CVE-2025-22223: Spring Security authorization bypass for method security annotations on parameterized types

MEDIUM | MARCH 19, 2025 | CVE-2025-22223

Description

Spring Security may not correctly locate method security annotations on parameterized types or methods. This may cause an authorization bypass.

Your application may be affected by this if the following are true:

  1. You are using @EnableMethodSecurity, and
  2. You have a method security annotation on a parameterized superclass, interface, or overridden method and no annotation on the target method

In that case, the target method may be invoked without the authorization check that its annotated ancestor declares.

You are not affected if:

  1. You are not using @EnableMethodSecurity, or
  2. You do not have method security annotations on parameterized types or methods, or
  3. All method security annotations are attached to target methods

Affected Spring Products and Versions

Spring Security:

  • 6.4.0 - 6.4.3

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

  Affected version(s)   Fix version   Availability
  6.4.x                 6.4.4         OSS

No other mitigation steps are necessary.

If you cannot upgrade, then you can either:

  1. Ensure the target method has the annotations instead of its parameterized ancestor, or
  2. Publish an AuthorizationManagerBeforeMethodInterceptor bean that correctly looks for annotations on parameterized types (see the sample in the Spring Security issue log)
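The affected pattern from the Description, and the first workaround above, side by side as an added example (constructed here, not code from the advisory or from the Spring Security project). The interface, class and method names are assumptions; only @EnableMethodSecurity, @PreAuthorize and @Service are real Spring annotations.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.stereotype.Service;

// Constructed example. Method security is switched on with @EnableMethodSecurity,
// which is the first precondition named in the advisory.
@Configuration
@EnableMethodSecurity
class MethodSecurityConfig {
}

// Hypothetical domain type used only to give the interface a type argument.
class FileDocument {
    final String id;
    FileDocument(String id) { this.id = id; }
}

// A parameterized interface that carries the method security annotation.
// This is the second precondition: the annotation lives on the parameterized
// ancestor, not on the implementing (target) method.
interface DocumentRepository<T> {
    @PreAuthorize("hasRole('ADMIN')")
    void delete(T document);
}

// AFFECTED SHAPE: the target method has no annotation of its own, so it relies on
// Spring Security finding @PreAuthorize on DocumentRepository<T>.delete(T).
// On Spring Security 6.4.0 - 6.4.3 that lookup may fail, and delete() may run
// for any caller.
@Service
class FileDocumentRepository implements DocumentRepository<FileDocument> {
    @Override
    public void delete(FileDocument document) {
        // ... remove the document from storage (body omitted) ...
    }
}

// WORKAROUND 1 FROM THE ADVISORY: repeat the annotation on the target method so the
// check no longer depends on annotation resolution across the parameterized type.
// Upgrading to 6.4.4 remains the recommended fix; this is only for deployments
// that cannot upgrade yet.
@Service
class HardenedFileDocumentRepository implements DocumentRepository<FileDocument> {
    @Override
    @PreAuthorize("hasRole('ADMIN')")
    public void delete(FileDocument document) {
        // ... remove the document from storage (body omitted) ...
    }
}
```

A quick audit for the affected shape in an existing code base is to list every @PreAuthorize, @PostAuthorize, @Secured or @RolesAllowed that sits on a generic interface or superclass and confirm that each concrete override either repeats the annotation or runs on 6.4.4 or later.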

Credit

This vulnerability was discovered and responsibly reported independently by Vasil Ilchev and Neale Upstone.
