Overview
Spring Security is a comprehensive Java security framework for securing enterprise-level applications. It provides a powerful, flexible programming model that simplifies the development of secure applications by letting you manage authentication, authorization, and other security concerns declaratively. Spring Security integrates seamlessly with the Spring Framework, offering robust tools for configuring access controls, managing user roles, and protecting resources, while keeping Java as your primary application language.
A vulnerability (CVE-2021-22112) has been identified in Spring Security that may cause it to fail to save the SecurityContext to the HttpSession when the context is updated more than once in a single request. Although it cannot be triggered by an attacker, it can unintentionally extend elevated privileges across an application if temporary elevation is not managed carefully, potentially exposing sensitive areas to unauthorized access.
This issue affects multiple versions of Spring Security.
Details
Module Info
- Product: Spring Security
- Affected packages: spring-security-web
- Affected versions: <5.2.9.RELEASE, >=5.3.0 <5.3.9.RELEASE, >=5.4.0 <5.4.4
- GitHub repository: https://github.com/spring-projects/spring-security
- Package manager: Maven
Vulnerability Info
This Low-severity vulnerability, CVE-2021-22112, in Spring Security affects versions 5.4.0 to 5.4.3, 5.3.0 to 5.3.8.RELEASE, 5.2.0 to 5.2.8.RELEASE, and older unsupported versions.
The issue arises when a developer updates the SecurityContext multiple times within a single HTTP request. Specifically, if the SecurityContext is modified, the HttpResponse is then committed, and the SecurityContext is changed again before the SecurityContextPersistenceFilter completes, the framework may fail to save the final SecurityContext to the HttpSession.
While this bug cannot be exploited directly by an attacker, it can create security gaps in an application that relies on temporary privilege elevation. If elevated privileges are intended only for a small part of the application, this vulnerability can unintentionally extend those privileges to the rest of the session, potentially exposing parts of the application to unauthorized access or actions.
Steps To Reproduce
This commit contains a test demonstrating the issue. This test fails on unpatched versions.
Prerequisites
- Set up a Spring application using an affected Spring Security version (e.g., 5.4.0 to 5.4.3 or 5.3.x to 5.3.8).
- Ensure the application has a basic security configuration, including SecurityContextPersistenceFilter to manage session security.
Reproduction Steps
- Create a controller method: set up a method in a controller to handle a request, in which the SecurityContext is changed multiple times in sequence.
- Change the SecurityContext before the response is committed:
  - In the controller method, update the SecurityContext with elevated privileges before the HttpResponse is committed.
  - This might involve setting a new Authentication with elevated roles.
- Commit the HttpResponse:
  - Explicitly or implicitly commit the HttpResponse (e.g., by flushing part of the response body to the client or returning a ResponseEntity).
- Change the SecurityContext again:
  - After committing the response, change the SecurityContext once more within the same request, this time with reduced privileges.
- Observe the SecurityContext:
  - After the SecurityContextPersistenceFilter completes, check the SecurityContext saved in the session.
  - It may still hold the elevated privileges from the first change, because the last modification may not have been persisted.
Expected Result
If the vulnerability is present, the session’s SecurityContext will retain elevated privileges from the first modification rather than the final state, potentially exposing unintended parts of the application with higher access.
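The sequence above can be captured as a self-contained regression test that drives SecurityContextPersistenceFilter directly with Spring's servlet mocks, so the check runs without a web container. This is an added example, not the test from the referenced commit or any Spring project code. It assumes JUnit 5 and spring-test on the classpath alongside spring-security-web, and targets the javax.servlet-based 5.x API the advisory covers; the principal name, roles and request path are constructed samples. The "reduced privileges" step restores the original context object, which is the temporary-elevation pattern the advisory describes; the assertion on the persisted context is expected to fail on the affected versions and pass on patched ones.

```java
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertNotNull;

import javax.servlet.FilterChain;

import org.junit.jupiter.api.Test;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextPersistenceFilter;

/**
 * Regression test for the CVE-2021-22112 sequence: elevate the SecurityContext,
 * commit the response, restore the original context, then check what the filter
 * persisted to the HttpSession. Principal, roles and path are constructed samples.
 */
class TemporaryElevationPersistenceTest {

    private static final String KEY = HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY;

    @Test
    void sessionHoldsRestoredContextNotElevatedOne() throws Exception {
        HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
        SecurityContextPersistenceFilter filter = new SecurityContextPersistenceFilter(repo);

        // Simulate an already-authenticated session for a low-privilege user (constructed sample).
        SecurityContext original = SecurityContextHolder.createEmptyContext();
        original.setAuthentication(new TestingAuthenticationToken("alice", "n/a", "ROLE_USER"));
        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/reports/export");
        request.getSession(true).setAttribute(KEY, original);
        MockHttpServletResponse response = new MockHttpServletResponse();

        // Stand-in for the controller: the three steps from the reproduction section.
        FilterChain controller = (req, res) -> {
            // The filter has already loaded this context from the session.
            SecurityContext beforeElevation = SecurityContextHolder.getContext();

            // Step 1: elevate for a single sensitive operation.
            SecurityContext elevated = SecurityContextHolder.createEmptyContext();
            elevated.setAuthentication(
                    new TestingAuthenticationToken("alice", "n/a", "ROLE_USER", "ROLE_ADMIN"));
            SecurityContextHolder.setContext(elevated);

            // Step 2: commit the response while still elevated by flushing part of the body.
            res.getWriter().write("first chunk");
            res.flushBuffer();

            // Step 3: drop back to the pre-elevation context before the filter finishes.
            SecurityContextHolder.setContext(beforeElevation);
        };

        filter.doFilter(request, response, controller);

        // Step 4: inspect what SecurityContextPersistenceFilter left in the session.
        SecurityContext saved = (SecurityContext) request.getSession().getAttribute(KEY);
        assertNotNull(saved, "a SecurityContext should be persisted in the session");
        assertFalse(hasAuthority(saved, "ROLE_ADMIN"),
                "session still carries the temporary ROLE_ADMIN elevation");
    }

    private static boolean hasAuthority(SecurityContext context, String authority) {
        return context.getAuthentication().getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .anyMatch(authority::equals);
    }
}
```

Keeping a test like this in the application's own suite turns the advisory's "Expected Result" into a concrete check: it fails while the dependency is on an affected version and keeps guarding the temporary-elevation code path after the upgrade.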
Credits
- Daniel Beck
- Jeff Thompson
- Jesse Glick
- Wadeck Follonier
- CloudBees, Inc.
Mitigation
Spring Security 4 and 5 are no longer community-supported. The community support version will not receive any updates to address this issue. For more information, see here.
Users of the affected components should apply one of the following mitigations:
- Upgrade affected applications to supported versions of Spring Security.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.