Spring Security Advisories

CVE-2024-38810: Missing Authorization When Using @AuthorizeReturnObject

HIGH | AUGUST 19, 2024 | CVE-2024-38810

Description

Applications using @AuthorizeReturnObject or the Spring Security produced AuthorizationAdvisorProxyFactory @Bean to wrap objects may not have all security advice applied.

When method security advice is not applied, it means that annotations like @PreFilter and @PreAuthorize may take no affect on these wrapped objects.

Note that this does not impact any @Beans that use Spring Security's method security advice.

For this to impact an application, all of the following need to be true:

  • AnnotationAwareAspectJAutoProxyCreator must be the auto proxy creator being used to create proxies; this can either be done declaratively by your application or enabled via @EnableAspectJAutoProxy or enabled by Spring Boot by virtue of using spring-aspects or a starter that uses spring-aspects
  • The application must have at least one FactoryBean present in the application context
  • The application must enable method security with @EnableMethodSecurity
  • The application must be wrapping objects using the @AuthorizeReturnObject annotation or the AuthorizationAdvisorProxyFactory @Bean produced by Spring Security
  • The application must be using @PreFilter, @PostFilter, @PreAuthorize, or @PostAuthorize on those wrapped objects

If all of these are true, then some of the method security advice may not be applied to the objects wrapped by @AuthorizeReturnObject or AuthorizationAdvisorProxyFactory.

Applications where any of the following are true are not impacted:

  • The application is not using @PreFilter, @PostFilter, @PreAuthorize, or @PostAuthorize on any wrapped objects
  • The application is not using @EnableMethodSecurity to enable method security
  • The application is not using @AuthorizeReturnObject or the AuthorizationAdvisorProxyFactory @Bean produced by Spring Security
  • The application doesn't have any FactoryBeans
  • The application is not using AnnotationAwareAspectJAutoProxyCreator for auto-proxy creation

Affected Spring Products and Versions

This affects the following Spring Security versions:

  • 6.3.0 and 6.3.1

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.
Affected version(s)Fix versionAvailability
6.3.x6.3.2OSS

No other mitigation steps are necessary.

Credit

This issue was responsibly reported by Josh Cummings.

References

  • Spring Security Reference - https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html#authorize-object

History

  • 2024-08-19 - Initial Report Published

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all