CVE-2024-38810: Spring Security Flaw Leaves Applications Open to Unauthorized Access
A high-severity vulnerability (CVE-2024-38810) has been discovered in Spring Security, potentially allowing unauthorized access to sensitive data within affected applications. The vulnerability impacts Spring Security versions 6.3.0 and 6.3.1.
Spring Security’s powerful method security features allow developers to control access to application methods using annotations like @PreAuthorize and @PostAuthorize. However, CVE-2024-38810 reveals a significant flaw: when objects are wrapped using @AuthorizeReturnObject or the AuthorizationAdvisorProxyFactory @Bean, not all security advice may be correctly applied.
This lapse means that critical security annotations like @PreFilter, @PostFilter, @PreAuthorize, and @PostAuthorize may fail to enforce the expected security restrictions on these wrapped objects, leaving the application vulnerable to unauthorized access or data exposure.
The vulnerability was responsibly reported by Josh Cummings.
The vulnerability only affects applications meeting ALL the following conditions:
- Using
AnnotationAwareAspectJAutoProxyCreatorfor auto-proxy creation - Having at least one
FactoryBeanin the application context - Enabling method security with
@EnableMethodSecurity - Wrapping objects using
@AuthorizeReturnObjectorAuthorizationAdvisorProxyFactory - Using
@PreFilter,@PostFilter,@PreAuthorize, or@PostAuthorizeon those wrapped objects
Users of affected Spring Security versions are urged to upgrade to version 6.3.2 immediately. This update addresses the missing authorization check and ensures proper enforcement of security advice.
Related Posts:
- Spring Framework Multiple Security Vulnerability
- Muti vulnerabilities (Remote Code Execution) exist on Spring
- Spring framework 0-day remote code execution vulnerability
- Spring Data REST exists serious flaw that allows remote attackers to execute arbitrary commands
- Spring Data Commons Remote Code Execution Vulnerability
