was found by Osword from SGLAB of Legendsec at Qi’anxin Group.
The Spring Framework is an application framework and inversion of control container for the Java platform. The framework’s core features can be used by any Java application, but there are extensions for building web applications on top of the Java EE platform.
Spring Framework versions 5.7 prior to 5.7.5 and 5.6 prior to 5.6.9 are impacted. Specifically, an application is vulnerable when all of the following are true:
- The application expects that Spring Security applies security to forward and include dispatcher types.
- The application uses the AuthorizationFilter either manually or via the authorizeHttpRequests() method.
- The application configures the FilterChainProxy to apply to forward and/or include requests (e.g. spring.security.filter.dispatcher-types = request, error, async, forward, include).
- The application may forward or include the request to a higher privilege-secured endpoint.
- The application configures Spring Security to apply to every dispatcher type via authorizeHttpRequests().shouldFilterAllDispatcherTypes(true).
An application is not vulnerable if any of the following is true:
- The application does not use authorizeHttpRequests() or the AuthorizationFilter.
- The application does not forward/include requests.
- The application does not need to configure Spring Security to apply to FORWARD and INCLUDE dispatcher types.
Affected version
Spring Framework:
- 5.7.0 to 5.7.4
- 5.6.0 to 5.6.8
Unaffected version
Spring Framework:
- 5.7.5
- 5.6.9
Solution
Spring has released new versions that fix CVE-2022-31692, and affected users are advised to update the Spring framework to an unaffected version. Temporary mitigations can also be implemented to prevent attacks until the update is applied.
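The bulletin's preconditions and version ranges can be turned into a quick self-assessment. The script below is an added example written for this page, not code from Spring or from the bulletin: it checks a declared version against the affected ranges listed above (5.7.0 to 5.7.4 and 5.6.0 to 5.6.8, with 5.7.5 and 5.6.9 as the fixed releases) and looks for the configuration preconditions (an AuthorizationFilter via authorizeHttpRequests(), a FilterChainProxy covering forward/include, shouldFilterAllDispatcherTypes(true), and a forward/include in application code). It assumes a properties-file format for spring.security.filter.dispatcher-types and uses simple string matching over Java sources, so treat its output as a triage hint rather than proof; the sample properties, security configuration and controller are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Affected and fixed versions as given in the bulletin:
# 5.7.0 to 5.7.4 (fixed in 5.7.5) and 5.6.0 to 5.6.8 (fixed in 5.6.9).
AFFECTED_RANGES = [
    ((5, 7, 0), (5, 7, 4), "5.7.5"),
    ((5, 6, 0), (5, 6, 8), "5.6.9"),
]

# Property name taken from the bulletin's example configuration line.
DISPATCHER_TYPES_RE = re.compile(
    r"^\s*spring\.security\.filter\.dispatcher-types\s*[=:]\s*(.+?)\s*$", re.MULTILINE
)


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse 'major.minor.patch' (trailing qualifiers ignored); None if unparsable."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def affected_version(version: str) -> Optional[str]:
    """Return the fixed version to upgrade to when `version` falls in an affected range."""
    v = parse_version(version)
    if v is None:
        return None
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v <= high:
            return fixed
    return None


def dispatcher_types(properties: str) -> List[str]:
    """Dispatcher types the FilterChainProxy is configured for (lower-cased, in order)."""
    m = DISPATCHER_TYPES_RE.search(properties)
    if not m:
        return []
    return [t.strip().lower() for t in m.group(1).split(",") if t.strip()]


def uses_authorization_filter(java: str) -> bool:
    # authorizeHttpRequests() installs AuthorizationFilter; a manual reference counts too.
    return "authorizeHttpRequests(" in java or "AuthorizationFilter" in java


def filters_all_dispatcher_types(java: str) -> bool:
    return re.search(r"shouldFilterAllDispatcherTypes\(\s*true\s*\)", java) is not None


def forwards_or_includes(java: str) -> bool:
    # Servlet RequestDispatcher forward/include, or Spring MVC's "forward:" view prefix.
    return bool(re.search(r'getRequestDispatcher\(|"forward:', java))


def assess(version: str, properties: str, java_sources: List[str]) -> dict:
    """Combine the bulletin's preconditions; every one must hold for 'vulnerable' to be True."""
    source = "\n".join(java_sources)
    configured = set(dispatcher_types(properties))
    findings = {
        "upgrade_to": affected_version(version),
        "uses_authorization_filter": uses_authorization_filter(source),
        "filter_chain_on_forward_include": bool({"forward", "include"} & configured),
        "should_filter_all_dispatcher_types": filters_all_dispatcher_types(source),
        "forwards_or_includes": forwards_or_includes(source),
    }
    findings["vulnerable"] = (
        findings["upgrade_to"] is not None
        and findings["uses_authorization_filter"]
        and findings["filter_chain_on_forward_include"]
        and findings["should_filter_all_dispatcher_types"]
        and findings["forwards_or_includes"]
    )
    return findings


# Constructed sample input (not from any real project) that matches every precondition.
SAMPLE_PROPERTIES = """
server.port=8080
spring.security.filter.dispatcher-types=request, error, async, forward, include
"""

SAMPLE_SECURITY_CONFIG = """
http.authorizeHttpRequests((authz) -> authz
        .shouldFilterAllDispatcherTypes(true)
        .antMatchers("/admin/**").hasRole("ADMIN")
        .anyRequest().authenticated());
"""

SAMPLE_CONTROLLER = """
@GetMapping("/report")
public String report() {
    return "forward:/admin/report";   // forwards to a more privileged endpoint
}
"""

if __name__ == "__main__":
    result = assess("5.7.4", SAMPLE_PROPERTIES, [SAMPLE_SECURITY_CONFIG, SAMPLE_CONTROLLER])
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it against your own version string, application.properties and security/controller sources; any single precondition reported as False corresponds to one of the "not vulnerable" conditions in the bulletin, and an `upgrade_to` value names the release to move to.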