CVE-2022-31692: Authorization rules can be bypassed via forward or include dispatcher types in Spring Security

HIGH | OCTOBER 31, 2022 | CVE-2022-31692

Description

Spring Security versions 5.7 prior to 5.7.5 and 5.6 prior to 5.6.9 could be susceptible to an authorization rules bypass via forward or include dispatcher types.

Specifically, an application is vulnerable when all of the following are true:

  • The application expects that Spring Security applies security to forward and include dispatcher types.
  • The application uses the AuthorizationFilter either manually or via the authorizeHttpRequests() method.
  • The application configures the FilterChainProxy to apply to forward and/or include requests (e.g. spring.security.filter.dispatcher-types = request, error, async, forward, include).
  • The application may forward or include the request to a higher privilege-secured endpoint.
  • The application configures Spring Security to apply to every dispatcher type via authorizeHttpRequests().shouldFilterAllDispatcherTypes(true).

An application is not vulnerable if any of the following is true:

  • The application does not use authorizeHttpRequests() or the AuthorizationFilter.
  • The application does not forward/include requests.
  • The application does not need to configure Spring Security to apply to FORWARD and INCLUDE dispatcher types.

Affected Spring Products and Versions

  • Spring Security
    • 5.7.0 to 5.7.4
    • 5.6.0 to 5.6.8

Mitigation

Users of affected versions should apply the following mitigations:

  • 5.7.x users should upgrade to 5.7.5
  • 5.6.x users should upgrade to 5.6.9
  • Users who cannot change versions should use authorizeRequests().filterSecurityInterceptorOncePerRequest(false) instead of authorizeHttpRequests().shouldFilterAllDispatcherTypes(true)
  • Users on versions before 5.7.0, which do not have shouldFilterAllDispatcherTypes available, should add an ObjectPostProcessor for the AuthorizationFilter:
    authorizeHttpRequests().withObjectPostProcessor(new ObjectPostProcessor<AuthorizationFilter>() {
      @Override
      public <O extends AuthorizationFilter> O postProcess(O filter) {
        // apply the filter on every dispatch of a request, as
        // shouldFilterAllDispatcherTypes(true) does in 5.7
        filter.setObserveOncePerRequest(false);
        filter.setFilterAsyncDispatch(true);
        filter.setFilterErrorDispatch(true);
        return filter;
      }
    });

Note that in Spring Security 5 the default behavior is to apply the security filters only once per request, so you have to configure Spring Security explicitly if you want them to run again on later dispatches of the same request. In addition, the FilterChainProxy is not registered for the FORWARD and INCLUDE dispatcher types by default; that registration is also left to you (for example via spring.security.filter.dispatcher-types in Spring Boot). An application that has configured neither is not affected by this issue.
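The following is an added example, not code from this advisory or from the Spring Security project. It puts the conditions listed under Description into one Spring Boot 2.7 / Spring Security 5.7.x application and places the affected configuration beside the workaround from Mitigation. The controller, the paths, the ROLE_ADMIN requirement and the profile names are assumptions made for the illustration; the application.properties line is the one cited in the Description.

```java
// Added example (not from the advisory or the Spring Security project).
// Spring Boot 2.7.x with Spring Security 5.7.x. Controller, paths, role and
// profile names are constructed for the illustration.
//
// application.properties (constructed). This is the FilterChainProxy
// condition from the Description; Boot's default is request,error,async:
//   spring.security.filter.dispatcher-types=request,error,async,forward,include

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ResponseBody;

@SpringBootApplication
public class ForwardDemoApplication {
    public static void main(String[] args) {
        SpringApplication.run(ForwardDemoApplication.class, args);
    }
}

@Controller
class ReportController {

    // Public entry point that forwards to a privileged endpoint: the
    // "forward ... to a higher privilege-secured endpoint" condition.
    @GetMapping("/dashboard")
    public void dashboard(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        request.getRequestDispatcher("/admin/report").forward(request, response);
    }

    // Meant to be reachable only by ROLE_ADMIN.
    @GetMapping("/admin/report")
    @ResponseBody
    public String adminReport() {
        return "quarterly numbers, ADMIN only";
    }
}

// Run with --spring.profiles.active=vulnerable
// On 5.7.0 to 5.7.4 an unauthenticated GET /dashboard returns the admin body:
// the FORWARD dispatch to /admin/report is not re-authorized even though
// shouldFilterAllDispatcherTypes(true) asked for exactly that.
@Configuration
@Profile("vulnerable")
class AuthorizationFilterConfig {

    @Bean
    SecurityFilterChain vulnerableChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize
                .shouldFilterAllDispatcherTypes(true)
                .antMatchers("/dashboard").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            .httpBasic();
        return http.build();
    }
}

// Run with --spring.profiles.active=mitigated
// The workaround from Mitigation for users who cannot upgrade: the
// FilterSecurityInterceptor with once-per-request observation switched off,
// so the FORWARD dispatch to /admin/report is authorized again and an
// anonymous caller gets a 401 Basic challenge instead of the admin body.
@Configuration
@Profile("mitigated")
class FilterSecurityInterceptorConfig {

    @Bean
    SecurityFilterChain mitigatedChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authorize -> authorize
                .filterSecurityInterceptorOncePerRequest(false)
                .antMatchers("/dashboard").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            .httpBasic();
        return http.build();
    }
}
```

Start the application with one profile active and issue `curl -i http://localhost:8080/dashboard` with no credentials. The admin body coming back under the vulnerable profile on 5.7.0 to 5.7.4 is the bypass; under the mitigated profile the forwarded dispatch is authorized and the request is rejected. After upgrading to 5.7.5 the authorizeHttpRequests() form is expected to reject it as well, which makes this request a useful regression check after the upgrade.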

Releases that have fixed this issue include:

  • Spring Security
    • 5.7.5
    • 5.6.9

Credit

This issue was identified and responsibly reported by Osword from SGLAB of Legendsec at Qi'anxin Group.

History

  • 2022-10-31: Initial vulnerability report published.
