CVE-2022-31692

Authorization Bypass
Affects: Spring Security >=5.6.0 <5.6.9, >=5.7.0 <5.7.5 in Spring
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Spring Security is a powerful framework that provides authentication, authorization, and other security-related features for Java applications. It integrates with the Spring Framework, letting developers implement complete security measures.

An authorization bypass vulnerability (CVE-2022-31692) has been found in spring-security-web, which allows attackers to evade authorization rules via FORWARD or INCLUDE dispatcher types. This vulnerability arises when specific configurations are in place, potentially enabling unauthorized access to protected resources.

Per OWASP: "Authorization bypass attacks allow an attacker to access resources or perform actions that they are not authorized to perform, by exploiting flaws in the application's authorization mechanisms."

This issue affects multiple versions of spring-security-web, specifically versions 5.6.0 through 5.6.8 and 5.7.0 through 5.7.4, from Spring Security.

Details

Module Info

Vulnerability Info

CVE-2022-31692 is a critical-severity vulnerability found in Spring Security versions 5.6.0 to 5.6.8 and 5.7.0 to 5.7.4. The vulnerability occurs when an application is configured to apply security to forward and include dispatcher types using the AuthorizationFilter, either manually or via the authorizeHttpRequests() method. If the application forwards or includes requests to higher-privilege-secured endpoints without proper authorization checks, an attacker could exploit this flaw to bypass security restrictions and gain unauthorized access.
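The configuration shape the paragraph above describes, as an added example that is not part of this advisory and is not HeroDevs' or the Spring project's own code. It assumes a Spring Boot 2.7 application on Spring Security 5.7.x; the class names, the paths and the ADMIN role are hypothetical, and the Boot property spring.security.filter.dispatcher-types belongs to the assumed setup rather than to the advisory. It shows the pattern to audit for (a permitted endpoint that forwards to a handler protected only by the request-level rules) beside a handler-level check that holds regardless of dispatcher type.

```java
package example.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ResponseBody;

/**
 * Hypothetical Spring Boot 2.7 / Spring Security 5.7.x configuration with the
 * properties the advisory lists: AuthorizationFilter via authorizeHttpRequests()
 * and an explicit request to secure every dispatcher type. For the filter chain
 * to see FORWARD/INCLUDE dispatches at all, application.properties must also
 * contain (assumed setup, not stated in the advisory):
 *   spring.security.filter.dispatcher-types=request,error,async,forward,include
 */
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) // enables @PreAuthorize, used below as defence in depth
public class WebSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize
                // The application expects the rules below to be enforced on
                // FORWARD and INCLUDE dispatches too, not only on REQUEST.
                .shouldFilterAllDispatcherTypes(true)
                .antMatchers("/public/**").permitAll()
                .antMatchers("/internal/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            .httpBasic();
        return http.build();
    }
}

/** Hypothetical controller; package-private so both classes fit in one listing. */
@Controller
class ReportController {

    // Reachable without authentication under the rules above ...
    @GetMapping("/public/report")
    public String publicReport() {
        // ... and hands the request on with a FORWARD dispatch to a handler
        // that the rules above reserve for ROLE_ADMIN. On 5.6.0-5.6.8 and
        // 5.7.0-5.7.4 the forwarded dispatch is not re-authorized, so the
        // hasRole("ADMIN") rule does not protect /internal/admin/report when it
        // is reached this way. This is the pattern to look for when auditing.
        return "forward:/internal/admin/report";
    }

    // Defence in depth that does not depend on the filter re-running for the
    // forwarded dispatch: enforce the role at the handler as well. The fix for
    // the CVE itself is the version upgrade named in the Mitigation section.
    @PreAuthorize("hasRole('ADMIN')")
    @GetMapping("/internal/admin/report")
    @ResponseBody
    public String adminReport() {
        return "admin report";
    }
}
```

When reviewing an application for exposure, the three things to confirm together are the Spring Security version, whether the filter chain is configured to run on forward/include dispatches, and whether any handler reachable under a weaker rule forwards or includes into a path that a stronger rule protects; the method-level annotation above is a containment measure, not a substitute for upgrading.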

Credits

  • This vulnerability was reported by VMware Tanzu.

Mitigation

Spring Security 5 is no longer community-supported. The community support version will not receive any updates to address this issue. For more information, see here.

Users of the affected components should apply one of the following mitigations:

  • Upgrade affected applications to supported versions of Spring Security.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Vulnerability Details

ID: CVE-2022-31692
Project affected: Spring Security
Versions affected: >=5.6.0 <5.6.9, >=5.7.0 <5.7.5
Published date: October 31, 2022
Fix date (approximate): October 31, 2022
Severity: High
Category: Authorization Bypass